Update to v6.12.0-rc7 20241111

2024-11-12 14:11:38 +09:00 · 2024-11-12 14:11:38 +09:00 · adcb3a2875
commit adcb3a2875
parent 0680cfe31b
3 changed files with 8 additions and 620 deletions
--- a/.raspberrypi2.metadata
+++ b/.raspberrypi2.metadata
@ -1,2 +1,2 @@
 ac72e2f196857ecf73167250e87d33838a3859f7  SOURCES/1.20241008.tar.gz
-7c13fdfb9aeaad427d53500612a49849afb9cc7a  SOURCES/efda653d39a46aa5ed2d5f8af420c1e4eddb2dca.tar.gz
+4b879d0d4a701bbd4afa7abefe6987289ca45851  SOURCES/bf70ebd2aa440a2dc3626d6e836482a445470e64.tar.gz
--- a/SOURCES/openssl-3.0.patch
+++ b/SOURCES/openssl-3.0.patch
@ -1,613 +0,0 @@
 From 1fdf61d4739f818edb85e50f7fa4c474196a0b0a Mon Sep 17 00:00:00 2001
 From: Jan Stancek <jstancek@redhat.com>
 Date: Fri, 12 Jul 2024 09:11:14 +0200
 Subject: [PATCH 1/3] sign-file,extract-cert: move common SSL helper functions
 to a header
 Couple error handling helpers are repeated in both tools, so
 move them to a common header.
 Signed-off-by: Jan Stancek <jstancek@redhat.com>
 Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
 Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
 Reviewed-by: Neal Gompa <neal@gompa.dev>
 Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
 ---
 MAINTAINERS          |  1 +
 certs/Makefile       |  2 +-
 certs/extract-cert.c | 37 ++-----------------------------------
 scripts/sign-file.c  | 37 ++-----------------------------------
 scripts/ssl-common.h | 39 +++++++++++++++++++++++++++++++++++++++
 5 files changed, 45 insertions(+), 71 deletions(-)
 create mode 100644 scripts/ssl-common.h
 diff --git a/MAINTAINERS b/MAINTAINERS
 index 6a6e2941c497..7aa208b18267 100644
 --- a/MAINTAINERS
 +++ b/MAINTAINERS
@@ -4823,6 +4823,7 @@ S:	Maintained
 F:	Documentation/admin-guide/module-signing.rst
 F:	certs/
 F:	scripts/sign-file.c
 +F:	scripts/ssl-common.h
 F:	tools/certs/
 CFAG12864B LCD DRIVER
 diff --git a/certs/Makefile b/certs/Makefile
 index 799ad7b9e68a..67e1f2707c2f 100644
 --- a/certs/Makefile
 +++ b/certs/Makefile
@@ -84,5 +84,5 @@ targets += x509_revocation_list
 hostprogs := extract-cert
 -HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null)
 +HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null) -I$(srctree)/scripts
 HOSTLDLIBS_extract-cert = $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto)
 diff --git a/certs/extract-cert.c b/certs/extract-cert.c
 index 70e9ec89d87d..8e7ba9974a1f 100644
 --- a/certs/extract-cert.c
 +++ b/certs/extract-cert.c
@@ -23,6 +23,8 @@
 #include <openssl/err.h>
 #include <openssl/engine.h>
 +#include "ssl-common.h"
 +
 /*
  * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
  *
@@ -40,41 +42,6 @@ void format(void)
 	exit(2);
 }
 -static void display_openssl_errors(int l)
 -{
 -	const char *file;
 -	char buf[120];
 -	int e, line;
 -
 -	if (ERR_peek_error() == 0)
 -		return;
 -	fprintf(stderr, "At main.c:%d:\n", l);
 -
 -	while ((e = ERR_get_error_line(&file, &line))) {
 -		ERR_error_string(e, buf);
 -		fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
 -	}
 -}
 -
 -static void drain_openssl_errors(void)
 -{
 -	const char *file;
 -	int line;
