1
0
forked from rpms/kernel

Compare commits

...

20 Commits

Author SHA1 Message Date
8b084f789d - Use AlmaLinux cert
- Add conflicts to old shim
2023-02-27 14:28:42 +03:00
Stepan Oksanichenko
673058d7bb Merge remote-tracking branch 'alma-origin/c8' into HEAD 2023-02-21 08:53:14 +00:00
Stepan Oksanichenko
a713fd635c Merge remote-tracking branch 'alma-origin/c8' into HEAD 2023-01-12 14:38:21 +00:00
238501d3ca Fix CONFIG_CRYPTO_FIPS_NAME 2022-11-15 12:27:24 +00:00
6dc3fdcd75 Fix signing_key_filename 2022-11-15 08:50:37 +00:00
fffef0593f Fix ppc64le signing 2022-11-08 13:43:37 +01:00
387100185b Merge branch 'c8' into a8 2022-11-08 10:39:58 +01:00
Stepan Oksanichenko
a11301c818 Merge remote-tracking branch 'alma-origin/c8' into HEAD 2022-10-25 09:10:36 +00:00
Stepan Oksanichenko
142729f8cd Merge remote-tracking branch 'alma-origin/c8' into HEAD 2022-09-13 09:41:16 +00:00
Stepan Oksanichenko
d71cb8120e Merge remote-tracking branch 'alma-origin/c8' into HEAD 2022-08-02 07:08:32 +00:00
Stepan Oksanichenko
b9216f5527 Merge remote-tracking branch 'alma-origin/c8' into HEAD 2022-07-13 06:35:40 +00:00
Stepan Oksanichenko
0b72df0ec0 Merge remote-tracking branch 'alma-origin/c8' into HEAD 2022-06-28 10:58:41 +00:00
dc2bf65b8f Drop rh_taint patch 2022-05-10 11:50:46 +00:00
Stepan Oksanichenko
90134a736e Merge remote-tracking branch 'alma-origin/c8' into HEAD 2022-05-10 10:37:24 +00:00
Stepan Oksanichenko
5bd15e08f8 Merge remote-tracking branch 'alma-origin/c8' into HEAD 2022-04-26 13:54:02 +00:00
Stepan Oksanichenko
d01e4bcc17 Merge remote-tracking branch 'alma-origin/c8' into HEAD 2022-03-10 14:48:00 +00:00
Stepan Oksanichenko
76d004474a Merge remote-tracking branch 'alma-origin/c8' into HEAD 2022-01-19 14:03:52 +00:00
eabdullin
41f15049b2 Merge branch 'c8' into a8 2021-12-21 13:03:22 +03:00
eabdullin
c57660fffb Merge branch 'c8' into a8 2021-11-30 11:32:15 +03:00
273ff5a163 AlmaLinux changes 2021-09-16 09:39:51 +00:00
23 changed files with 200 additions and 61 deletions

