kernel-rt-5.14.0-5.rt21.5.el9

* Fri Oct 01 2021 Juri Lelli <juri.lelli@redhat.com> [5.14.0-5.rt21.5.el9] - redhat/configs: enable CONFIG_SQUASHFS_ZSTD which is already enabled in Fedora 34 (Tao Liu) [1998953] - fs: dlm: fix return -EINTR on recovery stopped (Alexander Aring) [2004213] - redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 (Jan Stancek) [2002499] - redhat: define _rhel variable because pesign macro now needs it (Jan Stancek) [2002499] - redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Jan Stancek) [1994849] - redhat: correct file name of redhatsecurebootca1 (Jan Stancek) [2002499] - redhat: align file names with names of signing keys for ppc and s390 (Jan Stancek) [2002499] - redhat: restore sublevel in changelog (Jan Stancek) - fs: dlm: avoid comms shutdown delay in release_lockspace (Alexander Aring) [1994749] - redhat/configs: Enable CONFIG_BLK_CGROUP_IOLATENCY & CONFIG_BLK_CGROUP_FC_APPID (Waiman Long) [1996675] - redhat/configs: remove conflicting SYSTEM_BLACKLIST_KEYRING (Bruno Meneguele) [2002350] - Enable "inter server to server" NFSv4.2 COPY (Steve Dickson) [1487367] Resolves: rhbz#2002474
2021-10-01 09:51:41 -04:00 · 2021-10-01 09:51:41 -04:00 · 33bdc66ad0
commit 33bdc66ad0
parent 1ed930c2ea
8 changed files with 60 additions and 54 deletions
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@ -12,7 +12,7 @@ RHEL_MINOR = 0
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 4
+RHEL_RELEASE = 5

