From 273ff5a1639b7aa4281b9d12df0844833e4b174e Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Thu, 16 Sep 2021 09:39:51 +0000
Subject: [PATCH] AlmaLinux changes
---
 SOURCES/almalinux.pem | 46 +++++++++++++++++
 SOURCES/clsecureboot001.cer | Bin 0 -> 1561 bytes
 SOURCES/debrand-rh-i686-cpu.patch | 11 ++++
 SOURCES/debrand-rh_taint.patch | 81 ++++++++++++++++++++++++++++++
 SOURCES/debrand-single-cpu.patch | 11 ++++
 SOURCES/redhatsecureboot301.cer | Bin 899 -> 0 bytes
 SOURCES/redhatsecureboot501.cer | Bin 964 -> 0 bytes
 SOURCES/redhatsecurebootca3.cer | Bin 977 -> 0 bytes
 SOURCES/redhatsecurebootca5.cer | Bin 920 -> 0 bytes
 SOURCES/secureboot_ppc.cer | Bin 899 -> 0 bytes
 SOURCES/secureboot_s390.cer | Bin 899 -> 0 bytes
 SOURCES/x509.genkey | 6 +--
 SPECS/kernel.spec | 81 +++++++++++++-----------------
 13 files changed, 187 insertions(+), 49 deletions(-)
 create mode 100644 SOURCES/almalinux.pem
 create mode 100644 SOURCES/clsecureboot001.cer
 create mode 100644 SOURCES/debrand-rh-i686-cpu.patch
 create mode 100644 SOURCES/debrand-rh_taint.patch
 create mode 100644 SOURCES/debrand-single-cpu.patch
 delete mode 100644 SOURCES/redhatsecureboot301.cer
 delete mode 100644 SOURCES/redhatsecureboot501.cer
 delete mode 100644 SOURCES/redhatsecurebootca3.cer
 delete mode 100644 SOURCES/redhatsecurebootca5.cer
 delete mode 100644 SOURCES/secureboot_ppc.cer
 delete mode 100644 SOURCES/secureboot_s390.cer
diff --git a/SOURCES/almalinux.pem b/SOURCES/almalinux.pem
new file mode 100644
index 0000000..67e705d
--- /dev/null
+++ b/SOURCES/almalinux.pem
@@ -0,0 +1,46 @@ +-----BEGIN CERTIFICATE----- +MIID3zCCAsegAwIBAgIQY4iebPtuT3OKR2M/jWZWEzANBgkqhkiG9w0BAQsFADBg +MSUwIwYJKoZIhvcNAQkBFhZzZWN1cml0eUBhbG1hbGludXgub3JnMRIwEAYDVQQK +EwlBbG1hTGludXgxIzAhBgNVBAMTGkFsbWFMaW51eCBTZWN1cmUgQm9vdCBDQSAx +MB4XDTIxMDExNDIxMDcxOVoXDTM2MDExMTIxMDcxOVowaTElMCMGCSqGSIb3DQEJ +ARYWc2VjdXJpdHlAYWxtYWxpbnV4Lm9yZzESMBAGA1UEChMJQWxtYUxpbnV4MSww +KgYDVQQDEyNBbG1hTGludXggRHJpdmVyIHVwZGF0ZSBzaWduaW5nIGtleTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK7kGZShKo5uegg6T4U/wR9UeyCa +qTtx+OvzUMKT8l5+R5WfBgQU8sDrIqX3Vv3tD6UeOUyFIQ40iGESdDhWnAFynJX4 +v0k81KxJ+rVFAt5EJBeGw7U2qdpn8hzJG2dVANZ1gXJWGhC95Muif5q8fL7BJdU4 +RufixfKWq6WHAalwHaiTCbA+/Ft6TLyZcA62glKkmBn7uWn83tlMfVqC4EN2NfQb +//C2MFCbm43BoKmgrMV0J3Pu8un3QZ4ukDDhJJ9eHfSqscq9SHPjqd0RM6TRcFXW +BzmTpG7MOJRvk4ypQSHxxc4jK5MVOqzel+2UPB2ihkvvnK9hdsvvI/bal/sCAwEA +AaOBizCBiDAfBgNVHSMEGDAWgBSY0u339QWy5Y/vkiTSvJ6Ffy5GkzAVBglghkgB +hvhCAQEBAf8EBQMDAPABMB8GA1UdJQQYMBYGCCsGAQUFBwMDBgorBgEEAZIIEAEC +MA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUe4Y+AkDtIIq2uBuKbyhgwPTox9Yw +DQYJKoZIhvcNAQELBQADggEBAHoPojMTRdFO050Ihrmr8jkdOweiOSBtlAZkLGd2 +lTybNp2Xi1lQ8SqsqU/NFs/KUPVFykmjmLeqNWC9QoKdrVGzoD9MOHprRxe6gC8k +sHzBCFqdx3B+qbeSxBUN2QLIydzM6C23qf1TjBCeEDtRrvcvupFTlOBxiOJrIwbp +dJD1JfjbgxfvLzg7PaJPi5Ev6B3gY4ybCnKQmor029Z3R4zw3miPpZVA04xt3Z9e +m45Jjv86u10wjLmGRgfMmYT43jiMbOwlG1N8OikvgIHwlZtWxUpL1t/mEYtMMkTv +R//lA5z5dqXiDCPdTwHhSjEfBFWGLl7ciYt6rYkpdlqnYdk= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID2DCCAsCgAwIBAgIQHDEXJMuZQ/m5MXRiSmLMljANBgkqhkiG9w0BAQsFADBg +MSUwIwYJKoZIhvcNAQkBFhZzZWN1cml0eUBhbG1hbGludXgub3JnMRIwEAYDVQQK +EwlBbG1hTGludXgxIzAhBgNVBAMTGkFsbWFMaW51eCBTZWN1cmUgQm9vdCBDQSAx +MB4XDTIxMDExNDIxMDgwMFoXDTM2MDExMTIxMDgwMFowYjElMCMGCSqGSIb3DQEJ +ARYWc2VjdXJpdHlAYWxtYWxpbnV4Lm9yZzESMBAGA1UEChMJQWxtYUxpbnV4MSUw +IwYDVQQDExxBbG1hTGludXgga3BhdGNoIHNpZ25pbmcga2V5MIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxncKQ7a49o5IUwqPB1axIzopNdGoSoERVuUd +hdHAZLB2MGIuU2fGCuZ4iD2Pwk+t2KsgR1y58pmHyRBCLi2tYfEdDB8LUzUY3P+8 
+Wxm2+zz8TPJUIcvPE4rHEb0vV4nTzwjpG4BTBwLkYRj+AxGbzWEy5Eetxzq5Ji+V +TMuTzRKshHEGNs3tFRPbSssc50NH+OuVKpzJAIqBmz7Gca9RqhK9ARK1p3aDEoR+ +pYw4zRjIczc3s57WeuQxRMvFK5j48U0hpEUh+eQn1m40Bus3e7i4YTskwgKN5Vq3 +lGlEdBoK4utuoHPj3JYh97hOii/kulOa9j5xeNe5z/6QByMxpwIDAQABo4GLMIGI +MB8GA1UdIwQYMBaAFJjS7ff1BbLlj++SJNK8noV/LkaTMBUGCWCGSAGG+EIBAQEB +/wQFAwMA8AEwHwYDVR0lBBgwFgYIKwYBBQUHAwMGCisGAQQBkggQAQIwDgYDVR0P +AQH/BAQDAgSwMB0GA1UdDgQWBBRpptnu0/Yg1cLhOh0hHEZRClrZ9TANBgkqhkiG +9w0BAQsFAAOCAQEAMDiuS0CD31MtO1Sn4HRYvai2LFdKpUKAEXVy9hsN+AfbcMcl +2sF/w49o43cMNIFoWKhMWZMOjCj/DGQY7ehNH3DRaTl7DNCu6y7mBNJPU+iPcE4r +92SBWIxUNi7YVbsc1evKBOnrtq6xd5BUJQx1cVGmSBI9dnd4tDBB2+KjpmdhzZK5 +V1KQz1ilz5g2FNyEj6L7hnpkGUeMYnuM49YL7JP8QNtaKUBBA3BR4S7de+Tu070h +pEhvE539I6B+wmgV/bio20TUpQ5W2eH+5YUHVIZa5pZ30tVkm21iNB7eccbM4NYc +IRmwIsesuROtaM1e0lHoxKdW0N2xOSkhSY6oyQ== +-----END CERTIFICATE----- diff --git a/SOURCES/clsecureboot001.cer b/SOURCES/clsecureboot001.cer new file mode 100644 index 0000000000000000000000000000000000000000..ca9ce5d92a13320a2995ed90f173ea719a132d8f GIT binary patch literal 1561 zcmZ`(Yfuwc6wXbS1jzzo5X>OBh=_zHxtj+9!bnI+p+=zweAJF{O%_-i65K3=V6`P` zg!+Oiw$+NM3{cvRbwp7M9c2G4W9CPDY!P9nY%kz?r;WtSRH=h8 zU|e*l3WsV{DvoP4TGbnDs9{5GAcS5Z!6h(4C{7Uq1bAm>@_|6YFE-;+7(G78M}rNd zop2L0iATV2PECX)*l5Dk>U3O<$HA#wY63bL*TU2^EXQ6+VmX8d(^It7PU5jJhO385 zA`5A%ieN~rfG#CiV@9QqDqzb&l8`jD9Hy((P@^7aCo5+n4C4+6Mny(D>xqpR~zVhEx6umhZ5RVFal3r5M(h>Ej0sf_MTi2%d}hSB1Z;Kcx_Vo?>QeGcGz_P@TPE#k$jU}t{ z=C4WMHPazOp*1PT3fm+ruI6lS_~q`^8L{y-bu+Gf%@__g=3FU^|HN|Z8E=KQmHrw0 zI*CrQY%Us>cb>W=8$P+bYgw+q?~#eYnR*Y9;aJhXnxTwk!v=F7YKwQfz8bV zV01@f!?{5q0>0>7n9VhhK+@rCzjllgEbu48Bs8(uEH~tubc=NhbLDzdL9qcd0ymIeCpOTfNz>=FRp+_ZMjPwTEfKR;4GdG@D`O}rr^ zO(!d6#<-~YhKw(p3S9X|dM{X}bRc;161eWzPCUA!^tNx{O73;zPg)%xE6 literal 0 HcmV?d00001 diff --git a/SOURCES/debrand-rh-i686-cpu.patch b/SOURCES/debrand-rh-i686-cpu.patch new file mode 100644 index 0000000..8e2e5b8 --- /dev/null +++ b/SOURCES/debrand-rh-i686-cpu.patch 
@@ -0,0 +1,11 @@
+--- a/arch/x86/boot/main.c 2019-03-13 04:04:53.000000000 -0700
++++ b/arch/x86/boot/main.c 2019-05-25 14:31:21.043272496 -0700
+@@ -147,7 +147,7 @@ void main(void)
+
+ /* Make sure we have all the proper CPU support */
+ if (validate_cpu()) {
+- puts("This processor is not supported in this version of RHEL.\n");
++ puts("This processor is not supported in this version of AlmaLinux.\n");
+ die();
+ }
+
diff --git a/SOURCES/debrand-rh_taint.patch b/SOURCES/debrand-rh_taint.patch
new file mode 100644
index 0000000..d39bf1a
--- /dev/null
+++ b/SOURCES/debrand-rh_taint.patch
@@ -0,0 +1,81 @@
+--- a/kernel/rh_taint.c 2020-10-16 10:41:51.000000000 -0500
++++ b/kernel/rh_taint.c 2020-11-19 10:50:24.853039167 -0600
+@@ -2,12 +2,12 @@
+ #include
+
+ /*
+- * The following functions are used by Red Hat to indicate to users that
+- * hardware and drivers are unsupported, or have limited support in RHEL major
++ * The following functions are used by AlmaLinux to indicate to users that
++ * hardware and drivers are unsupported, or have limited support in AlmaLinux major
+ * and minor releases. These functions output loud warning messages to the end
+ * user and should be USED WITH CAUTION.
+ *
+- * Any use of these functions _MUST_ be documented in the RHEL Release Notes,
++ * Any use of these functions _MUST_ be documented in the AlmaLinux Release Notes,
+ * and have approval of management.
+ */
+
+@@ -16,15 +16,15 @@
+ * @msg: Hardware name, class, or type
+ *
+ * Called to mark a device, class of devices, or types of devices as not having
+- * support in any RHEL minor release. This does not TAINT the kernel. Red Hat
+- * will not fix bugs against this hardware in this minor release. Red Hat may
++ * support in any AlmaLinux minor release. This does not TAINT the kernel. AlmaLinux
++ * will not fix bugs against this hardware in this minor release. AlmaLinux may
+ * declare support in a future major or minor update release. This cannot be
+ * used to mark drivers unsupported.
+ */
+ void mark_hardware_unsupported(const char *msg)
+ {
+ /* Print one single message */
+- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://catalog.redhat.com for certified hardware.\n", msg);
++ pr_crit("Warning: %s - this hardware has not undergone testing by AlmaLinux and might not be certified.\n", msg);
+ }
+ EXPORT_SYMBOL(mark_hardware_unsupported);
+
+@@ -35,12 +35,12 @@ EXPORT_SYMBOL(mark_hardware_unsupported)
+ * Called to minimize the support status of a previously supported device in
+ * a minor release. This does not TAINT the kernel. Marking hardware
+ * deprecated is usually done in conjunction with the hardware vendor. Future
+- * RHEL major releases may not include this driver. Driver updates and fixes
++ * AlmaLinux major releases may not include this driver. Driver updates and fixes
+ * for this device will be limited to critical issues in future minor releases.
+ */
+ void mark_hardware_deprecated(const char *msg)
+ {
+- pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact Red Hat Support or your device's hardware vendor for additional information.\n", msg);
++ pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this AlmaLinux release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact AlmaLinux Support or your device's hardware vendor for additional information.\n", msg);
+ }
+ EXPORT_SYMBOL(mark_hardware_deprecated);
+
+@@ -50,9 +50,9 @@ EXPORT_SYMBOL(mark_hardware_deprecated);
+ *
+ * Called to minimize the support status of a new driver. This does TAINT the
+ * kernel. Calling this function indicates that the driver or subsystem has
+- * had limited testing and is not marked for full support within this RHEL
+- * minor release. The next RHEL minor release may contain full support for
+- * this driver. Red Hat does not guarantee that bugs reported against this
++ * had limited testing and is not marked for full support within this AlmaLinux
++ * minor release. The next AlmaLinux minor release may contain full support for
++ * this driver. AlmaLinux does not guarantee that bugs reported against this
+ * driver or subsystem will be resolved.
+ */
+ void mark_tech_preview(const char *msg, struct module *mod)
+@@ -81,13 +81,13 @@ EXPORT_SYMBOL(mark_tech_preview);
+ * mark_driver_unsupported - drivers that we know we don't want to support
+ * @name: the name of the driver
+ *
+- * In some cases Red Hat has chosen to build a driver for internal QE
++ * In some cases AlmaLinux has chosen to build a driver for internal QE
+ * use. Use this function to mark those drivers as unsupported for
+ * customers.
+ */
+ void mark_driver_unsupported(const char *name)
+ {
+- pr_crit("Warning: %s - This driver has not undergone sufficient testing by Red Hat for this release and therefore cannot be used in production systems.\n",
++ pr_crit("Warning: %s - This driver has not undergone sufficient testing by AlmaLinux for this release and therefore cannot be used in production systems.\n",
+ name ? name : "kernel");
+ }
+ EXPORT_SYMBOL(mark_driver_unsupported);
diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch
new file mode 100644
index 0000000..32b00a5
--- /dev/null
+++ b/SOURCES/debrand-single-cpu.patch
@@ -0,0 +1,11 @@
+--- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700
++++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700
+@@ -900,7 +900,7 @@ static void rh_check_supported(void)
+ if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) &&
+ !guest && is_kdump_kernel()) {
+ pr_crit("Detected single cpu native boot.\n");
+- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems.");
++ pr_crit("Important: In AlmaLinux 8, single threaded, single CPU 64-bit physical systems are unsupported. Please see https://www.almalinux.org for more information");
+ }
+
+ /*
diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer deleted file mode 100644 index 20e660479db920c9af073ef60dfd52cfcd55ef35..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 899 zcmXqLVy-u6VoG1Y%*4pV#L4h}zvyHQr&ERoylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(3=Iv;4Gj!U4NRlNd5z71To3|r4T21H474EDDPy&+I5Ryj zGcTPKJDV7lkbT9-%D~*j$j@NV#K^_e#K_37NxkdnB-fbdAp)7dSWBPZtXrYb5w*C@ z@r&`BZ02)^7x}9-F_f-vdj9zHex2s374i`=>Kunka%XeJpYTcWnYOXcua#Nzv{P2r z{{KfRpNsxBUvPxw_cT2h+pJ?Ab^$YP&OhK@vBdbb{HgCD zgVUK-5>__PZZU-1nmGUR*MJSDB-cbvx6RHHnXKVwU9@H2#x6FkEt|?~dgtD8aoSb6 z`P$`cNzxNN-!l}2zMhj&w=>05mb+)gq|2XQRV^~E`;)lfwmuUxBLm~&Sc7N-9$?7J z3NtePXJIm6FyIF9_*qz(nb;c)WI-H07BLo)aL4})TlQq;>8I$gIMsYUAgZGz$Uq(> zt;`}}Al4w_Al4%0a?Yxeg@ctn?ZuBpb5eiAAV&Z&Spg$}kwNnVx9_f&sUPlII<6Po zwsYpDLfs|_*M8fGuUk4-m%YAz`?d3h%8P~vysm29RsQ!WK%@63*E zY;yV?ieH$Xp0GJ~>}cV)`v*$4n0`ogx_k24UDm?Lu%T{WiSI>r}MgeY{-MAm@j(GO|_ezzhSNC%m_dopoSNWyMX47EzS*y|} z3cr~?y=&H&a;tfp6!|uI6Eqs8Y&qmz)j<1 z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1gFf*_;ur#$aF^m%DHMTG?G_-(n4bpHr zK*K-{;sAMU4hYUn&&$k9S1<({MvOa}7?qIy&dAEZ+{DPwV9>?_b=fyaz_nMgbCq_4}%h&s@!! 
ze1+-H$r$aU3#Wbib#?#k&uh{GYUM6Zj@vtn;gxywxjzdyRhQhFw_E3gr&3h2=~R{1 zj&**wnV1`gIDK=C)Q=HpH6<5w#musUBRX5*FRT%+S?q^ zlC!X|$Tr`#TvsL{aXYvlkoIbiCkx z5_D~Q*@8!%rFvVIJk+SN&YvaV#ohSi!kzD4u!L^;lrQW*W7-1#!tQ%Ev()B&_RmzfDxh^SOyp9_ zQ{CMgMRQYpd7N(ray<%vF*_r`|Ig1qJ?keW%w>8X>p8K%ckRW_k5{=r91h)XDEdQO n!11>ylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(42%qc(8R>VG)kP;*xbO#zzoWzwslR6O2{5!WMyD(V&rEq zXkz4IYGPz$nC+~vi6EDouC4!V-;tv&JA zN}nf->iaHo2tM8rAb&8=Njdj{a^${=Z?aE)&k<1VH{Q3Wx7jKD-_5CYum4K4d~JV` z`ccOE*<7!m22LI4&u3g0F3h!NN?ysm?c*7~^lIfF3D-Xhnr_&uU!bJ$?ZS8WW+A0- zr9raw{Iep~On)hDAUrqc*pZy>@YoE^;z#ABPp))utMY{K9XOZuN+87Vv97^}gccFK z6&c%&T=rzVyKuJ1S>c?Rq?77kYS zv==`X%}MC|0a-81!fL?G$oL;QPJxLO7^jR3 zp{b9(0{X(lQ;+K%h_CKtxc%nd+9kH!CBia&JkgcqO9LvF9(I1~^2+p(_fBqs&+@+g zjZG)^b(y8?lr#NV`RkoR|I-BpaSiJiPBV7drX0Bbe!0fPB95K&)ygj1YM5%bK;(6L z=7Y@r2hM%A`uyr;o|A^(c{icYtu_B=WuE^MZ_<i|1QMhsQHT z4}wg*#%C!d<*ePQAKPyWoS|9R;jPUx*P-5Ksuo_~6c3tyKHzf+y+r*{_;vOAw> zmv4Wk&h*1hGe;ze)#t#BH;PsH)$e|FOmna8+@9jW!^ymRMf{q+C84h)mppfN*sxn6 NnfI|Q%N6m!6aeL$dME$@ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284954861282d1a0ce16c8c5cdc71c27659f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 920 zcmXqLVxD5q#8k6@nTe5!iIbtZm{+@~;bN2lFB_*;n@8JsUPeZ4RtAH3LoovpHs(+k zE*{>X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW6NxP$#b?ru1p1aqn$3D)YB{Qqo zjCvjz?|=HkE#3AN-xTZpws*U~)f@DZ{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({ zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOFD{5oE&78StJa^8n7$i2k94PWc<&xr*# z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx zk5XXYstAL9d+iK-w@u$FESybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw} Pd!}BnFF!b8N6JS4>O*3Z 
diff --git a/SOURCES/secureboot_ppc.cer b/SOURCES/secureboot_ppc.cer deleted file mode 100644 index 2c0087dbc5da376aef641bb23833401857c34940..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 899 zcmXqLVy-u6VoG1Y%*4pV#L4h}zvyHQr&GoTylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)Z4a^Ko3@l8IOe~_rd5tX$3=NE+T!SD(9Rn?}bv(*gtt-w< z&&$k92is{(oSjXKO31!qWMyD(V&rEqXkz4IYGPz$II>2G|M$FqPFt5GY@Z}j_wdcG z>qlNkR*SLi2#vh>#O(I_Wno7c`4SC2=y=Zd`<9;a@{@2)?V*sz8{HTFd-E&#gtt#; zUgHuWz1pJ-y#K9{o_n?Q@4oA|9nu>-nGU?#lm1zM!m(4+W^!G6o63L4^zhgAs4rhs zUmj^WrxfJ3J}dJeuq`Lta*xk?}tZlL3PPH;Bj2!otkN-e4dL;_$JEv50IdKm9LW&^Yn$5_R6=HKv!R z$vZ?D$b+PnStJa^8bln#TEtw=Sv9h7u(GGU__1hC>W>)Y2mmH4U<5ES#PkO5sC<9x z!JKt`$32eKDcv>kntnv_@NIu_U*Q=Xk1EvP<=w1`yP>!G=8u`mTv|szZevQCch1^& z!q2ncK3iyARETApaF1br*%L8#fw_eaRczCW1C=8SIyp9OHWxSD>F|+J;%msh6TGS4 z7i9eW_V~}UtyNmb|NVAU_`StO+3?O0&CipWay2jh-RRBjrY}Bi{e-UnA#J9g_4+s? zD*o^EabCXQ^?4Wm+_igF-`xN2a7LS$!jkBBmcGB8+wcBUs^a;5FNJd^r+L3*+)39L zjQ8{>JTSZxpz7w(F!4!Co|pZnnG+e$u$S(t-F5BW&3P{?riLzZE|e}c7rGqT{#S2( H=YvQ9de&%$ 
diff --git a/SOURCES/secureboot_s390.cer b/SOURCES/secureboot_s390.cer deleted file mode 100644 index 137d3858f1fc667fe1f26383e25824a936fa91e8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 899 zcmXqLVy-u6VoG1Y%*4pV#L4h}zvyHQr&C4-ylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(3=Iv;4Gj!Ujm)FOd5z71To3|r4T21H474EDDPy&+I5Ryj zGcO%%rx9^>HZdw8`-+j3fw_s1pTVGsk&CH`k&)rL)%R`Z9d8Pni%j#8nS5%xYuMhN z*~K4aw_VNiPW<+5c6{qxhcog<1%{!S%d1ve-?lt7@nEG`YSGWvdwIjVs*?E~j91q@gA4wBC`{mJtw`VzCYgeqDVESaG#pR6C zD+_e;md#nK!lbi9HpX;|mup7)t%bLrv;0ijE!1(@RqEN^EVt?5S>I0f?Fz_Dl1n{T z^z+T$sVnC#^t>}W@P-&!eqc;zzyQ@v#>BTu{RjVf;fCEVk{yJS7%(mk@0@j`<)rVUNbje_vBsq z%s?I_t;`}}Al4w_Al4%0a?Yxeg@ctn?ZuBpb5eiAAV&Z&Spg$}k-=C)`p4YsaxQY) znmLm5HopJ0{@@0W?)meWA3sQ0m@vJ5ZDDBpic4A?YeHZ0AKo)b@@#NiYNxhBPO?|Z zj+x2TUhfsY&YgU?ch9%qOBZdLDm?RTXuILP;&s!`a+Rviyx?}3X~8eCHC%Nrw`X(k zwLX2Exk22ZP<5y0<;^BD{~tYgZ|#J5`{ws**O-mn0nHp^XSjT>;?@T$(mP)t Ho!JKfe5PxE diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey index b1bbe38..4c34491 100644 --- a/SOURCES/x509.genkey +++ b/SOURCES/x509.genkey @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = Red Hat -CN = Red Hat Enterprise Linux kernel signing key -emailAddress = secalert@redhat.com +O = AlmaLinux +CN = AlmaLinux kernel signing key +emailAddress = security@almalinux.org [ myexts ] basicConstraints=critical,CA:FALSE diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index d4cf505..661aa1a 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -19,7 +19,7 @@ %global distro_build 305 # Sign the x86_64 kernel for secure boot authentication -%ifarch x86_64 aarch64 s390x ppc64le +%ifarch x86_64 aarch64 %global signkernel 1 %else %global signkernel 0 
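Review bot: Removing s390x and ppc64le from the `%ifarch` in the `signkernel` hunk sets `signkernel` to 0 on those architectures, so their kernels are presumably built without a secure boot signature, and nothing in the hunk records that this is intended. The comment above the condition also still names only x86_64. A comment such as `# Sign the x86_64 and aarch64 kernels for secure boot; s390x and ppc64le are built unsigned` would make the decision visible to anyone auditing boot-chain coverage. Later hunks in this patch still show `%ifarch ppc64le` and `%ifarch s390x ppc64le` branches that handle secure boot material, so it is worth confirming they are unreachable or still correct with `signkernel` at 0.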
@@ -222,14 +222,14 @@ %define with_bpftool 1 %endif -%ifnarch noarch +%ifnarch x86_64 %define with_kernel_abi_stablelists 0 %endif # Overrides for generic default options # only package docs noarch -%ifnarch noarch +%ifnarch x86_64 %define with_doc 0 %define doc_build_fail true %endif @@ -445,44 +445,24 @@ Source9: x509.genkey %if %{?released_kernel} -Source10: redhatsecurebootca5.cer -Source11: redhatsecurebootca3.cer -Source12: redhatsecureboot501.cer -Source13: redhatsecureboot301.cer -Source14: secureboot_s390.cer -Source15: secureboot_ppc.cer +Source11: clsecureboot001.cer +Source13: clsecureboot001.cer %define secureboot_ca_0 %{SOURCE11} -%define secureboot_ca_1 %{SOURCE10} %ifarch x86_64 aarch64 %define secureboot_key_0 %{SOURCE13} -%define pesign_name_0 redhatsecureboot301 -%define secureboot_key_1 %{SOURCE12} -%define pesign_name_1 redhatsecureboot501 -%endif -%ifarch s390x -%define secureboot_key_0 %{SOURCE14} -%define pesign_name_0 redhatsecureboot302 -%endif -%ifarch ppc64le -%define secureboot_key_0 %{SOURCE15} -%define pesign_name_0 redhatsecureboot303 +%define pesign_name_0 clsecureboot001 %endif # released_kernel %else -Source11: redhatsecurebootca4.cer -Source12: redhatsecurebootca2.cer -Source13: redhatsecureboot401.cer -Source14: redhatsecureboot003.cer +Source12: clsecureboot001.cer +Source14: clsecureboot001.cer %define secureboot_ca_0 %{SOURCE12} -%define secureboot_ca_1 %{SOURCE11} %define secureboot_key_0 %{SOURCE14} -%define pesign_name_0 redhatsecureboot003 -%define secureboot_key_1 %{SOURCE13} -%define pesign_name_1 redhatsecureboot401 +%define pesign_name_0 clsecureboot001 # released_kernel %endif @@ -514,8 +494,8 @@ Source43: generate_bls_conf.sh Source44: mod-internal.list -Source100: rheldup3.x509 -Source101: rhelkpatch1.x509 +# Source100: rheldup3.x509 +# Source101: rhelkpatch1.x509 %if %{with_kabichk} Source200: check-kabi 
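Review bot: The comment `# only package docs noarch` above the second changed `%ifnarch` no longer matches the condition, which now turns `with_doc` off on every architecture except x86_64 (and, in the first change of the same hunk, `with_kernel_abi_stablelists`). Updating it to something like `# build the doc and kABI stablelists subpackages only from the x86_64 build` would keep the spec readable. The `BuildArch: noarch` lines added to those subpackages further down in this patch appear to be the other half of this change and could be mentioned in the same comment.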
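Review bot: In the `released_kernel` hunk, `secureboot_ca_0` and `secureboot_key_0` now resolve to the same file, because `Source11` and `Source13` (and `Source12`/`Source14` in the `%else` branch) are all `clsecureboot001.cer`. The `%pesign` call in the `BuildKernel()` hunk therefore receives one certificate as both `-a` and `-c`, and the kernel-keys hunk installs that same file as `kernel-signing-ca-20210114.cer`; whether it is the CA or the signing certificate cannot be told from the binary blob in this patch. If it is the signing certificate, the file documented as the signing CA would not be the CA, so a comment stating which it is, e.g. `# clsecureboot001.cer: <CA or signing> certificate, SHA-256 <FINGERPRINT>`, would help anyone verifying the chain. The duplicate `Source` tags could also be reduced to one.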
@@ -543,18 +523,24 @@ Source2000: cpupower.service Source2001: cpupower.config Source2002: kvm_stat.logrotate +Source9000: almalinux.pem + ## Patches needed for building this package # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch +Patch1000: debrand-single-cpu.patch +Patch1001: debrand-rh_taint.patch +Patch1002: debrand-rh-i686-cpu.patch + # END OF PATCH DEFINITIONS BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root %description -This is the package which provides the Linux %{name} for Red Hat Enterprise -Linux. It is based on upstream Linux at version %{version} and maintains kABI +This is the package which provides the Linux %{name} for AlmaLinux. +It is based on upstream Linux at version %{version} and maintains kABI compatibility of a set of approved symbols, however it is heavily modified with backports and fixes pulled from newer upstream Linux %{name} releases. This means this is not a %{version} kernel anymore: it includes several components which come @@ -562,7 +548,7 @@ from newer upstream linux versions, while maintaining a well tested and stable core. Some of the components/backports that may be pulled in are: changes like updates to the core kernel (eg.: scheduler, cgroups, memory management, security fixes and features), updates to block layer, supported filesystems, major driver -updates for supported hardware in Red Hat Enterprise Linux, enhancements for +updates for supported hardware in AlmaLinux, enhancements for enterprise customers, etc. # @@ -597,6 +583,7 @@ AutoProv: yes\ %package doc Summary: Various documentation bits found in the kernel source Group: Documentation +BuildArch: noarch %description doc This package contains documentation files from the kernel source. Various bits of information about the Linux kernel and the 
@@ -806,6 +793,7 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists Group: System Environment/Kernel AutoReqProv: no +BuildArch: noarch Obsoletes: %{name}-abi-whitelists < %{rpmversion}-%{pkg_release} Provides: %{name}-abi-whitelists %description -n %{name}-abi-stablelists @@ -819,8 +807,8 @@ Summary: The baseline dataset for kABI verification using DWARF data Group: System Environment/Kernel AutoReqProv: no %description kernel-kabidw-base-internal -The package contains data describing the current ABI of the Red Hat Enterprise -Linux kernel, suitable for the kabi-dw tool. +The package contains data describing the current ABI of the AlmaLinux +kernel, suitable for the kabi-dw tool. %endif # @@ -892,7 +880,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ AutoReq: no\ AutoProv: yes\ %description %{?1:%{1}-}modules-internal\ -This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\ +This package provides kernel modules for the %{?2:%{2} }kernel package for AlmaLinux internal usage.\ %{nil} # @@ -1090,10 +1078,14 @@ ApplyOptionalPatch() } %setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c +cp -v %{SOURCE9000} linux-%{rpmversion}-%{pkgrelease}/certs/rhel.pem mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} +ApplyOptionalPatch debrand-single-cpu.patch +ApplyOptionalPatch debrand-rh_taint.patch +ApplyOptionalPatch debrand-rh-i686-cpu.patch ApplyOptionalPatch linux-kernel-test.patch # END OF PATCH APPLICATIONS 
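Review bot: The added `cp -v %{SOURCE9000} linux-%{rpmversion}-%{pkgrelease}/certs/rhel.pem` in the `%setup` hunk places the AlmaLinux bundle where the spec previously assembled `rhel.pem` from the DUP and kpatch certificates, and, going by the comment in the later `%if %{signkernel}%{signmodules}` hunk, that file feeds the kernel's system trusted keys. Nothing next to the copy says what the bundle contains or how it was checked; the two certificates in `almalinux.pem` appear from their subject fields to be driver-update and kpatch signing certificates. I would add a comment above the `cp`, for example `# almalinux.pem replaces rheldup3/rhelkpatch1: certificates the kernel trusts for driver update and kpatch modules`, and consider printing the bundle's fingerprints in `%prep` so a changed trust anchor shows up in build logs. The copy also runs unconditionally, whereas the lines it replaces ran only under `%if %{signkernel}%{signmodules}`.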
@@ -1163,9 +1155,9 @@ done # Add DUP and kpatch certificates to system trusted keys for RHEL %if %{signkernel}%{signmodules} -openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem -openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem -cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem +# openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem +# openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem +# cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem %ifarch ppc64le openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem cat secureboot.pem >> ../certs/rhel.pem @@ -1318,9 +1310,7 @@ BuildKernel() { fi %ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} - %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} - rm vmlinuz.tmp + %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then 
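Review bot: With the three `openssl`/`cat` lines commented out in the trusted-keys hunk, the only live statements left in the visible part of the block are in the `%ifarch ppc64le` branch, which still appends `%{secureboot_ca_0}` to `../certs/rhel.pem`. After this patch that macro is `clsecureboot001.cer` and ppc64le was removed from `signkernel`, so on that architecture the secure boot certificate would presumably still be added to the trusted keys whenever `signmodules` is set; please confirm that is wanted or drop the branch. The commented-out lines are better deleted than kept, and the heading comment, which still says "for RHEL", could become `# certs/rhel.pem is provided by almalinux.pem in %prep; nothing to convert here`. The enclosing `%if` block continues outside the hunk.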
@@ -1729,9 +1719,8 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer %ifarch x86_64 aarch64 - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer - install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer - ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20210114.cer + ln -s kernel-signing-ca-20210114.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %else install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %endif