From 6949c236083091480b6aa2d82472e28ee878660e Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 22 Jan 2026 10:18:01 +0000 Subject: [PATCH] import OL kernel-5.14.0-611.24.1.el9_7 --- .gitignore | 6 +- .kernel.metadata | 6 +- SOURCES/1000-debrand-some-messages.patch | 59 +++++++ SOURCES/Makefile.rhelver | 2 +- ...34729535-change-certified-hw-message.patch | 19 +++ SOURCES/kernel.changelog | 62 +++++++ SOURCES/olkmod_signing_key.pem | 24 +++ SOURCES/olkmod_signing_key1.pem | 35 ++++ SOURCES/x509.genkey.rhel | 6 +- SPECS/kernel.spec | 152 +++++++++++++----- 10 files changed, 324 insertions(+), 47 deletions(-) create mode 100644 SOURCES/1000-debrand-some-messages.patch create mode 100644 SOURCES/bug34729535-change-certified-hw-message.patch create mode 100644 SOURCES/olkmod_signing_key.pem create mode 100644 SOURCES/olkmod_signing_key1.pem mode change 100644 => 100755 SPECS/kernel.spec diff --git a/.gitignore b/.gitignore index 4ce832314..0b4a4bae8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ -SOURCES/kernel-abi-stablelists-5.14.0-611.20.1.el9_7.tar.bz2 -SOURCES/kernel-kabi-dw-5.14.0-611.20.1.el9_7.tar.bz2 -SOURCES/linux-5.14.0-611.20.1.el9_7.tar.xz +SOURCES/kernel-abi-stablelists-5.14.0-611.24.1.el9_7.tar.bz2 +SOURCES/kernel-kabi-dw-5.14.0-611.24.1.el9_7.tar.bz2 +SOURCES/linux-5.14.0-611.24.1.el9_7.tar.xz SOURCES/nvidiagpuoot001.x509 SOURCES/olima1.x509 SOURCES/olimaca1.x509 diff --git a/.kernel.metadata b/.kernel.metadata index 0b4114be9..8eb35240d 100644 --- a/.kernel.metadata +++ b/.kernel.metadata @@ -1,6 +1,6 @@ -1e30289092b81ba717ae5e7f571e1e45bf6c9fe8 SOURCES/kernel-abi-stablelists-5.14.0-611.20.1.el9_7.tar.bz2 -070fdef7e39adf3321eb25910d3da5b3eccb36ec SOURCES/kernel-kabi-dw-5.14.0-611.20.1.el9_7.tar.bz2 -650b2127d6afd5fbed75f4c69c1dff313a99e32f SOURCES/linux-5.14.0-611.20.1.el9_7.tar.xz +9e58f9a6113ab01923ba02acaff63b7de1d8ccf0 SOURCES/kernel-abi-stablelists-5.14.0-611.24.1.el9_7.tar.bz2 +c3610b2f194974a2a575ec35b0c17336dba19542 SOURCES/kernel-kabi-dw-5.14.0-611.24.1.el9_7.tar.bz2 +1568c0459f000363b10345c6dfa4af7e700b026b SOURCES/linux-5.14.0-611.24.1.el9_7.tar.xz 4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509 706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509 6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509 diff --git a/SOURCES/1000-debrand-some-messages.patch b/SOURCES/1000-debrand-some-messages.patch new file mode 100644 index 000000000..d82ef0f3d --- /dev/null +++ b/SOURCES/1000-debrand-some-messages.patch @@ -0,0 +1,59 @@ +From 6ca79c451f7508fc1916113fd0cdba2140c14818 Mon Sep 17 00:00:00 2001 +From: Louis Abel +Date: Wed, 20 Sep 2023 14:16:05 -0700 +Subject: [PATCH] debrand some messages + +Modified-by: Alex Burmashev +--- + kernel/rh_shadowman.c | 55 ++++++++++++++++++++++--------------------- + 4 files changed, 34 insertions(+), 33 deletions(-) + +diff --git a/kernel/rh_shadowman.c b/kernel/rh_shadowman.c +index 018d5c633..d05ea0790 100644 +--- a/kernel/rh_shadowman.c ++++ b/kernel/rh_shadowman.c +@@ -1,39 +1 @@ +-#include +-#include +-#include +- +-/* Display a shadowman logo on the console screen */ +-static int __init rh_shadowman(char *str) +-{ +- pr_info("RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRRRRrrrrrrrrrrrrrrrORHRrrHRRRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRRHrr8rrrrrrrrrrrrrrrrrrrrhRRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRHRRRRRRRRRRRrrHRHRRRHHHrrrrrrrrrrrrrHRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRHrrrrrHrrrrrrrrrrrrrrrrrrrrRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRHh88hhRHrrrrrrrrrrrrrrrrrrrrrrrrrrHRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRrrrrrrrrrRHRH8rrrrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRH8rrrrrrrrrrRHRRRRRRRRRHrrrrrrrrrrrrrrrrRrhHRHRRRRRRRRRR\n"); +- pr_info("RRRRRROrrrrrrrrrrrORRRRRRRRRRRrrrrrrrrrrrrrHrrrrrrhRRRRRRRRR\n"); +- pr_info("RRRRRRRROrrrrrrrrrrrrrrr8RRRRHRrrrrrrrrrrrrrrrrrrrrrHRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRHhrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRH. .HHHrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRR. .RRhRRHH8rrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRR~ .RRRRRRRRRHHh8OOOOO8HRRHRRRRRRRRRRRRRRR\n"); +- pr_info("R,```` RRR8 .hHRRRh\\hHH:=HRh.RRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RR ORRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRR ,HHtaa HRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRO. .RRRRO. . .RRRRRRR\n"); +- pr_info("RRRRRR ,RRHh, :RRRRRRRR\n"); +- pr_info("RRRRRRRR HRR :RRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRr .. ,RRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRt . .HRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRRRr. =RRRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRRRRRRRRRRHHr: .:tRhRRRRRRRRRRRRRRRRRRRRRRRRRR\n"); +- pr_info(" "); +- pr_info(" Long Live Shadowman!"); +- pr_info("576527726520686972696e6721a68747470733a2f2f7777772e7265646861742e636f6d2f6a6f6273"); +- pr_info(" "); +- return 1; +-} +- +-__setup("shadowman", rh_shadowman); ++// This file has been intentionally left blank +-- +2.41.0 + + diff --git a/SOURCES/Makefile.rhelver b/SOURCES/Makefile.rhelver index dc11f32df..6f3c7197b 100644 --- a/SOURCES/Makefile.rhelver +++ b/SOURCES/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 7 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 611.20.1 +RHEL_RELEASE = 611.24.1 # # ZSTREAM diff --git a/SOURCES/bug34729535-change-certified-hw-message.patch b/SOURCES/bug34729535-change-certified-hw-message.patch new file mode 100644 index 000000000..879007081 --- /dev/null +++ b/SOURCES/bug34729535-change-certified-hw-message.patch @@ -0,0 +1,19 @@ +Update message about certified hardware list. + +Orabug: 34729535 + +Signed-off-by: Kevin Lyons +Reviewed-by: Laurence Rochfort +--- +diff -ruN linux-5.14.0-160.el8.x86_64.orig/init/main.c linux-5.14.0-160.el8.x86_64/init/main.c +--- linux-5.14.0-160.el8.x86_64.orig/init/main.c 2022-08-25 13:57:06.000000000 -0700 ++++ linux-5.14.0-160.el8.x86_64/init/main.c 2022-10-26 13:15:39.700724777 -0700 +@@ -894,7 +894,7 @@ + boot_cpu_init(); + page_address_init(); + pr_notice("%s", linux_banner); +- pr_notice("The list of certified hardware and cloud instances for Red Hat Enterprise Linux 9 can be viewed at the Red Hat Ecosystem Catalog, https://catalog.redhat.com.\n"); ++ pr_notice("The list of certified hardware for Oracle Linux 9 can be viewed at the Oracle Linux Certification List https://linux.oracle.com/hardware-certifications\n"); + setup_arch(&command_line); + /* Static keys and static calls are needed by LSMs */ + jump_label_init(); diff --git a/SOURCES/kernel.changelog b/SOURCES/kernel.changelog index df8b20ef9..8a48f0903 100644 --- a/SOURCES/kernel.changelog +++ b/SOURCES/kernel.changelog @@ -1,3 +1,65 @@ +* Sat Jan 10 2026 CKI KWF Bot [5.14.0-611.24.1.el9_7] +- gitlab-ci: use rhel9.7 builder image (Michael Hofmann) +- smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131388] {CVE-2025-39933} +- tty: n_tty: Fix buffer offsets when lookahead is used (Radostin Stoyanov) [RHEL-130039] +Resolves: RHEL-130039, RHEL-131388 + +* Thu Jan 08 2026 CKI KWF Bot [5.14.0-611.23.1.el9_7] +- book3s64/hash: Remove kfence support temporarily (Mamatha Inamdar) [RHEL-135574] +- xfs: rework datasync tracking and execution (CKI Backport Bot) [RHEL-135714] +- xfs: rearrange code in xfs_inode_item_precommit (CKI Backport