diff --git a/Makefile.rhelver b/Makefile.rhelver index 85e15609c..b666cdc8e 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 0 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 56 +RHEL_RELEASE = 57 # # Early y+1 numbering diff --git a/kernel.spec b/kernel.spec index 94f51b11e..5a82530d8 100755 --- a/kernel.spec +++ b/kernel.spec @@ -71,12 +71,6 @@ Summary: The Linux kernel -# Set released_kernel to 1 when the upstream source tarball contains a -# kernel release. (This includes prepatch or "rc" releases.) -# Set released_kernel to 0 when the upstream source tarball contains an -# unreleased kernel development snapshot. -%global released_kernel 0 - # Set debugbuildsenabled to 1 to build separate base and debug kernels # (on supported architectures). The kernel-debug-* subpackages will # contain the debug kernel. @@ -85,7 +79,7 @@ Summary: The Linux kernel # the --with-release option overrides this setting.) %define debugbuildsenabled 1 -%global distro_build 56 +%global distro_build 57 %if 0%{?fedora} %define secure_boot_arch x86_64 @@ -129,13 +123,13 @@ Summary: The Linux kernel %define kversion 5.14 %define rpmversion 5.14.0 -%define pkgrelease 56.el9 +%define pkgrelease 57.el9 # This is needed to do merge window version magic %define patchlevel 14 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 56%{?buildid}%{?dist} +%define specrelease 57%{?buildid}%{?dist} %define pkg_release %{specrelease} @@ -644,6 +638,7 @@ BuildRequires: kabi-dw %if %{signkernel}%{signmodules} BuildRequires: openssl %if %{signkernel} +BuildRequires: system-sb-certs %ifarch x86_64 aarch64 BuildRequires: nss-tools BuildRequires: pesign >= 0.10-4 @@ -680,10 +675,11 @@ BuildRequires: lld # exact git commit you can run # # xzcat -qq ${TARBALL} | git get-tar-commit-id -Source0: linux-5.14.0-56.el9.tar.xz +Source0: linux-5.14.0-57.el9.tar.xz Source1: Makefile.rhelver +%if %{signkernel} # Name of the packaged file containing signing key %ifarch ppc64le @@ -693,42 +689,24 @@ Source1: Makefile.rhelver %define signing_key_filename kernel-signing-s390.cer %endif -%if %{?released_kernel} - -Source10: redhatsecurebootca5.cer -Source11: redhatsecurebootca3.cer -Source12: redhatsecurebootca6.cer -Source13: redhatsecureboot501.cer -Source14: redhatsecureboot302.cer -Source15: redhatsecureboot601.cer +%define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer +%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer +%if 0%{?centos} +%define pesign_name_0 centossecureboot201 +%else %ifarch x86_64 aarch64 -%define secureboot_ca_0 %{SOURCE10} -%define secureboot_key_0 %{SOURCE13} %define pesign_name_0 redhatsecureboot501 %endif %ifarch s390x -%define secureboot_ca_0 %{SOURCE11} -%define secureboot_key_0 %{SOURCE14} %define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_ca_0 %{SOURCE12} -%define secureboot_key_0 %{SOURCE15} %define pesign_name_0 redhatsecureboot601 %endif +%endif -# released_kernel -%else - -Source10: redhatsecurebootca4.cer -Source11: redhatsecureboot401.cer - -%define secureboot_ca_0 %{SOURCE10} -%define secureboot_key_0 %{SOURCE11} -%define pesign_name_0 redhatsecureboot401 - -# released_kernel +# signkernel %endif Source20: mod-denylist.sh @@ -1364,8 +1342,8 @@ ApplyOptionalPatch() fi } -%setup -q -n kernel-5.14.0-56.el9 -c -mv linux-5.14.0-56.el9 linux-%{KVERREL} +%setup -q -n kernel-5.14.0-57.el9 -c +mv linux-5.14.0-57.el9 linux-%{KVERREL} cd linux-%{KVERREL} cp -a %{SOURCE1} . @@ -1452,10 +1430,12 @@ done openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem +%if %{signkernel} %ifarch s390x ppc64le openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem cat secureboot.pem >> ../certs/rhel.pem %endif +%endif for i in *.config; do sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i done @@ -1641,7 +1621,7 @@ BuildKernel() { %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed - elif [ $DoModules -eq 1 ]; then + elif [ "$DoModules" == "1" -a "%{signmodules}" == "1" ]; then chmod +x scripts/sign-file ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed else @@ -2070,14 +2050,6 @@ BuildKernel() { rm -f $RPM_BUILD_ROOT/mod-extra.list rm -f $RPM_BUILD_ROOT/mod-internal.list -%if %{signmodules} - if [ $DoModules -eq 1 ]; then - # Save the signing keys so we can sign the modules in __modsign_install_post - cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}} - cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}} - fi -%endif - # Move the devel headers out of the root file system mkdir -p $RPM_BUILD_ROOT/usr/src/kernels mv $RPM_BUILD_ROOT/lib/modules/$KernelVer/build $RPM_BUILD_ROOT/$DevelDir @@ -2098,18 +2070,29 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer +%if %{signkernel} install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %ifarch s390x ppc64le - if [ $DoModules -eq 1 ]; then - if [ -x /usr/bin/rpm-sign ]; then - install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} - else - install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} - chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} - fi + if [ -x /usr/bin/rpm-sign ]; then + install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} fi %endif +%endif + +%if %{signmodules} + if [ $DoModules -eq 1 ]; then + # Save the signing keys so we can sign the modules in __modsign_install_post + cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}} + cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}} + %ifarch s390x ppc64le + if [ ! -x /usr/bin/rpm-sign ]; then + install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + fi + %endif + fi +%endif %if %{with_ipaclones} MAXPROCS=$(echo %{?_smp_mflags} | sed -n 's/-j\s*\([0-9]\+\)/\1/p') @@ -2959,6 +2942,50 @@ fi # # %changelog +* Tue Feb 08 2022 Herton R. Krzesinski [5.14.0-57.el9] +- block: assign bi_bdev for cloned bios in blk_rq_prep_clone (Benjamin Marzinski) [2026948] +- dm sysfs: use default_groups in kobj_type (Benjamin Marzinski) [2043224] +- dm space map common: add bounds check to sm_ll_lookup_bitmap() (Benjamin Marzinski) [2043224] +- dm btree: add a defensive bounds check to insert_at() (Benjamin Marzinski) [2043224] +- dm btree remove: change a bunch of BUG_ON() calls to proper errors (Benjamin Marzinski) [2043224] +- dm btree spine: eliminate duplicate le32_to_cpu() in node_check() (Benjamin Marzinski) [2043224] +- dm btree spine: remove extra node_check function declaration (Benjamin Marzinski) [2043224] +- redhat: drop the RELEASED_KERNEL switch (Herton R. Krzesinski) [2037084 2045327] +- redhat: switch the kernel package to use certs from system-sb-certs (Herton R. Krzesinski) [2037084 2045327] +- mptcp: disable by default (Davide Caratti) [2044392] +- sch_api: Don't skip qdisc attach on ingress (Davide Caratti) [2044560] +- flow_offload: return EOPNOTSUPP for the unsupported mpls action type (Davide Caratti) [2044560] +- sch_cake: do not call cake_destroy() from cake_init() (Davide Caratti) [2044560] +- net/sched: fq_pie: prevent dismantle issue (Davide Caratti) [2044560] +- vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit (Antoine Tenart) [2044252] +- qla2xxx: Add new messaging (Ewan D. Milne) [2039070] +- nvme-fc: remove freeze/unfreeze around update_nr_hw_queues (Ewan D. Milne) [2030051] +- nvme-fc: avoid race between time out and tear down (Ewan D. Milne) [2030051] +- nvme-fc: update hardware queues before using them (Ewan D. Milne) [2030051] +- lpfc: Add new messaging (Ewan D. Milne) [2039068] +- tee: handle lookup of shm with