Update to v6.12.0-rc7 20241111

2024-11-12 14:11:38 +09:00 · 2024-11-12 14:11:38 +09:00 · adcb3a2875
commit adcb3a2875
parent 0680cfe31b
3 changed files with 8 additions and 620 deletions
--- a/.raspberrypi2.metadata
+++ b/.raspberrypi2.metadata
@ -1,2 +1,2 @@
 ac72e2f196857ecf73167250e87d33838a3859f7  SOURCES/1.20241008.tar.gz
-7c13fdfb9aeaad427d53500612a49849afb9cc7a  SOURCES/efda653d39a46aa5ed2d5f8af420c1e4eddb2dca.tar.gz
+4b879d0d4a701bbd4afa7abefe6987289ca45851  SOURCES/bf70ebd2aa440a2dc3626d6e836482a445470e64.tar.gz
--- a/SOURCES/openssl-3.0.patch
+++ b/SOURCES/openssl-3.0.patch
@ -1,613 +0,0 @@
-From 1fdf61d4739f818edb85e50f7fa4c474196a0b0a Mon Sep 17 00:00:00 2001
-From: Jan Stancek <jstancek@redhat.com>
-Date: Fri, 12 Jul 2024 09:11:14 +0200
-Subject: [PATCH 1/3] sign-file,extract-cert: move common SSL helper functions
- to a header
-
-Couple error handling helpers are repeated in both tools, so
-move them to a common header.
-
-Signed-off-by: Jan Stancek <jstancek@redhat.com>
-Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
-Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
-Reviewed-by: Neal Gompa <neal@gompa.dev>
-Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
- MAINTAINERS          |  1 +
- certs/Makefile       |  2 +-
- certs/extract-cert.c | 37 ++-----------------------------------
- scripts/sign-file.c  | 37 ++-----------------------------------
- scripts/ssl-common.h | 39 +++++++++++++++++++++++++++++++++++++++
- 5 files changed, 45 insertions(+), 71 deletions(-)
- create mode 100644 scripts/ssl-common.h
-
-diff --git a/MAINTAINERS b/MAINTAINERS
-index 6a6e2941c497..7aa208b18267 100644
--- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -4823,6 +4823,7 @@ S:	Maintained
- F:	Documentation/admin-guide/module-signing.rst
- F:	certs/
- F:	scripts/sign-file.c
-+F:	scripts/ssl-common.h
- F:	tools/certs/
- 
- CFAG12864B LCD DRIVER
-diff --git a/certs/Makefile b/certs/Makefile
-index 799ad7b9e68a..67e1f2707c2f 100644
--- a/certs/Makefile
-+++ b/certs/Makefile
-@@ -84,5 +84,5 @@ targets += x509_revocation_list
- 
- hostprogs := extract-cert
- 
-HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null)
-+HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null) -I$(srctree)/scripts
- HOSTLDLIBS_extract-cert = $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto)
-diff --git a/certs/extract-cert.c b/certs/extract-cert.c
-index 70e9ec89d87d..8e7ba9974a1f 100644
--- a/certs/extract-cert.c
-+++ b/certs/extract-cert.c
-@@ -23,6 +23,8 @@
- #include <openssl/err.h>
- #include <openssl/engine.h>
- 
-+#include "ssl-common.h"
-+
- /*
-  * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
-  *
-@@ -40,41 +42,6 @@ void format(void)
- 	exit(2);
- }
- 
-static void display_openssl_errors(int l)
-{
-	const char *file;
-	char buf[120];
-	int e, line;
-
-	if (ERR_peek_error() == 0)
-		return;
-	fprintf(stderr, "At main.c:%d:\n", l);
-
-	while ((e = ERR_get_error_line(&file, &line))) {
-		ERR_error_string(e, buf);
-		fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
-	}
-}
-
-static void drain_openssl_errors(void)
-{