46
SOURCES/almalinux.pem Normal file
View File

@ -0,0 +1,46 @@
-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIQY4iebPtuT3OKR2M/jWZWEzANBgkqhkiG9w0BAQsFADBg
MSUwIwYJKoZIhvcNAQkBFhZzZWN1cml0eUBhbG1hbGludXgub3JnMRIwEAYDVQQK
EwlBbG1hTGludXgxIzAhBgNVBAMTGkFsbWFMaW51eCBTZWN1cmUgQm9vdCBDQSAx
MB4XDTIxMDExNDIxMDcxOVoXDTM2MDExMTIxMDcxOVowaTElMCMGCSqGSIb3DQEJ
ARYWc2VjdXJpdHlAYWxtYWxpbnV4Lm9yZzESMBAGA1UEChMJQWxtYUxpbnV4MSww
KgYDVQQDEyNBbG1hTGludXggRHJpdmVyIHVwZGF0ZSBzaWduaW5nIGtleTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK7kGZShKo5uegg6T4U/wR9UeyCa
qTtx+OvzUMKT8l5+R5WfBgQU8sDrIqX3Vv3tD6UeOUyFIQ40iGESdDhWnAFynJX4
v0k81KxJ+rVFAt5EJBeGw7U2qdpn8hzJG2dVANZ1gXJWGhC95Muif5q8fL7BJdU4
RufixfKWq6WHAalwHaiTCbA+/Ft6TLyZcA62glKkmBn7uWn83tlMfVqC4EN2NfQb
//C2MFCbm43BoKmgrMV0J3Pu8un3QZ4ukDDhJJ9eHfSqscq9SHPjqd0RM6TRcFXW
BzmTpG7MOJRvk4ypQSHxxc4jK5MVOqzel+2UPB2ihkvvnK9hdsvvI/bal/sCAwEA
AaOBizCBiDAfBgNVHSMEGDAWgBSY0u339QWy5Y/vkiTSvJ6Ffy5GkzAVBglghkgB
hvhCAQEBAf8EBQMDAPABMB8GA1UdJQQYMBYGCCsGAQUFBwMDBgorBgEEAZIIEAEC
MA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUe4Y+AkDtIIq2uBuKbyhgwPTox9Yw
DQYJKoZIhvcNAQELBQADggEBAHoPojMTRdFO050Ihrmr8jkdOweiOSBtlAZkLGd2
lTybNp2Xi1lQ8SqsqU/NFs/KUPVFykmjmLeqNWC9QoKdrVGzoD9MOHprRxe6gC8k
sHzBCFqdx3B+qbeSxBUN2QLIydzM6C23qf1TjBCeEDtRrvcvupFTlOBxiOJrIwbp
dJD1JfjbgxfvLzg7PaJPi5Ev6B3gY4ybCnKQmor029Z3R4zw3miPpZVA04xt3Z9e
m45Jjv86u10wjLmGRgfMmYT43jiMbOwlG1N8OikvgIHwlZtWxUpL1t/mEYtMMkTv
R//lA5z5dqXiDCPdTwHhSjEfBFWGLl7ciYt6rYkpdlqnYdk=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIID2DCCAsCgAwIBAgIQHDEXJMuZQ/m5MXRiSmLMljANBgkqhkiG9w0BAQsFADBg
MSUwIwYJKoZIhvcNAQkBFhZzZWN1cml0eUBhbG1hbGludXgub3JnMRIwEAYDVQQK
EwlBbG1hTGludXgxIzAhBgNVBAMTGkFsbWFMaW51eCBTZWN1cmUgQm9vdCBDQSAx
MB4XDTIxMDExNDIxMDgwMFoXDTM2MDExMTIxMDgwMFowYjElMCMGCSqGSIb3DQEJ
ARYWc2VjdXJpdHlAYWxtYWxpbnV4Lm9yZzESMBAGA1UEChMJQWxtYUxpbnV4MSUw
IwYDVQQDExxBbG1hTGludXgga3BhdGNoIHNpZ25pbmcga2V5MIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxncKQ7a49o5IUwqPB1axIzopNdGoSoERVuUd
hdHAZLB2MGIuU2fGCuZ4iD2Pwk+t2KsgR1y58pmHyRBCLi2tYfEdDB8LUzUY3P+8
Wxm2+zz8TPJUIcvPE4rHEb0vV4nTzwjpG4BTBwLkYRj+AxGbzWEy5Eetxzq5Ji+V
TMuTzRKshHEGNs3tFRPbSssc50NH+OuVKpzJAIqBmz7Gca9RqhK9ARK1p3aDEoR+
pYw4zRjIczc3s57WeuQxRMvFK5j48U0hpEUh+eQn1m40Bus3e7i4YTskwgKN5Vq3
lGlEdBoK4utuoHPj3JYh97hOii/kulOa9j5xeNe5z/6QByMxpwIDAQABo4GLMIGI
MB8GA1UdIwQYMBaAFJjS7ff1BbLlj++SJNK8noV/LkaTMBUGCWCGSAGG+EIBAQEB
/wQFAwMA8AEwHwYDVR0lBBgwFgYIKwYBBQUHAwMGCisGAQQBkggQAQIwDgYDVR0P
AQH/BAQDAgSwMB0GA1UdDgQWBBRpptnu0/Yg1cLhOh0hHEZRClrZ9TANBgkqhkiG
9w0BAQsFAAOCAQEAMDiuS0CD31MtO1Sn4HRYvai2LFdKpUKAEXVy9hsN+AfbcMcl
2sF/w49o43cMNIFoWKhMWZMOjCj/DGQY7ehNH3DRaTl7DNCu6y7mBNJPU+iPcE4r
92SBWIxUNi7YVbsc1evKBOnrtq6xd5BUJQx1cVGmSBI9dnd4tDBB2+KjpmdhzZK5
V1KQz1ilz5g2FNyEj6L7hnpkGUeMYnuM49YL7JP8QNtaKUBBA3BR4S7de+Tu070h
pEhvE539I6B+wmgV/bio20TUpQ5W2eH+5YUHVIZa5pZ30tVkm21iNB7eccbM4NYc
IRmwIsesuROtaM1e0lHoxKdW0N2xOSkhSY6oyQ==
-----END CERTIFICATE-----