 #
 # Early y+1 numbering
@ -44,4 +44,4 @@ ifneq ("$(ZSTREAM)", "yes")
  endif
 endif

-RTBUILD:=.4
+RTBUILD:=.5
--- a/kernel-rt-x86_64-debug-rhel.config
+++ b/kernel-rt-x86_64-debug-rhel.config
@ -391,9 +391,9 @@ CONFIG_BIG_KEYS=y
 CONFIG_BINFMT_ELF=y
 CONFIG_BINFMT_MISC=m
 CONFIG_BINFMT_SCRIPT=y
-# CONFIG_BLK_CGROUP_FC_APPID is not set
+CONFIG_BLK_CGROUP_FC_APPID=y
 # CONFIG_BLK_CGROUP_IOCOST is not set
-# CONFIG_BLK_CGROUP_IOLATENCY is not set
+CONFIG_BLK_CGROUP_IOLATENCY=y
 # CONFIG_BLK_CGROUP_IOPRIO is not set
 CONFIG_BLK_CGROUP=y
 # CONFIG_BLK_CMDLINE_PARSER is not set
@ -3920,7 +3920,7 @@ CONFIG_NFSD_PNFS=y
 CONFIG_NFSD_SCSILAYOUT=y
 CONFIG_NFSD_V3_ACL=y
 CONFIG_NFSD_V3=y
-# CONFIG_NFSD_V4_2_INTER_SSC is not set
+CONFIG_NFSD_V4_2_INTER_SSC=y
 CONFIG_NFSD_V4_SECURITY_LABEL=y
 CONFIG_NFSD_V4=y
 CONFIG_NFS_FSCACHE=y
@ -6008,7 +6008,7 @@ CONFIG_SQUASHFS=m
 CONFIG_SQUASHFS_XATTR=y
 CONFIG_SQUASHFS_XZ=y
 CONFIG_SQUASHFS_ZLIB=y
-# CONFIG_SQUASHFS_ZSTD is not set
+CONFIG_SQUASHFS_ZSTD=y
 # CONFIG_SRAM is not set
 # CONFIG_SRF04 is not set
 # CONFIG_SRF08 is not set
@ -6081,7 +6081,7 @@ CONFIG_SYSCTL=y
 CONFIG_SYSFS_SYSCALL=y
 # CONFIG_SYSTEM76_ACPI is not set
 CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
 # CONFIG_SYSTEMPORT is not set
 # CONFIG_SYSTEM_REVOCATION_KEYS is not set
--- a/kernel-rt-x86_64-rhel.config
+++ b/kernel-rt-x86_64-rhel.config
@ -391,9 +391,9 @@ CONFIG_BIG_KEYS=y
 CONFIG_BINFMT_ELF=y
 CONFIG_BINFMT_MISC=m
 CONFIG_BINFMT_SCRIPT=y
-# CONFIG_BLK_CGROUP_FC_APPID is not set
+CONFIG_BLK_CGROUP_FC_APPID=y
 # CONFIG_BLK_CGROUP_IOCOST is not set
-# CONFIG_BLK_CGROUP_IOLATENCY is not set
+CONFIG_BLK_CGROUP_IOLATENCY=y
 # CONFIG_BLK_CGROUP_IOPRIO is not set
 CONFIG_BLK_CGROUP=y
 # CONFIG_BLK_CMDLINE_PARSER is not set
@ -3901,7 +3901,7 @@ CONFIG_NFSD_PNFS=y
 CONFIG_NFSD_SCSILAYOUT=y
 CONFIG_NFSD_V3_ACL=y
 CONFIG_NFSD_V3=y
-# CONFIG_NFSD_V4_2_INTER_SSC is not set
+CONFIG_NFSD_V4_2_INTER_SSC=y
 CONFIG_NFSD_V4_SECURITY_LABEL=y
 CONFIG_NFSD_V4=y
 CONFIG_NFS_FSCACHE=y
@ -5986,7 +5986,7 @@ CONFIG_SQUASHFS=m
 CONFIG_SQUASHFS_XATTR=y
 CONFIG_SQUASHFS_XZ=y
 CONFIG_SQUASHFS_ZLIB=y
-# CONFIG_SQUASHFS_ZSTD is not set
+CONFIG_SQUASHFS_ZSTD=y
 # CONFIG_SRAM is not set
 # CONFIG_SRF04 is not set
 # CONFIG_SRF08 is not set
@ -6059,7 +6059,7 @@ CONFIG_SYSCTL=y
 CONFIG_SYSFS_SYSCALL=y
 # CONFIG_SYSTEM76_ACPI is not set
 CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
 # CONFIG_SYSTEMPORT is not set
 # CONFIG_SYSTEM_REVOCATION_KEYS is not set
--- a/kernel.spec
+++ b/kernel.spec
@ -80,7 +80,7 @@ Summary: The Linux kernel
 #  the --with-release option overrides this setting.)
 %define debugbuildsenabled 1

-%global distro_build 4
+%global distro_build 5

 %if 0%{?fedora}
 %define secure_boot_arch x86_64
@ -124,14 +124,13 @@ Summary: The Linux kernel
 %define kversion 5.14

 %define rpmversion 5.14.0
-%define patchversion 5.14
-%define pkgrelease 4.rt21.4.el9
+%define pkgrelease 5.rt21.5.el9

 # This is needed to do merge window version magic
 %define patchlevel 14

 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 4.rt21.4%{?buildid}%{?dist}
+%define specrelease 5.rt21.5%{?buildid}%{?dist}

 %define pkg_release %{specrelease}

@ -700,7 +699,7 @@ BuildRequires: lld
 # exact git commit you can run
 #
 # xzcat -qq ${TARBALL} | git get-tar-commit-id
-Source0: linux-5.14.0-4.rt21.4.el9.tar.xz
+Source0: linux-5.14.0-5.rt21.5.el9.tar.xz