-	const char *file;
-	int line;
-
-	if (ERR_peek_error() == 0)
-		return;
-	while (ERR_get_error_line(&file, &line)) {}
-}
-
-#define ERR(cond, fmt, ...)				\
-	do {						\
-		bool __cond = (cond);			\
-		display_openssl_errors(__LINE__);	\
-		if (__cond) {				\
-			err(1, fmt, ## __VA_ARGS__);	\
-		}					\
-	} while(0)
-
- static const char *key_pass;
- static BIO *wb;
- static char *cert_dst;
-diff --git a/scripts/sign-file.c b/scripts/sign-file.c
-index 3edb156ae52c..39ba58db5d4e 100644
--- a/scripts/sign-file.c
-+++ b/scripts/sign-file.c
-@@ -29,6 +29,8 @@
- #include <openssl/err.h>
- #include <openssl/engine.h>
- 
-+#include "ssl-common.h"
-+
- /*
-  * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
-  *
-@@ -83,41 +85,6 @@ void format(void)
- 	exit(2);
- }
- 
-static void display_openssl_errors(int l)
-{
-	const char *file;
-	char buf[120];
-	int e, line;
-
-	if (ERR_peek_error() == 0)
-		return;
-	fprintf(stderr, "At main.c:%d:\n", l);
-
-	while ((e = ERR_get_error_line(&file, &line))) {
-		ERR_error_string(e, buf);
-		fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
-	}
-}
-
-static void drain_openssl_errors(void)
-{
-	const char *file;
-	int line;
-
-	if (ERR_peek_error() == 0)
-		return;
-	while (ERR_get_error_line(&file, &line)) {}
-}
-
-#define ERR(cond, fmt, ...)				\
-	do {						\
-		bool __cond = (cond);			\
-		display_openssl_errors(__LINE__);	\
-		if (__cond) {				\
-			errx(1, fmt, ## __VA_ARGS__);	\
-		}					\
-	} while(0)
-
- static const char *key_pass;
- 
- static int pem_pw_cb(char *buf, int len, int w, void *v)
-diff --git a/scripts/ssl-common.h b/scripts/ssl-common.h
-new file mode 100644
-index 000000000000..e6711c75ed91
--- /dev/null
-+++ b/scripts/ssl-common.h
-@@ -0,0 +1,39 @@
-+/* SPDX-License-Identifier: LGPL-2.1+ */
-+/*
-+ * SSL helper functions shared by sign-file and extract-cert.
-+ */
-+
-+static void display_openssl_errors(int l)
-+{
-+	const char *file;
-+	char buf[120];
-+	int e, line;
-+
-+	if (ERR_peek_error() == 0)
-+		return;
-+	fprintf(stderr, "At main.c:%d:\n", l);
-+
-+	while ((e = ERR_get_error_line(&file, &line))) {
-+		ERR_error_string(e, buf);
-+		fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
-+	}
-+}
-+
-+static void drain_openssl_errors(void)
-+{
-+	const char *file;
-+	int line;
-+
-+	if (ERR_peek_error() == 0)
-+		return;
-+	while (ERR_get_error_line(&file, &line)) {}
-+}
-+
-+#define ERR(cond, fmt, ...)				\
-+	do {						\
-+		bool __cond = (cond);			\
-+		display_openssl_errors(__LINE__);	\
-+		if (__cond) {				\
-+			errx(1, fmt, ## __VA_ARGS__);	\
-+		}					\
-+	} while (0)
-- 
-2.46.2
-
-
-From 98dbd2b45aa5185d63b839f482d43c16b71f31a5 Mon Sep 17 00:00:00 2001
-From: Jan Stancek <jstancek@redhat.com>
-Date: Fri, 12 Jul 2024 09:11:15 +0200
-Subject: [PATCH 2/3] sign-file,extract-cert: avoid using deprecated
- ERR_get_error_line()
-
-ERR_get_error_line() is deprecated since OpenSSL 3.0.
-
-Use ERR_peek_error_line() instead, and combine display_openssl_errors()
-and drain_openssl_errors() to a single function where parameter decides
-if it should consume errors silently.