Binary file not shown.

View File

@ -0,0 +1,11 @@
--- a/arch/x86/boot/main.c 2019-03-13 04:04:53.000000000 -0700
+++ b/arch/x86/boot/main.c 2019-05-25 14:31:21.043272496 -0700
@@ -147,7 +147,7 @@ void main(void)
/* Make sure we have all the proper CPU support */
if (validate_cpu()) {
- puts("This processor is not supported in this version of RHEL.\n");
+ puts("This processor is not supported in this version of AlmaLinux.\n");
die();
}

View File

@ -0,0 +1,81 @@
--- a/kernel/rh_taint.c 2020-10-16 10:41:51.000000000 -0500
+++ b/kernel/rh_taint.c 2020-11-19 10:50:24.853039167 -0600
@@ -2,12 +2,12 @@
#include <linux/module.h>
/*
- * The following functions are used by Red Hat to indicate to users that
- * hardware and drivers are unsupported, or have limited support in RHEL major
+ * The following functions are used by AlmaLinux to indicate to users that
+ * hardware and drivers are unsupported, or have limited support in AlmaLinux major
* and minor releases. These functions output loud warning messages to the end
* user and should be USED WITH CAUTION.
*
- * Any use of these functions _MUST_ be documented in the RHEL Release Notes,
+ * Any use of these functions _MUST_ be documented in the AlmaLinux Release Notes,
* and have approval of management.
*/
@@ -16,15 +16,15 @@
* @msg: Hardware name, class, or type
*
* Called to mark a device, class of devices, or types of devices as not having
- * support in any RHEL minor release. This does not TAINT the kernel. Red Hat
- * will not fix bugs against this hardware in this minor release. Red Hat may
+ * support in any AlmaLinux minor release. This does not TAINT the kernel. AlmaLinux
+ * will not fix bugs against this hardware in this minor release. AlmaLinux may
* declare support in a future major or minor update release. This cannot be
* used to mark drivers unsupported.
*/
void mark_hardware_unsupported(const char *msg)
{
/* Print one single message */
- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://catalog.redhat.com for certified hardware.\n", msg);
+ pr_crit("Warning: %s - this hardware has not undergone testing by AlmaLinux and might not be certified.\n", msg);
}
EXPORT_SYMBOL(mark_hardware_unsupported);
@@ -35,12 +35,12 @@ EXPORT_SYMBOL(mark_hardware_unsupported)
* Called to minimize the support status of a previously supported device in
* a minor release. This does not TAINT the kernel. Marking hardware
* deprecated is usually done in conjunction with the hardware vendor. Future
- * RHEL major releases may not include this driver. Driver updates and fixes
+ * AlmaLinux major releases may not include this driver. Driver updates and fixes
* for this device will be limited to critical issues in future minor releases.
*/
void mark_hardware_deprecated(const char *msg)
{
- pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact Red Hat Support or your device's hardware vendor for additional information.\n", msg);
+ pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this AlmaLinux release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact AlmaLinux Support or your device's hardware vendor for additional information.\n", msg);
}
EXPORT_SYMBOL(mark_hardware_deprecated);
@@ -50,9 +50,9 @@ EXPORT_SYMBOL(mark_hardware_deprecated);
*
* Called to minimize the support status of a new driver. This does TAINT the
* kernel. Calling this function indicates that the driver or subsystem has
- * had limited testing and is not marked for full support within this RHEL
- * minor release. The next RHEL minor release may contain full support for
- * this driver. Red Hat does not guarantee that bugs reported against this
+ * had limited testing and is not marked for full support within this AlmaLinux
+ * minor release. The next AlmaLinux minor release may contain full support for
+ * this driver. AlmaLinux does not guarantee that bugs reported against this
* driver or subsystem will be resolved.
*/
void mark_tech_preview(const char *msg, struct module *mod)
@@ -81,13 +81,13 @@ EXPORT_SYMBOL(mark_tech_preview);
* mark_driver_unsupported - drivers that we know we don't want to support
* @name: the name of the driver
*
- * In some cases Red Hat has chosen to build a driver for internal QE
+ * In some cases AlmaLinux has chosen to build a driver for internal QE
* use. Use this function to mark those drivers as unsupported for
* customers.
*/
void mark_driver_unsupported(const char *name)
{
- pr_crit("Warning: %s - This driver has not undergone sufficient testing by Red Hat for this release and therefore cannot be used in production systems.\n",
+ pr_crit("Warning: %s - This driver has not undergone sufficient testing by AlmaLinux for this release and therefore cannot be used in production systems.\n",
name ? name : "kernel");
}
EXPORT_SYMBOL(mark_driver_unsupported);