 -
 -	if (ERR_peek_error() == 0)
 -		return;
 -	while (ERR_get_error_line(&file, &line)) {}
 -}
 -
 -#define ERR(cond, fmt, ...)				\
 -	do {						\
 -		bool __cond = (cond);			\
 -		display_openssl_errors(__LINE__);	\
 -		if (__cond) {				\
 -			err(1, fmt, ## __VA_ARGS__);	\
 -		}					\
 -	} while(0)
 -
 static const char *key_pass;
 static BIO *wb;
 static char *cert_dst;
 diff --git a/scripts/sign-file.c b/scripts/sign-file.c
 index 3edb156ae52c..39ba58db5d4e 100644
 --- a/scripts/sign-file.c
 +++ b/scripts/sign-file.c
@@ -29,6 +29,8 @@
 #include <openssl/err.h>
 #include <openssl/engine.h>
 +#include "ssl-common.h"
 +
 /*
  * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
  *
@@ -83,41 +85,6 @@ void format(void)
 	exit(2);
 }
 -static void display_openssl_errors(int l)
 -{
 -	const char *file;
 -	char buf[120];
 -	int e, line;
 -
 -	if (ERR_peek_error() == 0)
 -		return;
 -	fprintf(stderr, "At main.c:%d:\n", l);
 -
 -	while ((e = ERR_get_error_line(&file, &line))) {
 -		ERR_error_string(e, buf);
 -		fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
 -	}
 -}
 -
 -static void drain_openssl_errors(void)
 -{
 -	const char *file;
 -	int line;
 -
 -	if (ERR_peek_error() == 0)
 -		return;
 -	while (ERR_get_error_line(&file, &line)) {}
 -}
 -
 -#define ERR(cond, fmt, ...)				\
 -	do {						\
 -		bool __cond = (cond);			\
 -		display_openssl_errors(__LINE__);	\
 -		if (__cond) {				\
 -			errx(1, fmt, ## __VA_ARGS__);	\
 -		}					\
 -	} while(0)
 -
 static const char *key_pass;
 static int pem_pw_cb(char *buf, int len, int w, void *v)
 diff --git a/scripts/ssl-common.h b/scripts/ssl-common.h
 new file mode 100644
 index 000000000000..e6711c75ed91
 --- /dev/null
 +++ b/scripts/ssl-common.h
@@ -0,0 +1,39 @@
 +/* SPDX-License-Identifier: LGPL-2.1+ */
 +/*
 + * SSL helper functions shared by sign-file and extract-cert.
 + */
 +
 +static void display_openssl_errors(int l)
 +{
 +	const char *file;
 +	char buf[120];
 +	int e, line;
 +
 +	if (ERR_peek_error() == 0)
 +		return;
 +	fprintf(stderr, "At main.c:%d:\n", l);
 +
 +	while ((e = ERR_get_error_line(&file, &line))) {
 +		ERR_error_string(e, buf);
 +		fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
 +	}
 +}
 +
 +static void drain_openssl_errors(void)
 +{
 +	const char *file;
 +	int line;
 +
 +	if (ERR_peek_error() == 0)
 +		return;
 +	while (ERR_get_error_line(&file, &line)) {}
 +}
 +
 +#define ERR(cond, fmt, ...)				\
 +	do {						\
 +		bool __cond = (cond);			\
 +		display_openssl_errors(__LINE__);	\
 +		if (__cond) {				\
 +			errx(1, fmt, ## __VA_ARGS__);	\
 +		}					\
 +	} while (0)
 -- 
 2.46.2
 From 98dbd2b45aa5185d63b839f482d43c16b71f31a5 Mon Sep 17 00:00:00 2001
 From: Jan Stancek <jstancek@redhat.com>
 Date: Fri, 12 Jul 2024 09:11:15 +0200
 Subject: [PATCH 2/3] sign-file,extract-cert: avoid using deprecated
 ERR_get_error_line()
 ERR_get_error_line() is deprecated since OpenSSL 3.0.
 Use ERR_peek_error_line() instead, and combine display_openssl_errors()
 and drain_openssl_errors() to a single function where parameter decides
 if it should consume errors silently.