reference count 0 (Chris von Recklinghausen) [2030754] {CVE-2021-44733} +- dma-buf: move dma-buf symbols into the DMA_BUF module namespace (Chris von Recklinghausen) [2030754] {CVE-2021-44733} +- tee: add sec_world_id to struct tee_shm (Chris von Recklinghausen) [2030754] {CVE-2021-44733} +- drm/i915/selftests: Do not use import_obj uninitialized (Chris von Recklinghausen) [2030754] {CVE-2021-44733} +- drm/gem: Provide drm_gem_fb_{vmap,vunmap}() (Chris von Recklinghausen) [2030754] {CVE-2021-44733} +- drm: Define DRM_FORMAT_MAX_PLANES (Chris von Recklinghausen) [2030754] {CVE-2021-44733} +- drm/i915/gem: Correct the locking and pin pattern for dma-buf (v8) (Chris von Recklinghausen) [2030754] {CVE-2021-44733} +- drm/gm12u320: Use framebuffer dma-buf helpers (Chris von Recklinghausen) [2030754] {CVE-2021-44733} +- drm/gud: Use framebuffer dma-buf helpers (Chris von Recklinghausen) [2030754] {CVE-2021-44733} +- drm/udl: Use framebuffer dma-buf helpers (Chris von Recklinghausen) [2030754] {CVE-2021-44733} +- drm/gem: Provide drm_gem_fb_{begin,end}_cpu_access() helpers (Chris von Recklinghausen) [2030754] {CVE-2021-44733} +- dmaengine: idxd: Add wq occupancy information to sysfs attribute Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1971888 Upstream Status: kernel/git/torvalds/linux.git (Julia Denham) +- arch/x86: KABI structs and array padding (Prarit Bhargava) [2033081] +- hpsa: add new messaging (Tomas Henzl) [2028575] +- aacraid: add new messaging (Tomas Henzl) [2028574] +- mptsas: add new messaging (Tomas Henzl) [2027741] +- megaraid_sas: add new messaging (Tomas Henzl) [2027741] +- mpt3sas: Add new messaging (Tomas Henzl) [2027741] +- scsi: mpi3mr: Use scnprintf() instead of snprintf() (Tomas Henzl) [1876005] +- scsi: mpi3mr: Clean up mpi3mr_print_ioc_info() (Tomas Henzl) [1876005] +- scsi: mpi3mr: Set up IRQs in resume path (Tomas Henzl) [1876005] +- scsi: mpi3mr: Use the proper SCSI midlayer interfaces for PI (Tomas Henzl) [1876005] + * Mon Feb 07 2022 Herton R. Krzesinski [5.14.0-56.el9] - KVM: VMX: switch blocked_vcpu_on_cpu_lock to raw spinlock (Marcelo Tosatti) [2034007] - x86/hyperv: Properly deal with empty cpumasks in hyperv_flush_tlb_multi() (Vitaly Kuznetsov) [2035993] diff --git a/redhatsecureboot401.cer b/redhatsecureboot401.cer deleted file mode 100644 index 247666cfe..000000000 Binary files a/redhatsecureboot401.cer and /dev/null differ diff --git a/redhatsecurebootca4.cer b/redhatsecurebootca4.cer deleted file mode 100644 index 8cb32e68c..000000000 Binary files a/redhatsecurebootca4.cer and /dev/null differ diff --git a/sources b/sources index 57c215ed9..47c072525 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (linux-5.14.0-56.el9.tar.xz) = ae1e23af0e5902780f20a41869450e21b25ff985636c968ea0c77f114b6289edbc76d5ae6f483930f057123fc320a5acd79be15dbb9dcde02708d3561a799cc7 -SHA512 (kernel-abi-stablelists-5.14.0-56.tar.bz2) = f3574bf301f4e90704f21c2329fa5b7acd956f5f647ea162a762597fb6af82a7250d57174fee749da3bfbd24ff8bdbdf8c0f177ff1475f567a3529072f67edc1 -SHA512 (kernel-kabi-dw-5.14.0-56.tar.bz2) = da079c029608ed0f60af06676c4b0cebb60454a785fedbda73db7e21e875c8a4199332d343dafec4942ced1fc9180a65bebfea01bef7c49ef29408a981cc226d +SHA512 (linux-5.14.0-57.el9.tar.xz) = a6494ef24ea86a21958e8ae48873a6d97411e159ed46971c9abb66237c707aeaac9814825ba93c13b2c28e98ab8c033e000f9de100f696a7e1d7bd34b803d7ff +SHA512 (kernel-abi-stablelists-5.14.0-57.tar.bz2) = be430f0c21b10ce467f9c06ee6098be869c1f902bea4f7ee950fcdf676d648ed655a36fcbcd392c6ef340cf078962b3ef3d55f10cd6d9e23642efb21327a186b +SHA512 (kernel-kabi-dw-5.14.0-57.tar.bz2) = e15ad04f87b5c1ee7ef971b0e9c9d2835a8c6bbae4ede48eccb8a497b3de06485732ce84363a4b9a787c9dad33cd8e07c8eefd81ee835e74397c74c5748d0b77