-
-Signed-off-by: Jan Stancek <jstancek@redhat.com>
-Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
-Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
-Reviewed-by: Neal Gompa <neal@gompa.dev>
-Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
- certs/extract-cert.c |  4 ++--
- scripts/sign-file.c  |  6 +++---
- scripts/ssl-common.h | 23 ++++++++---------------
- 3 files changed, 13 insertions(+), 20 deletions(-)
-
-diff --git a/certs/extract-cert.c b/certs/extract-cert.c
-index 8e7ba9974a1f..61bbe0085671 100644
--- a/certs/extract-cert.c
-+++ b/certs/extract-cert.c
-@@ -99,11 +99,11 @@ int main(int argc, char **argv)
- 		parms.cert = NULL;
- 
- 		ENGINE_load_builtin_engines();
-		drain_openssl_errors();
-+		drain_openssl_errors(__LINE__, 1);
- 		e = ENGINE_by_id("pkcs11");
- 		ERR(!e, "Load PKCS#11 ENGINE");
- 		if (ENGINE_init(e))
-			drain_openssl_errors();
-+			drain_openssl_errors(__LINE__, 1);
- 		else
- 			ERR(1, "ENGINE_init");
- 		if (key_pass)
-diff --git a/scripts/sign-file.c b/scripts/sign-file.c
-index 39ba58db5d4e..bb3fdf1a617c 100644
--- a/scripts/sign-file.c
-+++ b/scripts/sign-file.c
-@@ -114,11 +114,11 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
- 		ENGINE *e;
- 
- 		ENGINE_load_builtin_engines();
-		drain_openssl_errors();
-+		drain_openssl_errors(__LINE__, 1);
- 		e = ENGINE_by_id("pkcs11");
- 		ERR(!e, "Load PKCS#11 ENGINE");
- 		if (ENGINE_init(e))
-			drain_openssl_errors();
-+			drain_openssl_errors(__LINE__, 1);
- 		else
- 			ERR(1, "ENGINE_init");
- 		if (key_pass)
-@@ -273,7 +273,7 @@ int main(int argc, char **argv)
- 
- 		/* Digest the module data. */
- 		OpenSSL_add_all_digests();
-		display_openssl_errors(__LINE__);
-+		drain_openssl_errors(__LINE__, 0);
- 		digest_algo = EVP_get_digestbyname(hash_algo);
- 		ERR(!digest_algo, "EVP_get_digestbyname");
- 
-diff --git a/scripts/ssl-common.h b/scripts/ssl-common.h
-index e6711c75ed91..2db0e181143c 100644
--- a/scripts/ssl-common.h
-+++ b/scripts/ssl-common.h
-@@ -3,7 +3,7 @@
-  * SSL helper functions shared by sign-file and extract-cert.
-  */
- 
-static void display_openssl_errors(int l)
-+static void drain_openssl_errors(int l, int silent)
- {
- 	const char *file;
- 	char buf[120];
-@@ -11,28 +11,21 @@ static void display_openssl_errors(int l)
- 
- 	if (ERR_peek_error() == 0)
- 		return;
-	fprintf(stderr, "At main.c:%d:\n", l);
-+	if (!silent)
-+		fprintf(stderr, "At main.c:%d:\n", l);
- 
-	while ((e = ERR_get_error_line(&file, &line))) {
-+	while ((e = ERR_peek_error_line(&file, &line))) {
- 		ERR_error_string(e, buf);
-		fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
-+		if (!silent)
-+			fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
-+		ERR_get_error();
- 	}
- }
- 
-static void drain_openssl_errors(void)
-{
-	const char *file;
-	int line;
-
-	if (ERR_peek_error() == 0)
-		return;
-	while (ERR_get_error_line(&file, &line)) {}
-}
-
- #define ERR(cond, fmt, ...)				\
- 	do {						\
- 		bool __cond = (cond);			\
-		display_openssl_errors(__LINE__);	\
-+		drain_openssl_errors(__LINE__, 0);	\
- 		if (__cond) {				\
- 			errx(1, fmt, ## __VA_ARGS__);	\
- 		}					\
-- 
-2.46.2
-
-
-From eeffebeb081fcb81ae8a85b6a774dc14791dbc56 Mon Sep 17 00:00:00 2001
-From: Jan Stancek <jstancek@redhat.com>
-Date: Fri, 20 Sep 2024 19:52:48 +0300
-Subject: [PATCH 3/3] sign-file,extract-cert: use pkcs11 provider for OPENSSL
- MAJOR >= 3
-
-ENGINE API has been deprecated since OpenSSL version 3.0 [1].