 Signed-off-by: Jan Stancek <jstancek@redhat.com>
 Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
 Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
 Reviewed-by: Neal Gompa <neal@gompa.dev>
 Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
 ---
 certs/extract-cert.c |  4 ++--
 scripts/sign-file.c  |  6 +++---
 scripts/ssl-common.h | 23 ++++++++---------------
 3 files changed, 13 insertions(+), 20 deletions(-)
 diff --git a/certs/extract-cert.c b/certs/extract-cert.c
 index 8e7ba9974a1f..61bbe0085671 100644
 --- a/certs/extract-cert.c
 +++ b/certs/extract-cert.c
@@ -99,11 +99,11 @@ int main(int argc, char **argv)
 		parms.cert = NULL;
 		ENGINE_load_builtin_engines();
 -		drain_openssl_errors();
 +		drain_openssl_errors(__LINE__, 1);
 		e = ENGINE_by_id("pkcs11");
 		ERR(!e, "Load PKCS#11 ENGINE");
 		if (ENGINE_init(e))
 -			drain_openssl_errors();
 +			drain_openssl_errors(__LINE__, 1);
 		else
 			ERR(1, "ENGINE_init");
 		if (key_pass)
 diff --git a/scripts/sign-file.c b/scripts/sign-file.c
 index 39ba58db5d4e..bb3fdf1a617c 100644
 --- a/scripts/sign-file.c
 +++ b/scripts/sign-file.c
@@ -114,11 +114,11 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
 		ENGINE *e;
 		ENGINE_load_builtin_engines();
 -		drain_openssl_errors();
 +		drain_openssl_errors(__LINE__, 1);
 		e = ENGINE_by_id("pkcs11");
 		ERR(!e, "Load PKCS#11 ENGINE");
 		if (ENGINE_init(e))
 -			drain_openssl_errors();
 +			drain_openssl_errors(__LINE__, 1);
 		else
 			ERR(1, "ENGINE_init");
 		if (key_pass)
@@ -273,7 +273,7 @@ int main(int argc, char **argv)
 		/* Digest the module data. */
 		OpenSSL_add_all_digests();
 -		display_openssl_errors(__LINE__);
 +		drain_openssl_errors(__LINE__, 0);
 		digest_algo = EVP_get_digestbyname(hash_algo);
 		ERR(!digest_algo, "EVP_get_digestbyname");
 diff --git a/scripts/ssl-common.h b/scripts/ssl-common.h
 index e6711c75ed91..2db0e181143c 100644
 --- a/scripts/ssl-common.h
 +++ b/scripts/ssl-common.h
@@ -3,7 +3,7 @@
  * SSL helper functions shared by sign-file and extract-cert.
  */
 -static void display_openssl_errors(int l)
 +static void drain_openssl_errors(int l, int silent)
 {
 	const char *file;
 	char buf[120];
@@ -11,28 +11,21 @@ static void display_openssl_errors(int l)
 	if (ERR_peek_error() == 0)
 		return;
 -	fprintf(stderr, "At main.c:%d:\n", l);
 +	if (!silent)
 +		fprintf(stderr, "At main.c:%d:\n", l);
 -	while ((e = ERR_get_error_line(&file, &line))) {
 +	while ((e = ERR_peek_error_line(&file, &line))) {
 		ERR_error_string(e, buf);
 -		fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
 +		if (!silent)
 +			fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
 +		ERR_get_error();
 	}
 }
 -static void drain_openssl_errors(void)
 -{
 -	const char *file;
 -	int line;
 -
 -	if (ERR_peek_error() == 0)
 -		return;
 -	while (ERR_get_error_line(&file, &line)) {}
 -}
 -
 #define ERR(cond, fmt, ...)				\
 	do {						\
 		bool __cond = (cond);			\
 -		display_openssl_errors(__LINE__);	\
 +		drain_openssl_errors(__LINE__, 0);	\
 		if (__cond) {				\
 			errx(1, fmt, ## __VA_ARGS__);	\
 		}					\
 -- 
 2.46.2
 From eeffebeb081fcb81ae8a85b6a774dc14791dbc56 Mon Sep 17 00:00:00 2001
 From: Jan Stancek <jstancek@redhat.com>
 Date: Fri, 20 Sep 2024 19:52:48 +0300
 Subject: [PATCH 3/3] sign-file,extract-cert: use pkcs11 provider for OPENSSL
 MAJOR >= 3
 ENGINE API has been deprecated since OpenSSL version 3.0 [1].