Bot) [RHEL-135714] +- inetpeer: do not get a refcount in inet_getpeer() (Guillaume Nault) [RHEL-116121] +- inetpeer: update inetpeer timestamp in inet_getpeer() (Guillaume Nault) [RHEL-116121] +- inetpeer: remove create argument of inet_getpeer() (Guillaume Nault) [RHEL-116121] +- inetpeer: remove create argument of inet_getpeer_v[46]() (Guillaume Nault) [RHEL-116121] +- ipv4/route: avoid unused-but-set-variable warning (Guillaume Nault) [RHEL-116121] +- arm64: errata: Expand speculative SSBS workaround for Cortex-A720AE (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Cortex-A720AE definitions (Waiman Long) [RHEL-130734] +- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (Waiman Long) [RHEL-130734] +- arm64: Add support for HIP09 Spectre-BHB mitigation (Waiman Long) [RHEL-130734] +- arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists (Waiman Long) [RHEL-130734] +- arm64: cputype: Add MIDR_CORTEX_A76AE (Waiman Long) [RHEL-130734] +- arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list (Waiman Long) [RHEL-130734] +- arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 (Waiman Long) [RHEL-130734] +- arm64: errata: Expand speculative SSBS workaround once more (Waiman Long) [RHEL-130734] +- arm64: errata: Expand speculative SSBS workaround (again) (Waiman Long) [RHEL-130734] +- tools headers arm64: Sync arm64's cputype.h with the kernel sources (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Neoverse-N3 definitions (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Cortex-A725 definitions (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Cortex-X1C definitions (Waiman Long) [RHEL-130734] +- drm/xe: Make dma-fences compliant with the safe access rules (Mika Penttilä) [RHEL-122263] {CVE-2025-38703} +Resolves: RHEL-116121, RHEL-122263, RHEL-130734, RHEL-135574, RHEL-135714 + +* Wed Jan 07 2026 CKI KWF Bot [5.14.0-611.22.1.el9_7] +- libceph: fix potential use-after-free in have_mon_and_osd_map() (CKI Backport Bot) [RHEL-137400] {CVE-2025-68285} +Resolves: RHEL-137400 + +* Thu Jan 01 2026 CKI KWF Bot [5.14.0-611.21.1.el9_7] +- usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths (CKI Backport Bot) [RHEL-137147] {CVE-2025-68287} +- redhat: conflict with unsupported shim on x86/aarch64 (9.7.z) (Li Tian) [RHEL-135775] +- drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CKI Backport Bot) [RHEL-134428] {CVE-2025-40277} +- perf tools: Don't set attr.exclude_guest by default (Michael Petlan) [RHEL-131726] +- smb: client: fix refcount leak in smb2_set_path_attr (Paulo Alcantara) [RHEL-127422] +- smb: client: fix potential UAF in smb2_close_cached_fid() (Paulo Alcantara) [RHEL-127422] +- smb: client: fix potential cfid UAF in smb2_query_info_compound (Paulo Alcantara) [RHEL-127422] +- smb: client: Fix refcount leak for cifs_sb_tlink (Paulo Alcantara) [RHEL-127422] +- cifs: parse_dfs_referrals: prevent oob on malformed input (Paulo Alcantara) [RHEL-127422] +- smb: client: remove cfids_invalidation_worker (Paulo Alcantara) [RHEL-127422] +- smb client: fix bug with newly created file in cached dir (Paulo Alcantara) [RHEL-127422] +- smb: client: short-circuit negative lookups when parent dir is fully cached (Paulo Alcantara) [RHEL-127422] +- smb: client: short-circuit in open_cached_dir_by_dentry() if !dentry (Paulo Alcantara) [RHEL-127422] +- smb: client: remove pointless cfid->has_lease check (Paulo Alcantara) [RHEL-127422] +- smb: client: remove unused fid_lock (Paulo Alcantara) [RHEL-127422] +- smb: client: update cfid->last_access_time in open_cached_dir_by_dentry() (Paulo Alcantara) [RHEL-127422] +- smb: client: ensure open_cached_dir_by_dentry() only returns valid cfid (Paulo Alcantara) [RHEL-127422] +- smb: client: account smb directory cache usage and per-tcon totals (Paulo Alcantara) [RHEL-127422] +- smb: client: add drop_dir_cache module parameter to invalidate cached dirents (Paulo Alcantara) [RHEL-127422] +- smb: client: show lease state as R/H/W (or NONE) in open_files (Paulo Alcantara) [RHEL-127422] +- smb: client: show negotiated cipher in DebugData (Paulo Alcantara) [RHEL-127422] +- smb: client: add new tracepoint to trace lease break notification (Paulo Alcantara) [RHEL-127422] +- smb: client: Fix NULL pointer dereference in cifs_debug_dirs_proc_show() (Paulo Alcantara) [RHEL-127422] +Resolves: RHEL-127422, RHEL-131726, RHEL-134428, RHEL-135775, RHEL-137147 + * Sat Dec 20 2025 CKI KWF Bot [5.14.0-611.20.1.el9_7] - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (CKI Backport Bot) [RHEL-124607] {CVE-2025-39806} - sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-134001] {CVE-2025-40240} diff --git a/SOURCES/olkmod_signing_key.pem b/SOURCES/olkmod_signing_key.pem new file mode 100644 index 000000000..7a51daf16 --- /dev/null +++ b/SOURCES/olkmod_signing_key.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEETCCAvmgAwIBAgIJANw8y5k9b7SaMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBT +aG9yZXMxGzAZBgNVBAoMEk9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3Jh +Y2xlIExpbnV4MS0wKwYDVQQDDCRPcmFjbGUgTGludXggUkhDSyBNb2R1bGUgU2ln +bmluZyBLZXkwHhcNMTYwNTA5MjMzNjA4WhcNMjYwNTA3MjMzNjA4WjCBnjELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFzAVBgNVBAcMDlJlZHdvb2Qg +U2hvcmVzMRswGQYDVQQKDBJPcmFjbGUgQ29ycG9yYXRpb24xFTATBgNVBAsMDE9y +YWNsZSBMaW51eDEtMCsGA1UEAwwkT3JhY2xlIExpbnV4IFJIQ0sgTW9kdWxlIFNp +Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6bUDNNZ +jIqgsqgspwBIQ18keDxQeGnWgubZZhHrQU3GpeSRPM4lNTHc+UjMjNXrv/CENZdv +4cETRsxT1VFhGG3CvkbQdzc8v4JOQvWSSJqmViPa1eC+yGaMRnGcFXzKsHiTLA4y +WMjpJnVowFkwTzscRBlN0AysUg/hT/74DE0oqVnlCJNynqccNWpx8MtNRD55ay9A +73yJinYES14rXcU3QbJoO0ZxtRz83ZACDUGX0GORT3+NbB0RK0sttogzA3eLvxKw +umWsWZAHmTuHdWgUjSqqZr34VNLPVcsTHAW8X4bq6rRVcB2lMJ3kJfDP8BJyTn99 +37UmA+/ld47cnwIDAQABo1AwTjAdBgNVHQ4EFgQU3ZlbFVwZs6fD73cHuWniX5Y5 +Zm4wHwYDVR0jBBgwFoAU3ZlbFVwZs6fD73cHuWniX5Y5Zm4wDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEAF7nfhWfsk4uEDquLj7nJE0wPlVvllVDugzOk +R15pnQ7P+HTyz3sLaLJE4N5oWt6pFzDGDYEtPeoMCn1l447tX179Nf5SMZba9ut8 +3Vxbe7jAn9sQO7ArQR1swf1r101Me4+1oHq7rxPRizOOXrKeEvf5NSAUbSzzXfz6 +TEp21KTIQO7MjqpsKshRQbpPeiReaYy3A6gJftun5xekP04QTLZVBR4dL7tvZf0S +y9SjVg158lONXHfjBekyYTzSFBn/7v+AS8S+cAGRfYteE0Syxl7zJt3GUoEWau/e +kXHT+hd/hkdSQKZZWZo1380M1pVZZAvntLRBU6IN9SswafhiVg== +-----END CERTIFICATE----- diff --git a/SOURCES/olkmod_signing_key1.pem b/SOURCES/olkmod_signing_key1.pem new file mode 100644 index 000000000..b99afba7a --- /dev/null +++ b/SOURCES/olkmod_signing_key1.pem @@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGBjCCA+6gAwIBAgIUf99zHRXkhhuQepjkXdIfz1kNGiwwDQYJKoZIhvcNAQEL +BQAwgZ4xKTAnBgNVBAMMIE9yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyBDQSAx +MQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRswGQYDVQQKDBJP +cmFjbGUgQ29ycG9yYXRpb24xGzAZBgNVBAsMEk9yYWNsZSBDb3Jwb3JhdGlvbjET +MBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yNTA1MDIwOTIzNDFaFw0zNjA0MTIyMTEw +MjlaMGcxLDAqBgNVBAMMI09yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyAoa2V5 +IDEpMQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRMwEQYDVQQI +DApDYWxpZm9ybmlhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5dMQ +z4EwgCYLrxJCYTn0H5yncdJREDgAgkne3nQAmtJjfcoKNqRxieK5j1KjloF3Qvjt +c5gITvjpne1UrHTodPF9qpJrFieDPb9+CMUGg/R/gk20PofKa5+DhTMyeIEpBOa7 +P6/OdCGiwaGI85Js6JMnNX2YKerehKB44zVfiNmddn7T/3y2QFFNj3VH62tC4XNt +wZLCHnnO0JzOcZht5KA1JsITSLkT6/o//SZLpaNSAQkkanymdvszV5b0PDu4A0Fi +5Ch41Akset2kAlpRoRBaVVdNhqKDyzsGRFyzHD57EyyY4M6H3yh2T6SPPOTUOKgn +tcBfnFuijl2K/d87cnky1v1XzrvZqLzRz11ksLmZrUHZZ3PWfq2EndG8OiO4PdcF +sF4nd20yuUywW4nj5iZT5h6f8P06C62ILe+dJWNzpGm6JgyYvTnHoUXjoQR+TLs/ +WY1l1N2uf3lc5rkof4g+Ckh/6uI1k5XfyHIzw8Z9wEOliUvHXq/8TVZ653IMmfC8 +gIrIMNOXONMdG7ReTnsr9z7ckv/dYKbW1gWtyY8o92N3dLuYb8MpfvCHkVF5ItUR +52ay2wOQ1tDlfLUiU21yiglyW4rKanH6mrLd4mM8cphnPvRpZ9SM0qykwHrNqKOA +m9p0AwIf1zmUL6boX/Xd+6zM2HAXOPMS1EGjA6MCAwEAAaNyMHAwDAYDVR0TAQH/ +BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYE +FDUwOWM0ZjZkYmZjMGUyODhjOGM4MB8GA1UdIwQYMBaAFGM2NDkzM2I4OWUzNTYw +ZmVhNWQzMA0GCSqGSIb3DQEBCwUAA4ICAQAmZbUs5P2HGRHt4W/QhGyfxxa/Go8K +6a1VZlh71OURsbQ42ZDCfrYgw8LtDPqx7ySlUlkjDcc7ZvRh6RzLyn+ARIohhKNH +PpEzIpOGm5P4zqY9R36STRSgCDl9iCNlk8pGKzqEIT+aCaZUWF+7NcFgePFDuN9W +FX5tXhxEqqn8rmvGMQ3ZtodxIJb6ksKz6j/JWnuvcD4EgI1ykyc8MAtIm2/qVmPQ +IofwXo6yL6ygT5K7cMsrte4EbzrHvuhuz89RHDmwmgB6XmZCWBOGYrO7lza2Yx0C +/m4LcUHPW6XgrtkvIcLST90Ng9fp8EQl7Rp3med0K83kdwKUt7Ju9aPze049tuTQ +QoHsIHDgsExK4wXUayHNgNNr8lMFm42gTB2DqP9F/Ihq7YhIdfXbOsVdS38Il9+Y +8RWI87H+0mAxsv2RnaNkEbmd+2vY9j1ebHyblN59mxDEY+h3W7v402ay01Ia2Lnw +szOAPq6AKZdfi0nan6zunurwEGKGeF4+Gr42RlA0Pcu1ZltBQVuMhvkO1wKZ5vO6 +MNR7swI0fH6VsyUms8wQbR85MCJg0MhpzRKw0g0Ka+c4nF1c4EmU4GaIbCNfzJy+ +68wdJDHhX+sbD7+AJBQ9i6TmtbPIGKNDHh9cMIXs+jMRtia/ZCYEsOOO5B+xrawF +JuZ4rgQv9ghmhQ== +-----END CERTIFICATE----- diff --git a/SOURCES/x509.genkey.rhel b/SOURCES/x509.genkey.rhel index b1bbe387f..5b7056d65 100644 --- a/SOURCES/x509.genkey.rhel +++ b/SOURCES/x509.genkey.rhel @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = Red Hat -CN = Red Hat Enterprise Linux kernel signing key -emailAddress = secalert@redhat.com +O = Oracle America, Inc.,c=US +CN = Oracle CA Server +emailAddress = support@oracle.com [ myexts ] basicConstraints=critical,CA:FALSE diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec old mode 100644 new mode 100755 index 6c5765cc5..6394b29c2 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -104,7 +104,7 @@ Summary: The Linux kernel %if 0%{?fedora} %define secure_boot_arch x86_64 %else -%define secure_boot_arch x86_64 aarch64 s390x ppc64le +%define secure_boot_arch x86_64 s390x ppc64le %endif # Signing for secure boot authentication @@ -165,15 +165,15 @@ Summary: The Linux kernel # define buildid .local %define specversion 5.14.0 %define patchversion 5.14 -%define pkgrelease 611.20.1 +%define pkgrelease 611.24.1 %define kversion 5 -%define tarfile_release 5.14.0-611.20.1.el9_7 +%define tarfile_release 5.14.0-611.24.1.el9_7 # This is needed to do merge window version magic %define patchlevel 14 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 611.20.1%{?buildid}%{?dist} +%define specrelease 611.24.1%{?buildid}%{?dist} # This defines the kabi tarball version -%define kabiversion 5.14.0-611.20.1.el9_7 +%define kabiversion 5.14.0-611.24.1.el9_7 # # End of genspec.sh variables @@ -615,6 +615,8 @@ Requires: kernel-modules-core-uname-r = %{KVERREL} Provides: installonlypkg(kernel) %endif +Provides: oracle(kernel-sig-key) == 202502 +Conflicts: shim-x64 < 15.8-1.0.4 # # List the packages used during the kernel build @@ -760,8 +762,6 @@ BuildRequires: tpm2-tools # For UKI sb cert %if 0%{?centos} BuildRequires: centos-sb-certs >= 9.0-23 -%else -BuildRequires: redhat-sb-certs >= 9.4-0.1 %endif %endif @@ -778,30 +778,10 @@ Source2: kernel.changelog %if %{signkernel} -# Name of the packaged file containing signing key -%ifarch ppc64le -%define signing_key_filename kernel-signing-ppc.cer -%endif -%ifarch s390x -%define signing_key_filename kernel-signing-s390.cer -%endif - %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer -%if 0%{?centos} -%define pesign_name_0 centossecureboot201 -%else -%ifarch