 Source1: Makefile.rhelver

@ -719,43 +718,37 @@ Source9: x509.genkey.fedora
 %if %{?released_kernel}

 Source10: redhatsecurebootca5.cer
-Source11: redhatsecurebootca1.cer
-Source12: redhatsecureboot501.cer
-Source13: redhatsecureboot301.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
+Source11: redhatsecurebootca3.cer
+Source12: redhatsecurebootca6.cer
+Source13: redhatsecureboot501.cer
+Source14: redhatsecureboot302.cer
+Source15: redhatsecureboot601.cer

-%define secureboot_ca_1 %{SOURCE10}
-%define secureboot_ca_0 %{SOURCE11}
 %ifarch x86_64 aarch64
-%define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 redhatsecureboot501
+%define secureboot_ca_0 %{SOURCE10}
 %define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot301
+%define pesign_name_0 redhatsecureboot501
 %endif
 %ifarch s390x
+%define secureboot_ca_0 %{SOURCE11}
 %define secureboot_key_0 %{SOURCE14}
 %define pesign_name_0 redhatsecureboot302
 %endif
 %ifarch ppc64le
+%define secureboot_ca_0 %{SOURCE12}
 %define secureboot_key_0 %{SOURCE15}
-%define pesign_name_0 redhatsecureboot303
+%define pesign_name_0 redhatsecureboot601
 %endif

 # released_kernel
 %else

 Source10: redhatsecurebootca4.cer
-Source11: redhatsecurebootca2.cer
-Source12: redhatsecureboot401.cer
-Source13: redhatsecureboot003.cer
+Source11: redhatsecureboot401.cer

-%define secureboot_ca_1 %{SOURCE10}
-%define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 redhatsecureboot401
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot003
+%define secureboot_ca_0 %{SOURCE10}
+%define secureboot_key_0 %{SOURCE11}
+%define pesign_name_0 redhatsecureboot401

 # released_kernel
 %endif
@ -865,7 +858,7 @@ Source4002: gating.yaml

 %if !%{nopatches}

-Patch1: patch-%{patchversion}-redhat.patch
+Patch1: patch-%{rpmversion}-redhat.patch
 %endif

 # empty final patch to facilitate testing of kernel patches
@ -1428,15 +1421,15 @@ ApplyOptionalPatch()
  fi
 }

-%setup -q -n kernel-5.14.0-4.rt21.4.el9 -c
-mv linux-5.14.0-4.rt21.4.el9 linux-%{KVERREL}
+%setup -q -n kernel-5.14.0-5.rt21.5.el9 -c
+mv linux-5.14.0-5.rt21.5.el9 linux-%{KVERREL}

 cd linux-%{KVERREL}
 cp -a %{SOURCE1} .

 %if !%{nopatches}

-ApplyOptionalPatch patch-%{patchversion}-redhat.patch
+ApplyOptionalPatch patch-%{rpmversion}-redhat.patch
 %endif

 ApplyOptionalPatch linux-kernel-test.patch
@ -1709,10 +1702,15 @@ BuildKernel() {
    fi

    %ifarch x86_64 aarch64
-    %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
-    %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
-    rm vmlinuz.tmp
+    if [ -x /usr/bin/rpm-sign ]; then
+        %define _rhel 9
+        %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+        %undefine _rhel
+    else
+        %pesign -s -i $SignImage -o vmlinuz.signed
+    fi
    %endif
+
    %ifarch s390x ppc64le
    if [ -x /usr/bin/rpm-sign ]; then
 	rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
@ -2194,13 +2192,7 @@ BuildKernel() {

    # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
    mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
-    %ifarch x86_64 aarch64
-       install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
-       install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
-       ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-    %else
-       install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-    %endif
+    install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
    %ifarch s390x ppc64le
    if [ $DoModules -eq 1 ]; then
 	if [ -x /usr/bin/rpm-sign ]; then
@ -3086,6 +3078,20 @@ fi
 #
 #
 %changelog
+* Fri Oct 01 2021 Juri Lelli <juri.lelli@redhat.com> [5.14.0-5.rt21.5.el9]
+- redhat/configs: enable CONFIG_SQUASHFS_ZSTD which is already enabled in Fedora 34 (Tao Liu) [1998953]
+- fs: dlm: fix return -EINTR on recovery stopped (Alexander Aring) [2004213]
+- redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 (Jan Stancek) [2002499]
+- redhat: define _rhel variable because pesign macro now needs it (Jan Stancek) [2002499]
+- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Jan Stancek) [1994849]
+- redhat: correct file name of redhatsecurebootca1 (Jan Stancek) [2002499]
+- redhat: align file names with names of signing keys for ppc and s390 (Jan Stancek) [2002499]
+- redhat: restore sublevel in changelog (Jan Stancek)
+- fs: dlm: avoid comms shutdown delay in release_lockspace (Alexander Aring) [1994749]
+- redhat/configs: Enable CONFIG_BLK_CGROUP_IOLATENCY & CONFIG_BLK_CGROUP_FC_APPID (Waiman Long) [1996675]
+- redhat/configs: remove conflicting SYSTEM_BLACKLIST_KEYRING (Bruno Meneguele) [2002350]
+- Enable "inter server to server" NFSv4.2 COPY (Steve Dickson) [1487367]
+
 * Thu Sep 23 2021 Juri Lelli <juri.lelli@redhat.com> [5.14-4.rt21.4.el9]
 - Drivers: hv: vmbus: Fix kernel crash upon unbinding a device from uio_hv_generic driver (Vitaly Kuznetsov) [1999535]
 - ipc: replace costly bailout check in sysvipc_find_ipc() (Rafael Aquini) [1987130 2003270] {CVE-2021-3669}
--- a/patch-5.14.0-redhat.patch
+++ b/patch-5.14.0-redhat.patch
--- a/redhatsecureboot003.cer
+++ b/redhatsecureboot003.cer
--- a/redhatsecurebootca2.cer
+++ b/redhatsecurebootca2.cer
--- a/6
+++ b/6
@ -1,4 +1,4 @@
 SHA512 (kernel-abi-whitelists-5.13.0-1.tar.bz2) = ceba454e1f590c1e4ef4115a75463ae3ac2c2aa7ec85fa14a2669d666c421483a38225ee19d7d72b4ac7032375741408b23543e43588538c80161ec0cf57051c
-SHA512 (linux-5.14.0-4.rt21.4.el9.tar.xz) = 3e2ffe365b57e4d1a03b43e4c0f77a429e83f8765c38b287a67ed2f3ce89eabbde6bbd219b003d962e963fd4412e2cbf48d426a260093d63fd4ca0a2207f1186
-SHA512 (kernel-abi-stablelists-5.14.0-4.tar.bz2) = 64c64d82a249464f32f3b03b882130f3efef7e26df87d31f77ebb08f61d336e3badc1d4f08f552280558772496f41ba3126c6263397cdaad3aaed14d78b8fd36
-SHA512 (kernel-kabi-dw-5.14.0-4.tar.bz2) = c901529aff636abbc2aa5f289ec098a2a29c8507aa81ee649d1104592b8abad9f495db0e947dc36a84e043708a47373de35156b40b252281ef747f06e19ed914
+SHA512 (linux-5.14.0-5.rt21.5.el9.tar.xz) = 516cae5d212bbba4765039c348624a9c96b8eeb6df19bdf8e731abb6d555fb00a2547826d86e6657a437f272ec7c33efeed2f6aac0a397ef999ed7ac7cf159af
+SHA512 (kernel-abi-stablelists-5.14.0-5.tar.bz2) = 46f7c6a027844f126f610a14b47a806ee7223a6a0a12b93fc16aeee95954cb3832cd9cf139aae6e107ab9fba41973fff5c204d9e728117dbca85081f14712813
+SHA512 (kernel-kabi-dw-5.14.0-5.tar.bz2) = c901529aff636abbc2aa5f289ec098a2a29c8507aa81ee649d1104592b8abad9f495db0e947dc36a84e043708a47373de35156b40b252281ef747f06e19ed914