diff --git a/90-default.preset b/90-default.preset
index c462b65..3abff62 100644
--- a/90-default.preset
+++ b/90-default.preset
@@ -56,7 +56,7 @@ enable avahi-daemon.*
 enable cups.socket
 enable cups.path
-# RHELBLD-15232: We need the full service enabled to act as a print server
+# RHEL-37762: We need the full service enabled to act as a print server
 enable cups.service
 # The various syslog implementations
@@ -360,6 +360,10 @@ enable device_cio_free.service
 # https://bugzilla.redhat.com/show_bug.cgi?id=1630514
 enable stratisd.service
+# nvme auto connect
+# RHEL-76850
+enable nvmefc-boot-connections.service
+
 # Enable a service to finalize staged OSTree changes at shutdown
 # https://bugzilla.redhat.com/show_bug.cgi?id=1639372
 enable ostree-finalize-staged.path
@@ -419,9 +423,9 @@ enable thermald.service
 # https://pagure.io/fesco/issue/2457
 enable uresourced.service
-# enable power-profiles-daemon
-# https://pagure.io/fedora-workstation/issue/191
-enable power-profiles-daemon.service
+# enable tuned-ppd.service
+# https://issues.redhat.com/browse/RHEL-68853
+enable tuned-ppd.service
 # Enable clevis-luks-askpass.path
 # https://bugzilla.redhat.com/show_bug.cgi?id=2101719
@@ -465,3 +469,6 @@ enable cockpit.socket
 # https://fedoraproject.org/wiki/Changes/EnableFwupdRefreshByDefault
 enable fwupd-refresh.timer
+
+# RHEL-67012
+enable fips-crypto-policy-overlay.service
diff --git a/almalinux-crb.repo b/almalinux-crb.repo
index 2783373..0e4a896 100644
--- a/almalinux-crb.repo
+++ b/almalinux-crb.repo
@@ -2,7 +2,7 @@
 name=AlmaLinux $releasever - CRB
 mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/crb
 # baseurl=https://repo.almalinux.org/almalinux/$releasever/CRB/$basearch/os/
-enabled=0
+enabled=1
 gpgcheck=1
 countme=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-10
diff --git a/almalinux-release.spec b/almalinux-release.spec
index f2bf688..6d3dbff 100644
--- a/almalinux-release.spec
+++ b/almalinux-release.spec
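Review bot: The new entry at the end of 90-default.preset, `enable fips-crypto-policy-overlay.service`, is documented only by the ticket id `# RHEL-67012`, so someone auditing the default-enabled units cannot tell what the unit does or when it acts. A one-line description above it would help, for example `# Set up the FIPS crypto-policy overlay when the system boots in FIPS mode (RHEL-67012)`; that wording is my reading of the unit name and should be checked against the unit file. The nvmefc hunk has the same gap: `# nvme auto connect` could say which connections the unit establishes at boot.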
@@ -3,12 +3,12 @@
 %global major 10
 %global minor 0
 %global eol_date 2035-06-01
-%global beta Beta
 Name: almalinux-release
 Version: %{major}.%{minor}
-Release: 14.4%{?dist}
+Release: 32%{?dist}
 Summary: %{distro} release files
+Group: System Environment/Base
 License: GPL-2.0-or-later
 URL: https://almalinux.org
@@ -30,7 +30,8 @@ Provides: redhat-release = %{version}-%{release}
 # https://github.com/rpm-software-management/dnf/blob/4.2.23/dnf/const.py.in#L26
 Provides: system-release = %{version}-%{release}
 Provides: system-release(releasever) = %{major}
-Conflicts: system-release
+Provides: system-release(releasever_major) = %{major}
+Provides: system-release(releasever_minor) = %{minor}
 # required by libdnf
 # https://github.com/rpm-software-management/libdnf/blob/0.48.0/libdnf/module/ModulePackage.cpp#L472
@@ -45,7 +46,15 @@ Source302: 90-default-user.preset
 Source303: 99-default-disable.preset
 Source304: 50-redhat.conf
-Source400: alsecureboot001.cer
+Source400: alsecurebootca1.cer
+# kernel signing certificate
+Source401: alsecureboot1.cer
+# grub2 signing certificate
+Source402: alsecureboot1.cer
+# Fwupd signing certificate
+Source403: alsecureboot1.cer
+# UKI signing certificate
+Source404: alsecureboot1.cer
 Source500: almalinux-appstream.repo
 Source501: almalinux-baseos.repo
@@ -60,6 +69,8 @@ Source511: almalinux-rt.repo
 Source600: RPM-GPG-KEY-AlmaLinux-10
+Source700: macros.x86_64_v2
+
 %package -n almalinux-sb-certs
 Summary: %{distro} public secureboot certificates
 Group: System Environment/Base
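Review bot: The `Conflicts: system-release` tag is dropped in the hunk at -30,7 with no comment, and none of the changelog entries added by this commit mention it. If that tag was what kept a second distribution's release package, with its own repo files and GPG keys, from being installed next to this one, its removal changes which package sources a host can end up trusting. Please record the reason next to the Provides lines, e.g. `# Conflicts: system-release dropped: <reason placeholder>`, or keep the tag.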
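Review bot: Source401 through Source404 in the hunk at -45,7 all name the same file, `alsecureboot1.cer`, while the comment above each one reads as if it were a distinct certificate. Whether one certificate or four covers the kernel, grub2, fwupd and UKI matters when a key is rotated or revoked, so the sharing should be stated outright. A single comment above the group would do, e.g. `# kernel, grub2, fwupd and UKI currently share one signing certificate; one Source tag per role so a role can be re-keyed on its own`. The rationale in that wording is inferred and should be adjusted to the real one. Source400 also has no comment saying it is now the CA certificate.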
@@ -186,6 +197,13 @@ cat > %{buildroot}%{_rpmmacrodir}/macros.dist << EOF
 %%dist_bug_report_url %{dist_bug_report_url}
 EOF
+# make almalinux-release a protected package
+install -p -d -m 755 %{buildroot}%{_sysconfdir}/dnf/protected.d/
+touch almalinux-release.conf
+echo almalinux-release > almalinux-release.conf
+install -p -c -m 0644 almalinux-release.conf %{buildroot}%{_sysconfdir}/dnf/protected.d/
+rm -f almalinux-release.conf
+
 # use unbranded datadir
 install -d -m 0755 %{buildroot}%{_datadir}/almalinux-release
 ln -s almalinux-release %{buildroot}%{_datadir}/redhat-release
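Review bot: The added block builds `almalinux-release.conf` in the build's working directory, copies it into the buildroot and then deletes it, and the `touch` is redundant because the `echo ... >` on the next line creates the file anyway. Writing straight into the buildroot is shorter and leaves no stray file behind if a later step fails: `echo almalinux-release > %{buildroot}%{_sysconfdir}/dnf/protected.d/almalinux-release.conf`, followed by `chmod 0644` on that path. The %install section this block sits in starts and ends outside the hunk.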
@@ -216,29 +234,29 @@ install -d -m 0755 %{buildroot}%{_datadir}/pki/sb-certs/
 # Install aarch64 certs
 install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-aarch64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-aarch64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-aarch64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-aarch64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-aarch64.cer
+install -m 644 %{SOURCE401} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-aarch64.cer
+install -m 644 %{SOURCE402} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-aarch64.cer
+install -m 644 %{SOURCE403} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-aarch64.cer
+install -m 644 %{SOURCE404} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-aarch64.cer
 # Install x86_64 certs
 install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-x86_64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-x86_64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-x86_64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-x86_64.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-x86_64.cer
+install -m 644 %{SOURCE401} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-x86_64.cer
+install -m 644 %{SOURCE402} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-x86_64.cer
+install -m 644 %{SOURCE403} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-x86_64.cer
+install -m 644 %{SOURCE404} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-x86_64.cer
 # Install ppc64le certs
 install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-ppc64le.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-ppc64le.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-ppc64le.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-ppc64le.cer
+install -m 644 %{SOURCE401} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-ppc64le.cer
+install -m 644 %{SOURCE402} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-ppc64le.cer
+install -m 644 %{SOURCE404} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-ppc64le.cer
 # Install s390x certs
 install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-s390x.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-s390x.cer
-install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-s390x.cer
+install -m 644 %{SOURCE401} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-s390x.cer
+install -m 644 %{SOURCE404} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-uki-virt-s390x.cer
 # Link x86_64 certs
 ln -sr %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-x86_64.cer %{buildroot}%{_sysconfdir}/pki/sb-certs/secureboot-ca-x86_64.cer
@@ -274,7 +292,6 @@ install -p -m 0644 %{SOURCE503} %{buildroot}%{_sysconfdir}/yum.repos.d/
 install -p -m 0644 %{SOURCE504} %{buildroot}%{_sysconfdir}/yum.repos.d/
 install -p -m 0644 %{SOURCE505} %{buildroot}%{_sysconfdir}/yum.repos.d/
 install -p -m 0644 %{SOURCE506} %{buildroot}%{_sysconfdir}/yum.repos.d/
-install -p -m 0644 %{SOURCE507} %{buildroot}%{_sysconfdir}/yum.repos.d/
 # RT and NFV are only for x86_64
 %ifarch x86_64
 install -p -m 0644 %{SOURCE510} %{buildroot}%{_sysconfdir}/yum.repos.d/
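Review bot: Nothing visible in the hunk at -216,29 checks that the files now installed as the Secure Boot CA (`%{SOURCE400}`) and the signing certificate (`%{SOURCE401}` to `%{SOURCE404}`) are the intended ones, and the `.cer` files arrive in this commit as binary blobs that cannot be reviewed from the diff. Recording the expected fingerprint beside each Source tag, e.g. `# SHA-256: <fingerprint placeholder>`, would give reviewers and rebuilders something to compare against. A `%check` step could then confirm the fingerprints and that the signing certificate is issued by the CA; that step would need a certificate tool among the build requirements, which the visible lines do not show. The %install section extends beyond this hunk.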
@@ -304,8 +321,7 @@ install -p -m 0644 %{SOURCE600} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/
 # These variables should be set in the build environment to change rpm names
 mkdir -p %{buildroot}%{_sysconfdir}/rpm
 %ifarch x86_64_v2
-echo '%%_target_platform x86_64-%%{_vendor}-%%{_target_os}%%{?_gnu}' >> %{buildroot}%{_sysconfdir}/rpm/macros.x86_64_v2
-echo '%%x86_64_v2 1' >> %{buildroot}%{_sysconfdir}/rpm/macros.x86_64_v2
+install -p -m 0644 %{SOURCE700} %{buildroot}%{_sysconfdir}/rpm/
 %endif
@@ -319,6 +335,7 @@ echo '%%x86_64_v2 1' >> %{buildroot}%{_sysconfdir}/rpm/macros.x86_64_v2
 %config(noreplace) %{_sysconfdir}/issue
 %config(noreplace) %{_sysconfdir}/issue.net
 %dir %{_sysconfdir}/issue.d
+%{_sysconfdir}/dnf/protected.d/almalinux-release.conf
 %dir %{_sysconfdir}/yum.repos.d
 %ghost %{_sysconfdir}/yum.repos.d/redhat.repo
 %{_rpmmacrodir}/macros.dist
@@ -358,5 +375,14 @@ echo '%%x86_64_v2 1' >> %{buildroot}%{_sysconfdir}/rpm/macros.x86_64_v2
 %{_sysconfdir}/pki/rpm-gpg
 %changelog
+* Tue Sep 09 2025 Eduard Abdullin - 10.0-32
+- Redefine __cflags_arch_x86_64_level and __cflags_arch_x86_64 macroses for x86_64_v2
+
+* Thu May 29 2025 Neal Gompa - 10.0-31
+- Enable CRB repository by default
+
+* Mon May 19 2025 Eduard Abdullin - 10.0-30
+- 10.0 stable release
+
 * Mon Nov 25 2024 Eduard Abdullin - 10.0-14.4
 - Initial release
diff --git a/alsecureboot001.cer b/alsecureboot001.cer
deleted file mode 100644
index 6a4e99b..0000000
Binary files a/alsecureboot001.cer and /dev/null differ
diff --git a/alsecureboot1.cer b/alsecureboot1.cer
new file mode 100644
index 0000000..e6bb9db
Binary files /dev/null and b/alsecureboot1.cer differ
diff --git a/alsecurebootca1.cer b/alsecurebootca1.cer
new file mode 100644
index 0000000..d086cd5
Binary files /dev/null and b/alsecurebootca1.cer differ
diff --git a/macros.x86_64_v2 b/macros.x86_64_v2
new file mode 100644
index 0000000..76e1942
--- /dev/null
+++ b/macros.x86_64_v2
@@ -0,0 +1,4 @@
+%_target_platform x86_64-%{_vendor}-%{_target_os}%{?_gnu}
+%x86_64_v2 1
+%__cflags_arch_x86_64_level %[0%{?x86_64_v2} ? "-v2" : ""]%[ (!0%{?x86_64_v2} && 0%{?rhel} == 9) ? "-v2" : ""]%[ (!0%{?x86_64_v2} && 0%{?rhel} > 9) ? "-v3" : ""]
+%__cflags_arch_x86_64 -march=x86-64%{?__cflags_arch_x86_64_level:%{__cflags_arch_x86_64_level}}
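Review bot: In `%__cflags_arch_x86_64_level` the second and third `%[...]` terms can never contribute, because this same file sets `%x86_64_v2 1` on the line above and both terms are guarded by `!0%{?x86_64_v2}`. Unless something loaded later undefines the macro, the expression always expands to `-v2`. Either reduce it to `%__cflags_arch_x86_64_level -v2` or add a comment explaining why the full expression is kept, e.g. `# kept identical to the stock definition so it still resolves if x86_64_v2 is undefined`; that reason is a guess. The file also has no header comment saying it is installed only on `x86_64_v2` builds and overrides the distribution's default -march level.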