 Distros have started dropping support from headers and in future
 it will likely disappear also from library.
 It has been superseded by the PROVIDER API, so use it instead
 for OPENSSL MAJOR >= 3.
 [1] https://github.com/openssl/openssl/blob/master/README-ENGINES.md
 [jarkko: fixed up alignment issues reported by checkpatch.pl --strict]
 Signed-off-by: Jan Stancek <jstancek@redhat.com>
 Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
 Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
 Reviewed-by: Neal Gompa <neal@gompa.dev>
 Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
 ---
 certs/extract-cert.c | 103 ++++++++++++++++++++++++++++++-------------
 scripts/sign-file.c  |  93 ++++++++++++++++++++++++++------------
 2 files changed, 138 insertions(+), 58 deletions(-)
 diff --git a/certs/extract-cert.c b/certs/extract-cert.c
 index 61bbe0085671..7d6d468ed612 100644
 --- a/certs/extract-cert.c
 +++ b/certs/extract-cert.c
@@ -21,17 +21,18 @@
 #include <openssl/bio.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
 -#include <openssl/engine.h>
 -
 +#if OPENSSL_VERSION_MAJOR >= 3
 +# define USE_PKCS11_PROVIDER
 +# include <openssl/provider.h>
 +# include <openssl/store.h>
 +#else
 +# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 +#  define USE_PKCS11_ENGINE
 +#  include <openssl/engine.h>
 +# endif
 +#endif
 #include "ssl-common.h"
 -/*
 - * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
 - *
 - * Remove this if/when that API is no longer used
 - */
 -#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 -
 #define PKEY_ID_PKCS7 2
 static __attribute__((noreturn))
@@ -61,6 +62,66 @@ static void write_cert(X509 *x509)
 		fprintf(stderr, "Extracted cert: %s\n", buf);
 }
 +static X509 *load_cert_pkcs11(const char *cert_src)
 +{
 +	X509 *cert = NULL;
 +#ifdef USE_PKCS11_PROVIDER
 +	OSSL_STORE_CTX *store;
 +
 +	if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
 +		ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
 +	if (!OSSL_PROVIDER_try_load(NULL, "default", true))
 +		ERR(1, "OSSL_PROVIDER_try_load(default)");
 +
 +	store = OSSL_STORE_open(cert_src, NULL, NULL, NULL, NULL);
 +	ERR(!store, "OSSL_STORE_open");
 +
 +	while (!OSSL_STORE_eof(store)) {
 +		OSSL_STORE_INFO *info = OSSL_STORE_load(store);
 +
 +		if (!info) {
 +			drain_openssl_errors(__LINE__, 0);
 +			continue;
 +		}
 +		if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_CERT) {
 +			cert = OSSL_STORE_INFO_get1_CERT(info);
 +			ERR(!cert, "OSSL_STORE_INFO_get1_CERT");
 +		}
 +		OSSL_STORE_INFO_free(info);
 +		if (cert)
 +			break;
 +	}
 +	OSSL_STORE_close(store);
 +#elif defined(USE_PKCS11_ENGINE)
 +		ENGINE *e;
 +		struct {
 +			const char *cert_id;
 +			X509 *cert;
 +		} parms;
 +
 +		parms.cert_id = cert_src;
 +		parms.cert = NULL;
 +
 +		ENGINE_load_builtin_engines();
 +		drain_openssl_errors(__LINE__, 1);
 +		e = ENGINE_by_id("pkcs11");
 +		ERR(!e, "Load PKCS#11 ENGINE");
 +		if (ENGINE_init(e))
 +			drain_openssl_errors(__LINE__, 1);
 +		else
 +			ERR(1, "ENGINE_init");
 +		if (key_pass)
 +			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
 +		ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
 +		ERR(!parms.cert, "Get X.509 from PKCS#11");
 +		cert = parms.cert;
 +#else
 +		fprintf(stderr, "no pkcs11 engine/provider available\n");
 +		exit(1);
 +#endif
 +	return cert;