View File

@ -0,0 +1,11 @@
--- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700
+++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700
@@ -900,7 +900,7 @@ static void rh_check_supported(void)
if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) &&
!guest && is_kdump_kernel()) {
pr_crit("Detected single cpu native boot.\n");
- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems.");
+ pr_crit("Important: In AlmaLinux 8, single threaded, single CPU 64-bit physical systems are unsupported. Please see https://www.almalinux.org for more information");
}
/*

View File

@ -2914,7 +2914,7 @@ CONFIG_CRYPTO_ECHAINIV=m
CONFIG_CRYPTO_ESSIV=y CONFIG_CRYPTO_ESSIV=y
CONFIG_CRYPTO_FCRYPT=m CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_FIPS=y CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API" CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
CONFIG_CRYPTO_GCM=y CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_GHASH=y CONFIG_CRYPTO_GHASH=y

View File

@ -2977,7 +2977,7 @@ CONFIG_CRYPTO_ECHAINIV=m
CONFIG_CRYPTO_ESSIV=y CONFIG_CRYPTO_ESSIV=y
CONFIG_CRYPTO_FCRYPT=m CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_FIPS=y CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API" CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
CONFIG_CRYPTO_GCM=y CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_GHASH=y CONFIG_CRYPTO_GHASH=y

View File

@ -2588,7 +2588,7 @@ CONFIG_CRYPTO_ECHAINIV=m
CONFIG_CRYPTO_ESSIV=y CONFIG_CRYPTO_ESSIV=y
CONFIG_CRYPTO_FCRYPT=m CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_FIPS=y CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API" CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
CONFIG_CRYPTO_GCM=y CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_GHASH=y CONFIG_CRYPTO_GHASH=y

View File

@ -2649,7 +2649,7 @@ CONFIG_CRYPTO_ECHAINIV=m
CONFIG_CRYPTO_ESSIV=y CONFIG_CRYPTO_ESSIV=y
CONFIG_CRYPTO_FCRYPT=m CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_FIPS=y CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API" CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
CONFIG_CRYPTO_GCM=y CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_GHASH=y CONFIG_CRYPTO_GHASH=y