x86_64 aarch64 -%define pesign_name_0 redhatsecureboot801 -%endif -%ifarch s390x -%define pesign_name_0 redhatsecureboot302 -%endif -%ifarch ppc64le -%define pesign_name_0 redhatsecureboot701 -%endif -%endif +%define pesign_name_0 OracleLinuxSecureBootKey3 # signkernel %endif @@ -887,14 +867,20 @@ Source102: rhelimaca1.x509 Source103: rhelima.x509 Source104: rhelima_centos.x509 Source105: nvidiagpuoot001.x509 +# Oracle Linux IMA CA certificate +Source106: olimaca1.x509 +# Oracle Linux IMA signing certificate +Source107: olima1.x509 %if 0%{?centos} %define ima_signing_cert %{SOURCE104} %else %define ima_signing_cert %{SOURCE103} +%define ima_signing_cert_ol %{SOURCE107} %endif %define ima_cert_name ima.cer +%define ima_cert_name_ol ima_ol.cer Source150: dracut-virt.conf @@ -937,6 +923,10 @@ Source4000: README.rst Source4001: rpminspect.yaml Source4002: gating.yaml +# Oracle Linux RHCK Module Signing Key +Source5001: olkmod_signing_key.pem +Source5002: olkmod_signing_key1.pem + ## Patches needed for building this package %if !%{nopatches} @@ -944,8 +934,12 @@ Source4002: gating.yaml Patch1: patch-%{patchversion}-redhat.patch %endif +# Oracle patches +Patch1000: bug34729535-change-certified-hw-message.patch + # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch +Patch1000000: 1000-debrand-some-messages.patch # END OF PATCH DEFINITIONS @@ -972,6 +966,9 @@ Recommends: linux-firmware\ Requires(preun): systemd >= 200\ Conflicts: xfsprogs < 4.3.0-1\ Conflicts: xorg-x11-drv-vmmouse < 13.0.99\ +%ifarch x86_64 aarch64\ +Conflicts: shim < 15.8-1\ +%endif\ %{expand:%%{?kernel%{?1:_%{1}}_conflicts:Conflicts: %%{kernel%{?1:_%{1}}_conflicts}}}\ %{expand:%%{?kernel%{?1:_%{1}}_obsoletes:Obsoletes: %%{kernel%{?1:_%{1}}_obsoletes}}}\ %{expand:%%{?kernel%{?1:_%{1}}_provides:Provides: %%{kernel%{?1:_%{1}}_provides}}}\ @@ -1094,10 +1091,10 @@ This package provides debug information for the libperf package. %package -n kernel-tools Summary: Assortment of tools for the Linux kernel %ifarch %{cpupowerarchs} -Provides: cpupowerutils = 1:009-0.6.p1 +Provides: cpupowerutils = 1:009-0.6.p1 Obsoletes: cpupowerutils < 1:009-0.6.p1 -Provides: cpufreq-utils = 1:009-0.6.p1 -Provides: cpufrequtils = 1:009-0.6.p1 +Provides: cpufreq-utils = 1:009-0.6.p1 +Provides: cpufrequtils = 1:009-0.6.p1 Obsoletes: cpufreq-utils < 1:009-0.6.p1 Obsoletes: cpufrequtils < 1:009-0.6.p1 Obsoletes: cpuspeed < 1:1.5-16 @@ -1118,7 +1115,7 @@ from the kernel source. Summary: Assortment of tools for the Linux kernel Requires: kernel-tools = %{version}-%{release} %ifarch %{cpupowerarchs} -Provides: cpupowerutils-devel = 1:009-0.6.p1 +Provides: cpupowerutils-devel = 1:009-0.6.p1 Obsoletes: cpupowerutils-devel < 1:009-0.6.p1 %endif Requires: kernel-tools-libs = %{version}-%{release} @@ -1645,6 +1642,7 @@ cp -a %{SOURCE1} . ApplyOptionalPatch patch-%{patchversion}-redhat.patch %endif +ApplyPatch bug34729535-change-certified-hw-message.patch ApplyOptionalPatch linux-kernel-test.patch # END OF PATCH APPLICATIONS @@ -1724,6 +1722,13 @@ openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem openssl x509 -inform der -in %{SOURCE102} -out rhelimaca1.pem openssl x509 -inform der -in %{SOURCE105} -out nvidiagpuoot001.pem cat rheldup3.pem rhelkpatch1.pem rhelimaca1.pem nvidiagpuoot001.pem > ../certs/rhel.pem +# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list +openssl x509 -inform der -in %{SOURCE106} -out olimaca1.pem +cat olimaca1.pem >> ../certs/rhel.pem +# Add olkmod_signing_key.pem to the kernel trusted certificates list +cat %{SOURCE5001} >> ../certs/rhel.pem +# Add olkmod_signing_key1.pem to the kernel trusted certificates list +cat %{SOURCE5002} >> ../certs/rhel.pem %if %{signkernel} %ifarch