diff --git a/.gitignore b/.gitignore index e09ca7245..9b3a4754f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +fedoraimaca.x509 kernel-abi-stablelists-6.12.0-55.39.1.el10_0.tar.xz kernel-kabi-dw-6.12.0-55.39.1.el10_0.tar.xz linux-6.12.0-55.39.1.el10_0.tar.xz diff --git a/bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch b/bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch deleted file mode 100644 index 79ea68fe1..000000000 --- a/bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch +++ /dev/null @@ -1,44 +0,0 @@ -From b0de5456e201c475d6a860ceeb3ed8ee2923695a Mon Sep 17 00:00:00 2001 -From: Keith Busch -Date: Mon, 2 Dec 2024 09:45:48 -0800 -Subject: [PATCH] nvme-pci: remove two deallocate zeroes quirks - -The quirk was initially used as a signal to set the discard_zeroes_data -queue limit because there were some use cases that relied on that -behavior. The queue limit no longer exists as every user of it has been -converted to use the write zeroes operation instead. - -The quirk now means to use a discard command as an alias to a write -zeroes request. Two of the devices previously using the quirk support -the write zeroes command directly, so these don't need or want to use -discard when the desired operation is to write zeroes. - -Reviewed-by: Christoph Hellwig -Signed-off-by: Keith Busch - -Orabug: 37756650 - -Modified-by: Alex Burmashev -Signed-off-by: Alex Burmashev ---- - drivers/nvme/host/pci.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c -index 4c644bb7f06927..9535e35ef18a56 100644 ---- a/drivers/nvme/host/pci.c -+++ b/drivers/nvme/host/pci.c -@@ -3588,12 +3588,10 @@ static const struct pci_device_id nvme_id_table[] = { - NVME_QUIRK_DEALLOCATE_ZEROES, }, - { PCI_VDEVICE(INTEL, 0x0a54), /* Intel P4500/P4600 */ - .driver_data = NVME_QUIRK_STRIPE_SIZE | -- NVME_QUIRK_DEALLOCATE_ZEROES | - NVME_QUIRK_IGNORE_DEV_SUBNQN | - NVME_QUIRK_BOGUS_NID, }, - { PCI_VDEVICE(INTEL, 0x0a55), /* Dell Express Flash P4600 */ -- .driver_data = NVME_QUIRK_STRIPE_SIZE | -- NVME_QUIRK_DEALLOCATE_ZEROES, }, -+ .driver_data = NVME_QUIRK_STRIPE_SIZE, }, - { PCI_VDEVICE(INTEL, 0xf1a5), /* Intel 600P/P3100 */ - .driver_data = NVME_QUIRK_NO_DEEPEST_PS | - NVME_QUIRK_MEDIUM_PRIO_SQ | diff --git a/kernel.spec b/kernel.spec index 01698b7b6..d3a391321 100644 --- a/kernel.spec +++ b/kernel.spec @@ -98,7 +98,7 @@ Summary: The Linux kernel %if 0%{?fedora} %define secure_boot_arch x86_64 %else -%define secure_boot_arch x86_64 s390x ppc64le +%define secure_boot_arch x86_64 aarch64 s390x ppc64le %endif # Signing for secure boot authentication @@ -168,7 +168,7 @@ Summary: The Linux kernel # This is needed to do merge window version magic %define patchlevel 12 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 55.39.1%{?buildid}.0.1%{?dist} +%define specrelease 55.39.1%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 6.12.0-55.39.1.el10_0 @@ -716,8 +716,6 @@ Requires: kernel-modules-core-uname-r = %{KVERREL} Provides: installonlypkg(kernel) %endif -Provides: oracle(kernel-sig-key) == 202502 -Conflicts: shim-x64 < 15.8-1.0.6 # # List the packages used during the kernel build @@ -877,6 +875,8 @@ BuildRequires: tpm2-tools %if 0%{?rhel}%{?centos} && !0%{?eln} %if 0%{?centos} BuildRequires: centos-sb-certs >= 9.0-23 +%else +BuildRequires: redhat-sb-certs >= 9.4-0.1 %endif %endif %endif @@ -896,11 +896,42 @@ Source10: redhatsecurebootca5.cer Source13: redhatsecureboot501.cer %if %{signkernel} +# Name of the packaged file containing signing key +%ifarch ppc64le +%define signing_key_filename kernel-signing-ppc.cer +%endif +%ifarch s390x +%define signing_key_filename kernel-signing-s390.cer +%endif +# Fedora/ELN pesign macro expects to see these cert file names, see: +# https://github.com/rhboot/pesign/blob/main/src/pesign-rpmbuild-helper.in#L216 +%if 0%{?fedora}%{?eln} +%define pesign_name_0 redhatsecureboot501 +%define secureboot_ca_0 %{SOURCE10} +%define secureboot_key_0 %{SOURCE13} +%endif + +# RHEL/centos certs come from system-sb-certs +%if 0%{?rhel} && !0%{?eln} %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer -%define pesign_name_0 OracleLinuxSecureBootKey3 +%if 0%{?centos} +%define pesign_name_0 centossecureboot201 +%else +%ifarch x86_64 aarch64 +%define pesign_name_0 redhatsecureboot501 +%endif +%ifarch s390x +%define pesign_name_0 redhatsecureboot302 +%endif +%ifarch ppc64le +%define pesign_name_0 redhatsecureboot701 +%endif +%endif +# rhel && !eln +%endif # signkernel %endif @@ -977,10 +1008,7 @@ Source102: nvidiagpuoot001.x509 Source103: rhelimaca1.x509 Source104: rhelima.x509 Source105: rhelima_centos.x509 -# Oracle Linux IMA CA certificate -Source106: olimaca1.x509 -# Oracle Linux IMA signing certificate -Source107: olima1.x509 +Source106: fedoraimaca.x509 %if 0%{?fedora}%{?eln} %define ima_ca_cert %{SOURCE106} @@ -995,11 +1023,9 @@ Source107: olima1.x509 %define ima_signing_cert %{SOURCE105} %else %define ima_signing_cert %{SOURCE104} -%define ima_signing_cert_ol %{SOURCE107} %endif %define ima_cert_name ima.cer -%define ima_cert_name_ol ima_ol.cer Source200: check-kabi @@ -1064,10 +1090,6 @@ Source4000: README.rst Source4001: rpminspect.yaml Source4002: gating.yaml -# Oracle Linux RHCK Module Signing Key -Source5001: olkmod_signing_key.pem -Source5002: olkmod_signing_key1.pem - ## Patches needed for building this package %if !%{nopatches} @@ -1075,9 +1097,6 @@ Source5002: olkmod_signing_key1.pem Patch1: patch-%{patchversion}-redhat.patch %endif -# Oracle patches -Patch1001: bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch - # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch @@ -1925,8 +1944,6 @@ ApplyOptionalPatch() mv linux-%{tarfile_release} linux-%{KVERREL} cd linux-%{KVERREL} -#removal of git history -rm -rf .git cp -a %{SOURCE1} . %{log_msg "Start of patch applications"} @@ -1935,7 +1952,6 @@ cp -a %{SOURCE1} . ApplyOptionalPatch