View File

@ -2710,7 +2710,7 @@ CONFIG_CRYPTO_ECHAINIV=m
CONFIG_CRYPTO_ESSIV=y CONFIG_CRYPTO_ESSIV=y
CONFIG_CRYPTO_FCRYPT=m CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_FIPS=y CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API" CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
CONFIG_CRYPTO_GCM=y CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_GHASH=y CONFIG_CRYPTO_GHASH=y

View File

@ -2919,7 +2919,7 @@ CONFIG_CRYPTO_ECHAINIV=y
CONFIG_CRYPTO_ESSIV=y CONFIG_CRYPTO_ESSIV=y
CONFIG_CRYPTO_FCRYPT=y CONFIG_CRYPTO_FCRYPT=y
CONFIG_CRYPTO_FIPS=y CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API" CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
CONFIG_CRYPTO_GCM=y CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_GHASH=y CONFIG_CRYPTO_GHASH=y

View File

@ -2771,7 +2771,7 @@ CONFIG_CRYPTO_ECHAINIV=m
CONFIG_CRYPTO_ESSIV=y CONFIG_CRYPTO_ESSIV=y
CONFIG_CRYPTO_FCRYPT=m CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_FIPS=y CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API" CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
CONFIG_CRYPTO_GCM=y CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_GHASH=y CONFIG_CRYPTO_GHASH=y

View File

@ -2650,7 +2650,7 @@ CONFIG_CRYPTO_ECHAINIV=m
CONFIG_CRYPTO_ESSIV=y CONFIG_CRYPTO_ESSIV=y
CONFIG_CRYPTO_FCRYPT=m CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_FIPS=y CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API" CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
CONFIG_CRYPTO_GCM=y CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_GHASH=y CONFIG_CRYPTO_GHASH=y

View File

@ -2711,7 +2711,7 @@ CONFIG_CRYPTO_ECHAINIV=m
CONFIG_CRYPTO_ESSIV=y CONFIG_CRYPTO_ESSIV=y
CONFIG_CRYPTO_FCRYPT=m CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_FIPS=y CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API" CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
CONFIG_CRYPTO_GCM=y CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_GHASH=y CONFIG_CRYPTO_GHASH=y

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -5,9 +5,9 @@ prompt = no
x509_extensions = myexts x509_extensions = myexts
[ req_distinguished_name ] [ req_distinguished_name ]
O = Red Hat O = AlmaLinux
CN = Red Hat Enterprise Linux kernel signing key CN = AlmaLinux kernel signing key
emailAddress = secalert@redhat.com emailAddress = security@almalinux.org
[ myexts ] [ myexts ]
basicConstraints=critical,CA:FALSE basicConstraints=critical,CA:FALSE