 +}
 +
 int main(int argc, char **argv)
 {
 	char *cert_src;
@@ -89,28 +150,10 @@ int main(int argc, char **argv)
 		fclose(f);
 		exit(0);
 	} else if (!strncmp(cert_src, "pkcs11:", 7)) {
 -		ENGINE *e;
 -		struct {
 -			const char *cert_id;
 -			X509 *cert;
 -		} parms;
 +		X509 *cert = load_cert_pkcs11(cert_src);
 -		parms.cert_id = cert_src;
 -		parms.cert = NULL;
 -
 -		ENGINE_load_builtin_engines();
 -		drain_openssl_errors(__LINE__, 1);
 -		e = ENGINE_by_id("pkcs11");
 -		ERR(!e, "Load PKCS#11 ENGINE");
 -		if (ENGINE_init(e))
 -			drain_openssl_errors(__LINE__, 1);
 -		else
 -			ERR(1, "ENGINE_init");
 -		if (key_pass)
 -			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
 -		ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
 -		ERR(!parms.cert, "Get X.509 from PKCS#11");
 -		write_cert(parms.cert);
 +		ERR(!cert, "load_cert_pkcs11 failed");
 +		write_cert(cert);
 	} else {
 		BIO *b;
 		X509 *x509;
 diff --git a/scripts/sign-file.c b/scripts/sign-file.c
 index bb3fdf1a617c..7070245edfc1 100644
 --- a/scripts/sign-file.c
 +++ b/scripts/sign-file.c
@@ -27,17 +27,18 @@
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
 -#include <openssl/engine.h>
 -
 +#if OPENSSL_VERSION_MAJOR >= 3
 +# define USE_PKCS11_PROVIDER
 +# include <openssl/provider.h>
 +# include <openssl/store.h>
 +#else
 +# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 +#  define USE_PKCS11_ENGINE
 +#  include <openssl/engine.h>
 +# endif
 +#endif
 #include "ssl-common.h"
 -/*
 - * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
 - *
 - * Remove this if/when that API is no longer used
 - */
 -#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 -
 /*
  * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
  * assume that it's not available and its header file is missing and that we
@@ -106,28 +107,64 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
 	return pwlen;
 }
 -static EVP_PKEY *read_private_key(const char *private_key_name)
 +static EVP_PKEY *read_private_key_pkcs11(const char *private_key_name)
 {
 -	EVP_PKEY *private_key;
 +	EVP_PKEY *private_key = NULL;
 +#ifdef USE_PKCS11_PROVIDER
 +	OSSL_STORE_CTX *store;
 -	if (!strncmp(private_key_name, "pkcs11:", 7)) {
 -		ENGINE *e;
 +	if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
 +		ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
 +	if (!OSSL_PROVIDER_try_load(NULL, "default", true))
 +		ERR(1, "OSSL_PROVIDER_try_load(default)");
 +
 +	store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL);
 +	ERR(!store, "OSSL_STORE_open");
 -		ENGINE_load_builtin_engines();
 +	while (!OSSL_STORE_eof(store)) {
 +		OSSL_STORE_INFO *info = OSSL_STORE_load(store);
 +
 +		if (!info) {
 +			drain_openssl_errors(__LINE__, 0);
 +			continue;
 +		}
 +		if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
 +			private_key = OSSL_STORE_INFO_get1_PKEY(info);
 +			ERR(!private_key, "OSSL_STORE_INFO_get1_PKEY");
 +		}
 +		OSSL_STORE_INFO_free(info);
 +		if (private_key)
 +			break;
 +	}
 +	OSSL_STORE_close(store);
 +#elif defined(USE_PKCS11_ENGINE)
 +	ENGINE *e;
 +
 +	ENGINE_load_builtin_engines();
 +	drain_openssl_errors(__LINE__, 1);
 +	e = ENGINE_by_id("pkcs11");
 +	ERR(!e, "Load PKCS#11 ENGINE");
 +	if (ENGINE_init(e))
 		drain_openssl_errors(__LINE__, 1);
 -		e = ENGINE_by_id("pkcs11");
 -		ERR(!e, "Load PKCS#11 ENGINE");