patch-%{patchversion}-redhat.patch %endif -ApplyPatch bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch ApplyOptionalPatch linux-kernel-test.patch %{log_msg "End of patch applications"} @@ -2048,13 +2064,6 @@ openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem -# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list -openssl x509 -inform der -in %{SOURCE106} -out olimaca1.pem -cat olimaca1.pem >> ../certs/rhel.pem -# Add olkmod_signing_key.pem to the kernel trusted certificates list -cat %{SOURCE5001} >> ../certs/rhel.pem -# Add olkmod_signing_key1.pem to the kernel trusted certificates list -cat %{SOURCE5002} >> ../certs/rhel.pem %if %{signkernel} %ifarch s390x ppc64le openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem @@ -2077,7 +2086,7 @@ done %if 0%{?rhel} %{log_msg "Adjust FIPS module name for RHEL"} for i in *.config; do - sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Oracle Linux 10 Kernel Crypto API Cryptographic Module"/' $i + sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux %{rhel} - Kernel Cryptographic API"/' $i done %endif @@ -2727,11 +2736,8 @@ BuildKernel() { %endif SBAT=$(cat <<- EOF linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com - linux,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com - linux.ol,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com - kernel-uki-virt.ol,1,Oracle Linux,kernel-uki-virt,$KernelVer,mailto:secalert_us@oracle.com EOF ) @@ -2759,7 +2765,6 @@ BuildKernel() { python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} %if %{signkernel} -%if ! %{?oraclelinux} %{log_msg "Sign the EFI UKI kernel"} %if 0%{?fedora}%{?eln} %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} @@ -2787,7 +2792,6 @@ BuildKernel() { done # signkernel -%endif %endif # hmac sign the UKI for FIPS @@ -2963,7 +2967,7 @@ BuildKernel() { # prune junk from kernel-debuginfo find $RPM_BUILD_ROOT/usr/src/kernels -name "*.mod.c" -delete - # UEFI Secure Boot CA cert, which can be used to authenticate the kernel + # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel %{log_msg "Install certs"} mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer %if %{signkernel} @@ -2978,8 +2982,6 @@ BuildKernel() { %if 0%{?rhel} # Red Hat IMA code-signing cert, which is used to authenticate package files install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name} - # Oracle Linux IMA signing cert - install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol} %endif %if %{signmodules} @@ -4314,19 +4316,6 @@ fi\ # # %changelog -* Mon Oct 13 2025 Codrin Pruteanu [6.12.0-55.39.1.0.1.el10_0.OL10] -- nvme-pci: remove two deallocate zeroes quirks [Orabug: 37756650] -- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985782] -- Disable UKI signing [Orabug: 36571828] -- Update Oracle Linux certificates (Kevin Lyons) -- Disable signing for aarch64 (Ilya Okomin) -- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237] -- Update