View File

@ -15,7 +15,7 @@
%global distro_build 425 %global distro_build 425
# Sign the x86_64 kernel for secure boot authentication # Sign the x86_64 kernel for secure boot authentication
%ifarch x86_64 aarch64 s390x ppc64le %ifarch x86_64 aarch64
%global signkernel 1 %global signkernel 1
%else %else
%global signkernel 0 %global signkernel 0
@ -218,14 +218,14 @@
%define with_bpftool 1 %define with_bpftool 1
%endif %endif
%ifnarch noarch %ifnarch x86_64
%define with_kernel_abi_stablelists 0 %define with_kernel_abi_stablelists 0
%endif %endif
# Overrides for generic default options # Overrides for generic default options
# only package docs noarch # only package docs noarch
%ifnarch noarch %ifnarch x86_64
%define with_doc 0 %define with_doc 0
%define doc_build_fail true %define doc_build_fail true
%endif %endif
@ -347,6 +347,9 @@ Requires: rt-setup
%endif %endif
%endif %endif
Provides: almalinux(kernel-sig-key) = 202303
Conflicts: shim-ia32 <= 15.6-1.el8.alma
Conflicts: shim-x64 <= 15.6-1.el8.alma
# #
# List the packages used during the kernel build # List the packages used during the kernel build
@ -446,34 +449,11 @@ Source9: x509.genkey
%define signing_key_filename kernel-signing-s390.cer %define signing_key_filename kernel-signing-s390.cer
%endif %endif
Source10: redhatsecurebootca3.cer Source11: almalinuxsecurebootca0.cer
Source11: redhatsecurebootca5.cer
Source12: redhatsecureboot301.cer
Source13: redhatsecureboot501.cer
Source14: secureboot_s390.cer
Source15: secureboot_ppc.cer
Source16: redhatsecurebootca7.cer
%define secureboot_ca_0 %{SOURCE10} %define secureboot_ca_0 %{SOURCE11}
%define secureboot_ca_1 %{SOURCE11} %define secureboot_key_0 %{SOURCE11}
%define secureboot_ca_2 %{SOURCE16} %define pesign_name_0 almalinuxsecurebootca0
%ifarch x86_64 aarch64
%define secureboot_key_0 %{SOURCE12}
%define pesign_name_0 redhatsecureboot301
%define secureboot_key_1 %{SOURCE13}
%define pesign_name_1 redhatsecureboot501
%endif
%ifarch s390x
%define secureboot_key_0 %{SOURCE14}
%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
%define secureboot_key_0 %{SOURCE15}
%define pesign_name_0 redhatsecureboot701
%endif
Source17: mod-blacklist.sh Source17: mod-blacklist.sh
Source18: mod-sign.sh Source18: mod-sign.sh
@ -502,8 +482,8 @@ Source43: generate_bls_conf.sh
Source44: mod-internal.list Source44: mod-internal.list
Source100: rheldup3.x509 # Source100: rheldup3.x509
Source101: rhelkpatch1.x509 # Source101: rhelkpatch1.x509
%if %{with_kabichk} %if %{with_kabichk}
Source200: check-kabi Source200: check-kabi
@ -531,23 +511,30 @@ Source2000: cpupower.service
Source2001: cpupower.config Source2001: cpupower.config
Source2002: kvm_stat.logrotate Source2002: kvm_stat.logrotate
Source9000: almalinux.pem
# CI gating config # CI gating config
Source4000: gating.yaml Source4000: gating.yaml
# rpminspect config # rpminspect config
Source4001: rpminspect.yaml Source4001: rpminspect.yaml
## Patches needed for building this package ## Patches needed for building this package
# empty final patch to facilitate testing of kernel patches # empty final patch to facilitate testing of kernel patches
Patch999999: linux-kernel-test.patch Patch999999: linux-kernel-test.patch
Patch1000: debrand-single-cpu.patch
# Patch1001: debrand-rh_taint.patch
Patch1002: debrand-rh-i686-cpu.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root
%description %description
This is the package which provides the Linux %{name} for Red Hat Enterprise This is the package which provides the Linux %{name} for AlmaLinux.
Linux. It is based on upstream Linux at version %{version} and maintains kABI It is based on upstream Linux at version %{version} and maintains kABI
compatibility of a set of approved symbols, however it is heavily modified with compatibility of a set of approved symbols, however it is heavily modified with
backports and fixes pulled from newer upstream Linux %{name} releases. This means backports and fixes pulled from newer upstream Linux %{name} releases. This means
this is not a %{version} kernel anymore: it includes several components which come this is not a %{version} kernel anymore: it includes several components which come
@ -555,7 +542,7 @@ from newer upstream linux versions, while maintaining a well tested and stable
core. Some of the components/backports that may be pulled in are: changes like core. Some of the components/backports that may be pulled in are: changes like
updates to the core kernel (eg.: scheduler, cgroups, memory management, security updates to the core kernel (eg.: scheduler, cgroups, memory management, security