s390x ppc64le openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem @@ -2383,8 +2388,11 @@ BuildKernel() { %endif SBAT=$(cat <<- EOF linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com + linux,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com + linux.ol,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com + kernel-uki-virt.ol,1,Oracle Linux,kernel-uki-virt,$KernelVer,mailto:secalert_us@oracle.com EOF ) @@ -2416,15 +2424,13 @@ BuildKernel() { python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} "$ADDONS_SBAT" %if %{signkernel} - +%if ! %{?oraclelinux} %if 0%{?centos} UKI_secureboot_name=centossecureboot204 - UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer %else - # RHEL only builds UKI for x86 UKI_secureboot_name=redhatsecureboot504 - UKI_secureboot_cert=%{SOURCE153} %endif + UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c $UKI_secureboot_cert -n $UKI_secureboot_name if [ ! -s $KernelUnifiedImage.signed ]; then @@ -2443,6 +2449,7 @@ BuildKernel() { cp -a $UKI_secureboot_cert $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/secureboot-uki-%{_arch}.cer # signkernel +%endif %endif # hmac sign the UKI for FIPS @@ -2523,7 +2530,7 @@ BuildKernel() { # prune junk from kernel-devel find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete - # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel + # UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer %if %{signkernel} install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer @@ -2537,6 +2544,8 @@ BuildKernel() { %if 0%{?rhel} # Red Hat IMA code-signing cert, which is used to authenticate package files install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name} + # Oracle Linux IMA signing cert + install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol} %endif %if %{signmodules} @@ -3691,6 +3700,75 @@ fi # # %changelog +* Mon Jan 19 2026 EL Errata [5.14.0-611.24.1.el9_7.OL9] +- Disable UKI signing [Orabug: 36571828] +- Update Oracle Linux certificates (Kevin Lyons) +- Disable signing for aarch64 (Ilya Okomin) +- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237] +- Update x509.genkey [Orabug: 24817676] +- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9 +- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535] +- Add Oracle Linux IMA certificates +- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764] + +* Sat Jan 10 2026 CKI KWF Bot [5.14.0-611.24.1.el9_7] +- gitlab-ci: use rhel9.7 builder image (Michael Hofmann) +- smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131388] {CVE-2025-39933} +- tty: n_tty: Fix buffer offsets when lookahead is used (Radostin Stoyanov) [RHEL-130039] + +* Thu Jan 08 2026 CKI KWF Bot [5.14.0-611.23.1.el9_7] +- book3s64/hash: Remove kfence support temporarily (Mamatha Inamdar) [RHEL-135574] +- xfs: rework datasync tracking and execution (CKI Backport Bot) [RHEL-135714] +- xfs: rearrange code in xfs_inode_item_precommit (CKI Backport Bot) [RHEL-135714] +- inetpeer: do not get a refcount in inet_getpeer() (Guillaume Nault) [RHEL-116121] +- inetpeer: update inetpeer timestamp in inet_getpeer() (Guillaume Nault) [RHEL-116121] +- inetpeer: remove create argument of inet_getpeer() (Guillaume Nault) [RHEL-116121] +- inetpeer: remove create argument of inet_getpeer_v[46]() (Guillaume Nault) [RHEL-116121] +- ipv4/route: avoid unused-but-set-variable warning (Guillaume Nault) [RHEL-116121] +- arm64: errata: Expand speculative SSBS workaround for Cortex-A720AE (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Cortex-A720AE definitions (Waiman Long) [RHEL-130734] +- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (Waiman Long) [RHEL-130734] +- arm64: Add support for