-Distros have started dropping support from headers and in future
-it will likely disappear also from library.
-
-It has been superseded by the PROVIDER API, so use it instead
-for OPENSSL MAJOR >= 3.
-
-[1] https://github.com/openssl/openssl/blob/master/README-ENGINES.md
-
-[jarkko: fixed up alignment issues reported by checkpatch.pl --strict]
-
-Signed-off-by: Jan Stancek <jstancek@redhat.com>
-Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
-Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
-Reviewed-by: Neal Gompa <neal@gompa.dev>
-Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
- certs/extract-cert.c | 103 ++++++++++++++++++++++++++++++-------------
- scripts/sign-file.c  |  93 ++++++++++++++++++++++++++------------
- 2 files changed, 138 insertions(+), 58 deletions(-)
-
-diff --git a/certs/extract-cert.c b/certs/extract-cert.c
-index 61bbe0085671..7d6d468ed612 100644
--- a/certs/extract-cert.c
-+++ b/certs/extract-cert.c
-@@ -21,17 +21,18 @@
- #include <openssl/bio.h>
- #include <openssl/pem.h>
- #include <openssl/err.h>
-#include <openssl/engine.h>
-
-+#if OPENSSL_VERSION_MAJOR >= 3
-+# define USE_PKCS11_PROVIDER
-+# include <openssl/provider.h>
-+# include <openssl/store.h>
-+#else
-+# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-+#  define USE_PKCS11_ENGINE
-+#  include <openssl/engine.h>
-+# endif
-+#endif
- #include "ssl-common.h"
- 
-/*
- * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
- *
- * Remove this if/when that API is no longer used
- */
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-
- #define PKEY_ID_PKCS7 2
- 
- static __attribute__((noreturn))
-@@ -61,6 +62,66 @@ static void write_cert(X509 *x509)
- 		fprintf(stderr, "Extracted cert: %s\n", buf);
- }
- 
-+static X509 *load_cert_pkcs11(const char *cert_src)
-+{
-+	X509 *cert = NULL;
-+#ifdef USE_PKCS11_PROVIDER
-+	OSSL_STORE_CTX *store;
-+
-+	if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
-+		ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
-+	if (!OSSL_PROVIDER_try_load(NULL, "default", true))
-+		ERR(1, "OSSL_PROVIDER_try_load(default)");
-+
-+	store = OSSL_STORE_open(cert_src, NULL, NULL, NULL, NULL);
-+	ERR(!store, "OSSL_STORE_open");
-+
-+	while (!OSSL_STORE_eof(store)) {
-+		OSSL_STORE_INFO *info = OSSL_STORE_load(store);
-+
-+		if (!info) {
-+			drain_openssl_errors(__LINE__, 0);
-+			continue;
-+		}
-+		if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_CERT) {
-+			cert = OSSL_STORE_INFO_get1_CERT(info);
-+			ERR(!cert, "OSSL_STORE_INFO_get1_CERT");
-+		}
-+		OSSL_STORE_INFO_free(info);
-+		if (cert)
-+			break;
-+	}
-+	OSSL_STORE_close(store);
-+#elif defined(USE_PKCS11_ENGINE)
-+		ENGINE *e;
-+		struct {
-+			const char *cert_id;
-+			X509 *cert;
-+		} parms;
-+
-+		parms.cert_id = cert_src;
-+		parms.cert = NULL;
-+
-+		ENGINE_load_builtin_engines();
-+		drain_openssl_errors(__LINE__, 1);
-+		e = ENGINE_by_id("pkcs11");
-+		ERR(!e, "Load PKCS#11 ENGINE");
-+		if (ENGINE_init(e))
-+			drain_openssl_errors(__LINE__, 1);
-+		else
-+			ERR(1, "ENGINE_init");
-+		if (key_pass)
-+			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
-+		ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
-+		ERR(!parms.cert, "Get X.509 from PKCS#11");
-+		cert = parms.cert;