x509.genkey [Orabug: 24817676] -- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9 -- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535] -- Add Oracle Linux IMA certificates -- Update module name for cryptographic module [Orabug: 37400433] - * Sat Oct 04 2025 CKI KWF Bot [6.12.0-55.39.1.el10_0] - wifi: ath12k: Decrement TID on RX peer frag setup error handling (CKI Backport Bot) [RHEL-114712] {CVE-2025-39761} - ALSA: usb-audio: Validate UAC3 power domain descriptors, too (CKI Backport Bot) [RHEL-114695] {CVE-2025-38729} diff --git a/olkmod_signing_key.pem b/olkmod_signing_key.pem deleted file mode 100644 index 7a51daf16..000000000 --- a/olkmod_signing_key.pem +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEETCCAvmgAwIBAgIJANw8y5k9b7SaMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBT -aG9yZXMxGzAZBgNVBAoMEk9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3Jh -Y2xlIExpbnV4MS0wKwYDVQQDDCRPcmFjbGUgTGludXggUkhDSyBNb2R1bGUgU2ln -bmluZyBLZXkwHhcNMTYwNTA5MjMzNjA4WhcNMjYwNTA3MjMzNjA4WjCBnjELMAkG -A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFzAVBgNVBAcMDlJlZHdvb2Qg -U2hvcmVzMRswGQYDVQQKDBJPcmFjbGUgQ29ycG9yYXRpb24xFTATBgNVBAsMDE9y -YWNsZSBMaW51eDEtMCsGA1UEAwwkT3JhY2xlIExpbnV4IFJIQ0sgTW9kdWxlIFNp -Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6bUDNNZ -jIqgsqgspwBIQ18keDxQeGnWgubZZhHrQU3GpeSRPM4lNTHc+UjMjNXrv/CENZdv -4cETRsxT1VFhGG3CvkbQdzc8v4JOQvWSSJqmViPa1eC+yGaMRnGcFXzKsHiTLA4y -WMjpJnVowFkwTzscRBlN0AysUg/hT/74DE0oqVnlCJNynqccNWpx8MtNRD55ay9A -73yJinYES14rXcU3QbJoO0ZxtRz83ZACDUGX0GORT3+NbB0RK0sttogzA3eLvxKw -umWsWZAHmTuHdWgUjSqqZr34VNLPVcsTHAW8X4bq6rRVcB2lMJ3kJfDP8BJyTn99 -37UmA+/ld47cnwIDAQABo1AwTjAdBgNVHQ4EFgQU3ZlbFVwZs6fD73cHuWniX5Y5 -Zm4wHwYDVR0jBBgwFoAU3ZlbFVwZs6fD73cHuWniX5Y5Zm4wDAYDVR0TBAUwAwEB -/zANBgkqhkiG9w0BAQsFAAOCAQEAF7nfhWfsk4uEDquLj7nJE0wPlVvllVDugzOk -R15pnQ7P+HTyz3sLaLJE4N5oWt6pFzDGDYEtPeoMCn1l447tX179Nf5SMZba9ut8 -3Vxbe7jAn9sQO7ArQR1swf1r101Me4+1oHq7rxPRizOOXrKeEvf5NSAUbSzzXfz6 -TEp21KTIQO7MjqpsKshRQbpPeiReaYy3A6gJftun5xekP04QTLZVBR4dL7tvZf0S -y9SjVg158lONXHfjBekyYTzSFBn/7v+AS8S+cAGRfYteE0Syxl7zJt3GUoEWau/e -kXHT+hd/hkdSQKZZWZo1380M1pVZZAvntLRBU6IN9SswafhiVg== ------END CERTIFICATE----- diff --git a/olkmod_signing_key1.pem b/olkmod_signing_key1.pem deleted file mode 100644 index b99afba7a..000000000 --- a/olkmod_signing_key1.pem +++ /dev/null @@ -1,35 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIGBjCCA+6gAwIBAgIUf99zHRXkhhuQepjkXdIfz1kNGiwwDQYJKoZIhvcNAQEL -BQAwgZ4xKTAnBgNVBAMMIE9yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyBDQSAx -MQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRswGQYDVQQKDBJP -cmFjbGUgQ29ycG9yYXRpb24xGzAZBgNVBAsMEk9yYWNsZSBDb3Jwb3JhdGlvbjET -MBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yNTA1MDIwOTIzNDFaFw0zNjA0MTIyMTEw -MjlaMGcxLDAqBgNVBAMMI09yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyAoa2V5 -IDEpMQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRMwEQYDVQQI -DApDYWxpZm9ybmlhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5dMQ -z4EwgCYLrxJCYTn0H5yncdJREDgAgkne3nQAmtJjfcoKNqRxieK5j1KjloF3Qvjt -c5gITvjpne1UrHTodPF9qpJrFieDPb9+CMUGg/R/gk20PofKa5+DhTMyeIEpBOa7 -P6/OdCGiwaGI85Js6JMnNX2YKerehKB44zVfiNmddn7T/3y2QFFNj3VH62tC4XNt -wZLCHnnO0JzOcZht5KA1JsITSLkT6/o//SZLpaNSAQkkanymdvszV5b0PDu4A0Fi -5Ch41Akset2kAlpRoRBaVVdNhqKDyzsGRFyzHD57EyyY4M6H3yh2T6SPPOTUOKgn -tcBfnFuijl2K/d87cnky1v1XzrvZqLzRz11ksLmZrUHZZ3PWfq2EndG8OiO4PdcF -sF4nd20yuUywW4nj5iZT5h6f8P06C62ILe+dJWNzpGm6JgyYvTnHoUXjoQR+TLs/ -WY1l1N2uf3lc5rkof4g+Ckh/6uI1k5XfyHIzw8Z9wEOliUvHXq/8TVZ653IMmfC8 -gIrIMNOXONMdG7ReTnsr9z7ckv/dYKbW1gWtyY8o92N3dLuYb8MpfvCHkVF5ItUR -52ay2wOQ1tDlfLUiU21yiglyW4rKanH6mrLd4mM8cphnPvRpZ9SM0qykwHrNqKOA -m9p0AwIf1zmUL6boX/Xd+6zM2HAXOPMS1EGjA6MCAwEAAaNyMHAwDAYDVR0TAQH/ -BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYE -FDUwOWM0ZjZkYmZjMGUyODhjOGM4MB8GA1UdIwQYMBaAFGM2NDkzM2I4OWUzNTYw -ZmVhNWQzMA0GCSqGSIb3DQEBCwUAA4ICAQAmZbUs5P2HGRHt4W/QhGyfxxa/Go8K -6a1VZlh71OURsbQ42ZDCfrYgw8LtDPqx7ySlUlkjDcc7ZvRh6RzLyn+ARIohhKNH -PpEzIpOGm5P4zqY9R36STRSgCDl9iCNlk8pGKzqEIT+aCaZUWF+7NcFgePFDuN9W -FX5tXhxEqqn8rmvGMQ3ZtodxIJb6ksKz6j/JWnuvcD4EgI1ykyc8MAtIm2/qVmPQ -IofwXo6yL6ygT5K7cMsrte4EbzrHvuhuz89RHDmwmgB6XmZCWBOGYrO7lza2Yx0C -/m4LcUHPW6XgrtkvIcLST90Ng9fp8EQl7Rp3med0K83kdwKUt7Ju9aPze049tuTQ -QoHsIHDgsExK4wXUayHNgNNr8lMFm42gTB2DqP9F/Ihq7YhIdfXbOsVdS38Il9+Y -8RWI87H+0mAxsv2RnaNkEbmd+2vY9j1ebHyblN59mxDEY+h3W7v402ay01Ia2Lnw -szOAPq6AKZdfi0nan6zunurwEGKGeF4+Gr42RlA0Pcu1ZltBQVuMhvkO1wKZ5vO6 -MNR7swI0fH6VsyUms8wQbR85MCJg0MhpzRKw0g0Ka+c4nF1c4EmU4GaIbCNfzJy+ -68wdJDHhX+sbD7+AJBQ9i6TmtbPIGKNDHh9cMIXs+jMRtia/ZCYEsOOO5B+xrawF -JuZ4rgQv9ghmhQ== ------END CERTIFICATE----- diff --git a/sources b/sources index 64e4c489d..e622eeb6b 100644 --- a/sources +++ b/sources @@ -1,3 +1,4 @@ +SHA512 (fedoraimaca.x509) = e04809394f4472c17e86d7024dee34f03fb68e82a85502fd5b00535202c72e57626a8376b2cf991b7e1e46404aa5ab8d189ebf320e0dd37d49e7efbc925c7a2e SHA512 (kernel-abi-stablelists-6.12.0-55.39.1.el10_0.tar.xz) = d494cde20c86e6fcd6e6c5b8abba425ed463d51478afd95defef128220e7c6909723f42949841d8ce62c88cfae27bcb753f833a0701407fd0baf321186eca4e5 SHA512 (kernel-kabi-dw-6.12.0-55.39.1.el10_0.tar.xz) = ae12a2f15f0f025f7601c44b4b0beb1176243aa32ccd96ccbcb5f56c7af18e659fae238d9b4e300a769d71de37e1794c03e19b2d3e10bc107d0f62b30af1293f SHA512 (linux-6.12.0-55.39.1.el10_0.tar.xz) = 833cbec0d6bd205c7677bf0da6af03c9548cb3a842697b63c0fde8fb523b9f07707bd144ae43479d399b97a21ec8b81eaf64f9ee4cea35693a66bb05d65b266b diff --git a/x509.genkey.rhel b/x509.genkey.rhel index 5b7056d65..b1bbe387f 100644 --- a/x509.genkey.rhel +++ b/x509.genkey.rhel @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = Oracle America, Inc.,c=US -CN = Oracle CA Server -emailAddress = support@oracle.com +O = Red Hat +CN = Red Hat Enterprise Linux kernel signing key +emailAddress = secalert@redhat.com [ myexts ] basicConstraints=critical,CA:FALSE