fixes and features), updates to block layer, supported filesystems, major driver fixes and features), updates to block layer, supported filesystems, major driver
updates for supported hardware in Red Hat Enterprise Linux, enhancements for updates for supported hardware in AlmaLinux, enhancements for
enterprise customers, etc. enterprise customers, etc.
# #
@ -590,6 +577,7 @@ AutoProv: yes\
%package doc %package doc
Summary: Various documentation bits found in the kernel source Summary: Various documentation bits found in the kernel source
Group: Documentation Group: Documentation
BuildArch: noarch
%description doc %description doc
This package contains documentation files from the kernel This package contains documentation files from the kernel
source. Various bits of information about the Linux kernel and the source. Various bits of information about the Linux kernel and the
@ -802,6 +790,7 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio
Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists
Group: System Environment/Kernel Group: System Environment/Kernel
AutoReqProv: no AutoReqProv: no
BuildArch: noarch
Obsoletes: %{name}-abi-whitelists < %{rpmversion}-%{pkg_release} Obsoletes: %{name}-abi-whitelists < %{rpmversion}-%{pkg_release}
Provides: %{name}-abi-whitelists Provides: %{name}-abi-whitelists
%description -n %{name}-abi-stablelists %description -n %{name}-abi-stablelists
@ -815,8 +804,8 @@ Summary: The baseline dataset for kABI verification using DWARF data
Group: System Environment/Kernel Group: System Environment/Kernel
AutoReqProv: no AutoReqProv: no
%description kernel-kabidw-base-internal %description kernel-kabidw-base-internal
The package contains data describing the current ABI of the Red Hat Enterprise The package contains data describing the current ABI of the AlmaLinux
Linux kernel, suitable for the kabi-dw tool. kernel, suitable for the kabi-dw tool.
%endif %endif
# #
@ -890,7 +879,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
AutoReq: no\ AutoReq: no\
AutoProv: yes\ AutoProv: yes\
%description %{?1:%{1}-}modules-internal\ %description %{?1:%{1}-}modules-internal\
This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\ This package provides kernel modules for the %{?2:%{2} }kernel package for AlmaLinux internal usage.\
%{nil} %{nil}
# #
@ -1088,10 +1077,14 @@ ApplyOptionalPatch()
} }
%setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c %setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c
cp -v %{SOURCE9000} linux-%{rpmversion}-%{pkgrelease}/certs/rhel.pem
mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL} mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL}
cd linux-%{KVERREL} cd linux-%{KVERREL}
ApplyOptionalPatch debrand-single-cpu.patch
# ApplyOptionalPatch debrand-rh_taint.patch
ApplyOptionalPatch debrand-rh-i686-cpu.patch
ApplyOptionalPatch linux-kernel-test.patch ApplyOptionalPatch linux-kernel-test.patch
# END OF PATCH APPLICATIONS # END OF PATCH APPLICATIONS
@ -1161,11 +1154,11 @@ done
# Add DUP and kpatch certificates to system trusted keys for RHEL # Add DUP and kpatch certificates to system trusted keys for RHEL
%if %{signkernel}%{signmodules} %if %{signkernel}%{signmodules}
openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem # openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem # openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem # cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem
%ifarch ppc64le %ifarch ppc64le
openssl x509 -inform der -in %{secureboot_ca_2} -out secureboot.pem openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
cat secureboot.pem >> ../certs/rhel.pem cat secureboot.pem >> ../certs/rhel.pem
%endif %endif
for i in *.config; do for i in *.config; do
@ -1316,9 +1309,7 @@ BuildKernel() {
fi fi
%ifarch x86_64 aarch64 %ifarch x86_64 aarch64
%pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
%pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
rm vmlinuz.tmp
%endif %endif
%ifarch s390x ppc64le %ifarch s390x ppc64le
if [ -x /usr/bin/rpm-sign ]; then if [ -x /usr/bin/rpm-sign ]; then
@ -1740,12 +1731,11 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
%ifarch x86_64 aarch64 %ifarch x86_64 aarch64
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20210114.cer
install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer ln -s kernel-signing-ca-20210114.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%else %else
%ifarch ppc64le %ifarch ppc64le
install -m 0644 %{secureboot_ca_2} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%else %else
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%endif %endif