-+#else
-+		fprintf(stderr, "no pkcs11 engine/provider available\n");
-+		exit(1);
-+#endif
-+	return cert;
-+}
-+
- int main(int argc, char **argv)
- {
- 	char *cert_src;
-@@ -89,28 +150,10 @@ int main(int argc, char **argv)
- 		fclose(f);
- 		exit(0);
- 	} else if (!strncmp(cert_src, "pkcs11:", 7)) {
-		ENGINE *e;
-		struct {
-			const char *cert_id;
-			X509 *cert;
-		} parms;
-+		X509 *cert = load_cert_pkcs11(cert_src);
- 
-		parms.cert_id = cert_src;
-		parms.cert = NULL;
-
-		ENGINE_load_builtin_engines();
-		drain_openssl_errors(__LINE__, 1);
-		e = ENGINE_by_id("pkcs11");
-		ERR(!e, "Load PKCS#11 ENGINE");
-		if (ENGINE_init(e))
-			drain_openssl_errors(__LINE__, 1);
-		else
-			ERR(1, "ENGINE_init");
-		if (key_pass)
-			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
-		ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
-		ERR(!parms.cert, "Get X.509 from PKCS#11");
-		write_cert(parms.cert);
-+		ERR(!cert, "load_cert_pkcs11 failed");
-+		write_cert(cert);
- 	} else {
- 		BIO *b;
- 		X509 *x509;
-diff --git a/scripts/sign-file.c b/scripts/sign-file.c
-index bb3fdf1a617c..7070245edfc1 100644
--- a/scripts/sign-file.c
-+++ b/scripts/sign-file.c
-@@ -27,17 +27,18 @@
- #include <openssl/evp.h>
- #include <openssl/pem.h>
- #include <openssl/err.h>
-#include <openssl/engine.h>
-
-+#if OPENSSL_VERSION_MAJOR >= 3
-+# define USE_PKCS11_PROVIDER
-+# include <openssl/provider.h>
-+# include <openssl/store.h>
-+#else
-+# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-+#  define USE_PKCS11_ENGINE
-+#  include <openssl/engine.h>
-+# endif
-+#endif
- #include "ssl-common.h"
- 
-/*
- * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
- *
- * Remove this if/when that API is no longer used
- */
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-
- /*
-  * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
-  * assume that it's not available and its header file is missing and that we
-@@ -106,28 +107,64 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
- 	return pwlen;
- }
- 
-static EVP_PKEY *read_private_key(const char *private_key_name)
-+static EVP_PKEY *read_private_key_pkcs11(const char *private_key_name)
- {
-	EVP_PKEY *private_key;
-+	EVP_PKEY *private_key = NULL;
-+#ifdef USE_PKCS11_PROVIDER
-+	OSSL_STORE_CTX *store;
- 
-	if (!strncmp(private_key_name, "pkcs11:", 7)) {
-		ENGINE *e;
-+	if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
-+		ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
-+	if (!OSSL_PROVIDER_try_load(NULL, "default", true))
-+		ERR(1, "OSSL_PROVIDER_try_load(default)");
-+
-+	store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL);
-+	ERR(!store, "OSSL_STORE_open");
- 
-		ENGINE_load_builtin_engines();
-+	while (!OSSL_STORE_eof(store)) {
-+		OSSL_STORE_INFO *info = OSSL_STORE_load(store);
-+
-+		if (!info) {
-+			drain_openssl_errors(__LINE__, 0);
-+			continue;
-+		}
-+		if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
-+			private_key = OSSL_STORE_INFO_get1_PKEY(info);
-+			ERR(!private_key, "OSSL_STORE_INFO_get1_PKEY");
-+		}
-+		OSSL_STORE_INFO_free(info);
-+		if (private_key)
-+			break;
-+	}
-+	OSSL_STORE_close(store);
-+#elif defined(USE_PKCS11_ENGINE)
-+	ENGINE *e;
-+
-+	ENGINE_load_builtin_engines();