HIP09 Spectre-BHB mitigation (Waiman Long) [RHEL-130734] +- arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists (Waiman Long) [RHEL-130734] +- arm64: cputype: Add MIDR_CORTEX_A76AE (Waiman Long) [RHEL-130734] +- arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list (Waiman Long) [RHEL-130734] +- arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 (Waiman Long) [RHEL-130734] +- arm64: errata: Expand speculative SSBS workaround once more (Waiman Long) [RHEL-130734] +- arm64: errata: Expand speculative SSBS workaround (again) (Waiman Long) [RHEL-130734] +- tools headers arm64: Sync arm64's cputype.h with the kernel sources (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Neoverse-N3 definitions (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Cortex-A725 definitions (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Cortex-X1C definitions (Waiman Long) [RHEL-130734] +- drm/xe: Make dma-fences compliant with the safe access rules (Mika Penttilä) [RHEL-122263] {CVE-2025-38703} + +* Wed Jan 07 2026 CKI KWF Bot [5.14.0-611.22.1.el9_7] +- libceph: fix potential use-after-free in have_mon_and_osd_map() (CKI Backport Bot) [RHEL-137400] {CVE-2025-68285} + +* Thu Jan 01 2026 CKI KWF Bot [5.14.0-611.21.1.el9_7] +- usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths (CKI Backport Bot) [RHEL-137147] {CVE-2025-68287} +- redhat: conflict with unsupported shim on x86/aarch64 (9.7.z) (Li Tian) [RHEL-135775] +- drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CKI Backport Bot) [RHEL-134428] {CVE-2025-40277} +- perf tools: Don't set attr.exclude_guest by default (Michael Petlan) [RHEL-131726] +- smb: client: fix refcount leak in smb2_set_path_attr (Paulo Alcantara) [RHEL-127422] +- smb: client: fix potential UAF in smb2_close_cached_fid() (Paulo Alcantara) [RHEL-127422] +- smb: client: fix potential cfid UAF in smb2_query_info_compound (Paulo Alcantara) [RHEL-127422] +- smb: client: Fix refcount leak for cifs_sb_tlink (Paulo Alcantara) [RHEL-127422] +- cifs: parse_dfs_referrals: prevent oob on malformed input (Paulo Alcantara) [RHEL-127422] +- smb: client: remove cfids_invalidation_worker (Paulo Alcantara) [RHEL-127422] +- smb client: fix bug with newly created file in cached dir (Paulo Alcantara) [RHEL-127422] +- smb: client: short-circuit negative lookups when parent dir is fully cached (Paulo Alcantara) [RHEL-127422] +- smb: client: short-circuit in open_cached_dir_by_dentry() if !dentry (Paulo Alcantara) [RHEL-127422] +- smb: client: remove pointless cfid->has_lease check (Paulo Alcantara) [RHEL-127422] +- smb: client: remove unused fid_lock (Paulo Alcantara) [RHEL-127422] +- smb: client: update cfid->last_access_time in open_cached_dir_by_dentry() (Paulo Alcantara) [RHEL-127422] +- smb: client: ensure open_cached_dir_by_dentry() only returns valid cfid (Paulo Alcantara) [RHEL-127422] +- smb: client: account smb directory cache usage and per-tcon totals (Paulo Alcantara) [RHEL-127422] +- smb: client: add drop_dir_cache module parameter to invalidate cached dirents (Paulo Alcantara) [RHEL-127422] +- smb: client: show lease state as R/H/W (or NONE) in open_files (Paulo Alcantara) [RHEL-127422] +- smb: client: show negotiated cipher in DebugData (Paulo Alcantara) [RHEL-127422] +- smb: client: add new tracepoint to trace lease break notification (Paulo Alcantara) [RHEL-127422] +- smb: client: Fix NULL pointer dereference in cifs_debug_dirs_proc_show() (Paulo Alcantara) [RHEL-127422] + * Sat Dec 20 2025 CKI KWF Bot [5.14.0-611.20.1.el9_7] - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (CKI Backport Bot) [RHEL-124607] {CVE-2025-39806} - sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-134001] {CVE-2025-40240}