 -		if (ENGINE_init(e))
 -			drain_openssl_errors(__LINE__, 1);
 -		else
 -			ERR(1, "ENGINE_init");
 -		if (key_pass)
 -			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
 -			    "Set PKCS#11 PIN");
 -		private_key = ENGINE_load_private_key(e, private_key_name,
 -						      NULL, NULL);
 -		ERR(!private_key, "%s", private_key_name);
 +	else
 +		ERR(1, "ENGINE_init");
 +	if (key_pass)
 +		ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
 +	private_key = ENGINE_load_private_key(e, private_key_name, NULL, NULL);
 +	ERR(!private_key, "%s", private_key_name);
 +#else
 +	fprintf(stderr, "no pkcs11 engine/provider available\n");
 +	exit(1);
 +#endif
 +	return private_key;
 +}
 +
 +static EVP_PKEY *read_private_key(const char *private_key_name)
 +{
 +	if (!strncmp(private_key_name, "pkcs11:", 7)) {
 +		return read_private_key_pkcs11(private_key_name);
 	} else {
 +		EVP_PKEY *private_key;
 		BIO *b;
 		b = BIO_new_file(private_key_name, "rb");
@@ -136,9 +173,9 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
 						      NULL);
 		ERR(!private_key, "%s", private_key_name);
 		BIO_free(b);
 -	}
 -	return private_key;
 +		return private_key;
 +	}
 }
 static X509 *read_x509(const char *x509_name)
 -- 
 2.46.2
--- a/SPECS/raspberrypi2.spec
+++ b/SPECS/raspberrypi2.spec
@ -1,5 +1,5 @@
 %global firmware_tag	1.20241008
-%global version_tag	efda653d39a46aa5ed2d5f8af420c1e4eddb2dca
+%global version_tag	bf70ebd2aa440a2dc3626d6e836482a445470e64
 ExclusiveArch: aarch64
@ -18,8 +18,8 @@ ExclusiveArch: aarch64
 %define rpisuffix 2
 %define ksuffix 4
-%define kversion 6.11
+%define kversion 6.12
-%define patchlevel 7
+%define patchlevel 0
 %if 0%{?rhel} >= 10
 %define pathfix %{__python3} %{_rpmconfigdir}/redhat/pathfix.py
@ -38,14 +38,13 @@ ExclusiveArch: aarch64
 Name:           raspberrypi%{rpisuffix}
 Version:        %{kversion}.%{patchlevel}
-Release:        20241110.%{local_version}.%{extra_version}%{?dist}
+Release:        20241111.%{local_version}.%{extra_version}%{?dist}
 Summary:        Specific kernel and bootcode for Raspberry Pi
 License:        GPLv2
 URL:            https://github.com/raspberrypi/linux
 Source0:        https://github.com/raspberrypi/linux/archive/%{version_tag}.tar.gz
 Source1:        https://github.com/raspberrypi/firmware/archive/refs/tags/%{firmware_tag}.tar.gz
 Patch1:         openssl-3.0.patch
 Patch100:       config_2711.patch
 Patch101:       config_2712.patch
 # Sources for kernel-tools
@ -172,7 +171,6 @@ glibc package.
 %prep
 %setup -q -n linux-%{version_tag}
 %patch -P 1 -p1
 %patch -P 100 -p1
 %patch -P 101 -p1
 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile
@ -440,6 +438,9 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
 %endif
 %changelog
 * Tue Nov 12 2024 Koichiro Iwao <meta@almalinux.org> - 6.12.0-20241111.v8.1
 - Update kernel to v6.12.0-rc720241110 bf70ebd2
 * Tue Nov 12 2024 Koichiro Iwao <meta@almalinux.org> - 6.11.7-20241110.v8.1
 - Update kernel to v6.11.7 20241110 efda653d
`@ -1,2 +1,2 @@`
	`ac72e2f196857ecf73167250e87d33838a3859f7 SOURCES/1.20241008.tar.gz`	`ac72e2f196857ecf73167250e87d33838a3859f7 SOURCES/1.20241008.tar.gz`
	`7c13fdfb9aeaad427d53500612a49849afb9cc7a SOURCES/efda653d39a46aa5ed2d5f8af420c1e4eddb2dca.tar.gz`	`4b879d0d4a701bbd4afa7abefe6987289ca45851 SOURCES/bf70ebd2aa440a2dc3626d6e836482a445470e64.tar.gz`