-+	drain_openssl_errors(__LINE__, 1);
-+	e = ENGINE_by_id("pkcs11");
-+	ERR(!e, "Load PKCS#11 ENGINE");
-+	if (ENGINE_init(e))
- 		drain_openssl_errors(__LINE__, 1);
-		e = ENGINE_by_id("pkcs11");
-		ERR(!e, "Load PKCS#11 ENGINE");
-		if (ENGINE_init(e))
-			drain_openssl_errors(__LINE__, 1);
-		else
-			ERR(1, "ENGINE_init");
-		if (key_pass)
-			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
-			    "Set PKCS#11 PIN");
-		private_key = ENGINE_load_private_key(e, private_key_name,
-						      NULL, NULL);
-		ERR(!private_key, "%s", private_key_name);
-+	else
-+		ERR(1, "ENGINE_init");
-+	if (key_pass)
-+		ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
-+	private_key = ENGINE_load_private_key(e, private_key_name, NULL, NULL);
-+	ERR(!private_key, "%s", private_key_name);
-+#else
-+	fprintf(stderr, "no pkcs11 engine/provider available\n");
-+	exit(1);
-+#endif
-+	return private_key;
-+}
-+
-+static EVP_PKEY *read_private_key(const char *private_key_name)
-+{
-+	if (!strncmp(private_key_name, "pkcs11:", 7)) {
-+		return read_private_key_pkcs11(private_key_name);
- 	} else {
-+		EVP_PKEY *private_key;
- 		BIO *b;
- 
- 		b = BIO_new_file(private_key_name, "rb");
-@@ -136,9 +173,9 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
- 						      NULL);
- 		ERR(!private_key, "%s", private_key_name);
- 		BIO_free(b);
-	}
- 
-	return private_key;
-+		return private_key;
-+	}
- }
- 
- static X509 *read_x509(const char *x509_name)
-- 
-2.46.2
-
--- a/SPECS/raspberrypi2.spec
+++ b/SPECS/raspberrypi2.spec
@ -1,5 +1,5 @@
 %global firmware_tag	1.20241008
-%global version_tag	efda653d39a46aa5ed2d5f8af420c1e4eddb2dca
+%global version_tag	bf70ebd2aa440a2dc3626d6e836482a445470e64

 ExclusiveArch: aarch64

@ -18,8 +18,8 @@ ExclusiveArch: aarch64
 %define rpisuffix 2
 %define ksuffix 4

-%define kversion 6.11
-%define patchlevel 7
+%define kversion 6.12
+%define patchlevel 0

 %if 0%{?rhel} >= 10
 %define pathfix %{__python3} %{_rpmconfigdir}/redhat/pathfix.py
@ -38,14 +38,13 @@ ExclusiveArch: aarch64

 Name:           raspberrypi%{rpisuffix}
 Version:        %{kversion}.%{patchlevel}
-Release:        20241110.%{local_version}.%{extra_version}%{?dist}
+Release:        20241111.%{local_version}.%{extra_version}%{?dist}
 Summary:        Specific kernel and bootcode for Raspberry Pi

 License:        GPLv2
 URL:            https://github.com/raspberrypi/linux
 Source0:        https://github.com/raspberrypi/linux/archive/%{version_tag}.tar.gz
 Source1:        https://github.com/raspberrypi/firmware/archive/refs/tags/%{firmware_tag}.tar.gz
-Patch1:         openssl-3.0.patch
 Patch100:       config_2711.patch
 Patch101:       config_2712.patch
 # Sources for kernel-tools
@ -172,7 +171,6 @@ glibc package.

 %prep
 %setup -q -n linux-%{version_tag}
-%patch -P 1 -p1
 %patch -P 100 -p1
 %patch -P 101 -p1
 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile
@ -440,6 +438,9 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
 %endif

 %changelog
+* Tue Nov 12 2024 Koichiro Iwao <meta@almalinux.org> - 6.12.0-20241111.v8.1
+- Update kernel to v6.12.0-rc720241110 bf70ebd2
+
 * Tue Nov 12 2024 Koichiro Iwao <meta@almalinux.org> - 6.11.7-20241110.v8.1
 - Update kernel to v6.11.7 20241110 efda653d