diff --git a/.gitignore b/.gitignore index 46318f345..37256e92b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,6 @@ -fedoraimaca.x509 -kernel-abi-stablelists-6.12.0-124.40.1.el10_1.tar.xz -kernel-kabi-dw-6.12.0-124.40.1.el10_1.tar.xz -linux-6.12.0-124.40.1.el10_1.tar.xz +kernel-abi-stablelists-6.12.0-124.43.1.el10_1.tar.xz +kernel-kabi-dw-6.12.0-124.43.1.el10_1.tar.xz +linux-6.12.0-124.43.1.el10_1.tar.xz nvidiagpuoot001.x509 olima1.x509 olimaca1.x509 diff --git a/Makefile.rhelver b/Makefile.rhelver index 1b4d49c32..70c165ff5 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 1 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 124.40.1 +RHEL_RELEASE = 124.43.1 # # RHEL_REBASE_NUM diff --git a/kernel.changelog b/kernel.changelog index 297383dc1..5997ee26b 100644 --- a/kernel.changelog +++ b/kernel.changelog @@ -1,3 +1,58 @@ +* Tue Mar 03 2026 CKI KWF Bot [6.12.0-124.43.1.el10_1] +- HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save (CKI Backport Bot) [RHEL-142253] {CVE-2025-39818} +- drm/xe: Make dma-fences compliant with the safe access rules (Mika Penttilä) [RHEL-122272] {CVE-2025-38703} +Resolves: RHEL-122272, RHEL-142253 + +* Sat Feb 28 2026 CKI KWF Bot [6.12.0-124.42.1.el10_1] +- dpll: zl3073x: Fix ref frequency setting (Ivan Vecera) [RHEL-139828] +- dpll: Prevent duplicate registrations (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Remove unused dev wrappers (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Cache all output properties in zl3073x_out (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Cache all reference properties in zl3073x_ref (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Cache reference monitor status (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Split ref, out, and synth logic from core (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Store raw register values instead of parsed state (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: fix kernel-doc name and missing parameter in fw.c (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Specify phase adjustment granularity for pins (Ivan Vecera) [RHEL-139828] +- dpll: add phase-adjust-gran pin attribute (Ivan Vecera) [RHEL-139828] +- dpll: fix device-id-get and pin-id-get to return errors properly (Ivan Vecera) [RHEL-139828] +- dpll: spec: add missing module-name and clock-id to pin-get reply (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Allow to configure phase offset averaging factor (Ivan Vecera) [RHEL-139828] +- dpll: add phase_offset_avg_factor_get/set callback ops (Ivan Vecera) [RHEL-139828] +- dpll: add phase-offset-avg-factor device attribute to netlink spec (Ivan Vecera) [RHEL-139828] +- dpll: fix clock quality level reporting (Ivan Vecera) [RHEL-139828] +- dpll: add reference sync get/set (Ivan Vecera) [RHEL-139828] +- dpll: add reference-sync netlink attribute (Ivan Vecera) [RHEL-139828] +- dpll: remove documentation of rclk_dev_name (Ivan Vecera) [RHEL-139828] +- ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (CKI Backport Bot) [RHEL-143548] {CVE-2025-71085} +- usb: core: config: Prevent OOB read in SS endpoint companion parsing (CKI Backport Bot) [RHEL-137370] {CVE-2025-39760} +- sched_ext: Fix scx_kick_pseqs corruption on concurrent scheduler loads (Phil Auld) [RHEL-124637] +- sched_ext: Allocate scx_kick_cpus_pnt_seqs lazily using kvzalloc() (Phil Auld) [RHEL-124637] +Resolves: RHEL-124637, RHEL-137370, RHEL-139828, RHEL-143548 + +* Thu Feb 26 2026 CKI KWF Bot [6.12.0-124.41.1.el10_1] +- vfs: check dentry is still valid in get_link() (Ian Kent) [RHEL-134853] +- efivarfs: fix error propagation in efivar_entry_get() (CKI Backport Bot) [RHEL-150116] {CVE-2026-23156} +- KVM: x86: Apply runtime updates to current CPUID during KVM_SET_CPUID{,2} (Igor Mammedov) [RHEL-148458] +- printk: Use console_is_usable on console_unblank (CKI Backport Bot) [RHEL-148303] +- printk: Avoid irq_work for printk_deferred() on suspend (CKI Backport Bot) [RHEL-148303] +- printk: Avoid scheduling irq_work on suspend (CKI Backport Bot) [RHEL-148303] +- printk: Allow printk_trigger_flush() to flush all types (CKI Backport Bot) [RHEL-148303] +- printk: Check CON_SUSPEND when unblanking a console (CKI Backport Bot) [RHEL-148303] +- printk: nbcon: Allow reacquire during panic (CKI Backport Bot) [RHEL-148303] +- migrate: correct lock ordering for hugetlb file folios (Luiz Capitulino) [RHEL-147270] {CVE-2026-23097} +- io_uring/sqpoll: don't put task_struct on tctx setup failure (Jeff Moyer) [RHEL-137992] +- io_uring: consistently use rcu semantics with sqpoll thread (Jeff Moyer) [RHEL-137992] +- io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() (Jeff Moyer) [RHEL-137992] {CVE-2025-38106} +- io_uring/sqpoll: fix sqpoll error handling races (Jeff Moyer) [RHEL-137992] +- gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify() (CKI Backport Bot) [RHEL-145597] {CVE-2025-40249} +- gpio: cdev: make sure the cdev fd is still active before emitting events (CKI Backport Bot) [RHEL-145597] {CVE-2025-40249} +- macvlan: fix possible UAF in macvlan_forward_source() (CKI Backport Bot) [RHEL-144128] {CVE-2026-23001} +- dm: use READ_ONCE in dm_blk_report_zones (Benjamin Marzinski) [RHEL-137953] +- dm: fix unlocked test for dm_suspended_md (Benjamin Marzinski) [RHEL-137953] +- dm: fix dm_blk_report_zones (CKI Backport Bot) [RHEL-137953] {CVE-2025-38141} +Resolves: RHEL-134853, RHEL-137953, RHEL-137992, RHEL-144128, RHEL-145597, RHEL-147270, RHEL-148303, RHEL-148458, RHEL-150116 + * Thu Feb 19 2026 CKI KWF Bot [6.12.0-124.40.1.el10_1] - s390/mm: Fix __ptep_rdp() inline assembly (Mete Durlu) [RHEL-143715] - ice: PTP: fix missing timestamps on E825 hardware (CKI Backport Bot) [RHEL-148168] diff --git a/kernel.spec b/kernel.spec index ac346a73b..b0748c927 100644 --- a/kernel.spec +++ b/kernel.spec @@ -98,7 +98,7 @@ Summary: The Linux kernel %if 0%{?fedora} %define secure_boot_arch x86_64 %else -%define secure_boot_arch x86_64 aarch64 s390x ppc64le +%define secure_boot_arch x86_64 s390x ppc64le %endif # Signing for secure boot authentication @@ -176,15 +176,15 @@ Summary: The Linux kernel %define specrpmversion 6.12.0 %define specversion 6.12.0 %define patchversion 6.12 -%define pkgrelease 124.40.1 +%define pkgrelease 124.43.1 %define kversion 6 -%define tarfile_release 6.12.0-124.40.1.el10_1 +%define tarfile_release 6.12.0-124.43.1.el10_1 # This is needed to do merge window version magic %define patchlevel 12 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 124.40.1%{?buildid}%{?dist} +%define specrelease 124.43.1%{?buildid}%{?dist} # This defines the kabi tarball version -%define kabiversion 6.12.0-124.40.1.el10_1 +%define kabiversion 6.12.0-124.43.1.el10_1 # If this variable is set to 1, a bpf selftests build failure will cause a # fatal kernel package build error @@ -717,6 +717,8 @@ Requires: ((%{name}-modules-extra-uname-r = %{KVERREL}) if %{name}-modules-extra Provides: installonlypkg(kernel) %endif +Provides: oracle(kernel-sig-key) == 202502 +Conflicts: shim-x64 < 15.8-1.0.6 # # List the packages used during the kernel build @@ -881,8 +883,6 @@ BuildRequires: tpm2-tools %if 0%{?rhel}%{?centos} && !0%{?eln} %if 0%{?centos} BuildRequires: centos-sb-certs >= 9.0-23 -%else -BuildRequires: redhat-sb-certs >= 9.4-0.1 %endif %endif %endif @@ -902,42 +902,11 @@ Source10: redhatsecurebootca5.cer Source13: redhatsecureboot501.cer %if %{signkernel} -# Name of the packaged file containing signing key -%ifarch ppc64le -%define signing_key_filename kernel-signing-ppc.cer -%endif -%ifarch s390x -%define signing_key_filename kernel-signing-s390.cer -%endif -# Fedora/ELN pesign macro expects to see these cert file names, see: -# https://github.com/rhboot/pesign/blob/main/src/pesign-rpmbuild-helper.in#L216 -%if 0%{?fedora}%{?eln} -%define pesign_name_0 redhatsecureboot501 -%define secureboot_ca_0 %{SOURCE10} -%define secureboot_key_0 %{SOURCE13} -%endif - -# RHEL/centos certs come from system-sb-certs -%if 0%{?rhel} && !0%{?eln} %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer -%if 0%{?centos} -%define pesign_name_0 centossecureboot201 -%else -%ifarch x86_64 aarch64 -%define pesign_name_0 redhatsecureboot801 -%endif -%ifarch s390x -%define pesign_name_0 redhatsecureboot302 -%endif -%ifarch ppc64le -%define pesign_name_0 redhatsecureboot701 -%endif -%endif -# rhel && !eln -%endif +%define pesign_name_0 OracleLinuxSecureBootKey3 # signkernel %endif @@ -1018,7 +987,10 @@ Source102: nvidiagpuoot001.x509 Source103: rhelimaca1.x509 Source104: rhelima.x509 Source105: rhelima_centos.x509 -Source106: fedoraimaca.x509 +# Oracle Linux IMA CA certificate +Source106: olimaca1.x509 +# Oracle Linux IMA signing certificate +Source107: olima1.x509 %if 0%{?fedora}%{?eln} %define ima_ca_cert %{SOURCE106} @@ -1033,9 +1005,11 @@ Source106: fedoraimaca.x509 %define ima_signing_cert %{SOURCE105} %else %define ima_signing_cert %{SOURCE104} +%define ima_signing_cert_ol %{SOURCE107} %endif %define ima_cert_name ima.cer +%define ima_cert_name_ol ima_ol.cer Source200: check-kabi @@ -1106,6 +1080,10 @@ Source4000: README.rst Source4001: rpminspect.yaml Source4002: gating.yaml +# Oracle Linux RHCK Module Signing Key +Source5001: olkmod_signing_key.pem +Source5002: olkmod_signing_key1.pem + ## Patches needed for building this package %if !%{nopatches} @@ -1953,6 +1931,8 @@ ApplyOptionalPatch() mv linux-%{tarfile_release} linux-%{KVERREL} cd linux-%{KVERREL} +#removal of git history +rm -rf .git cp -a %{SOURCE1} . %{log_msg "Start of patch applications"} @@ -2079,6 +2059,13 @@ openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem >> ../certs/rhel.pem +# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list +openssl x509 -inform der -in %{SOURCE106} -out olimaca1.pem +cat olimaca1.pem >> ../certs/rhel.pem +# Add olkmod_signing_key.pem to the kernel trusted certificates list +cat %{SOURCE5001} >> ../certs/rhel.pem +# Add olkmod_signing_key1.pem to the kernel trusted certificates list +cat %{SOURCE5002} >> ../certs/rhel.pem # rhelkeys %endif %if %{signkernel} @@ -2103,7 +2090,7 @@ done %if 0%{?rhel} %{log_msg "Adjust FIPS module name for RHEL"} for i in *.config; do - sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux %{rhel} - Kernel Cryptographic API"/' $i + sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Oracle Linux 10 Kernel Crypto API Cryptographic Module"/' $i done %endif @@ -2756,6 +2743,22 @@ BuildKernel() { SBATsuffix="rhel" %endif %endif + SBAT=$(cat <<- EOF + linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com + linux,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com + linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com + linux.ol,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com + kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com + kernel-uki-virt.ol,1,Oracle Linux,kernel-uki-virt,$KernelVer,mailto:secalert_us@oracle.com + EOF + ) + + ADDONS_SBAT=$(cat <<- EOF + sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md + kernel-uki-virt-addons.$SBATsuffix,1,Red Hat,kernel-uki-virt-addons,$KernelVer,mailto:secalert@redhat.com + EOF + ) + KernelUnifiedImageDir="$RPM_BUILD_ROOT/lib/modules/$KernelVer" KernelUnifiedImage="$KernelUnifiedImageDir/$InstallName-virt.efi" KernelUnifiedInitrd="$KernelUnifiedImageDir/$InstallName-virt.img" @@ -2782,6 +2785,7 @@ BuildKernel() { python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} @uki-addons.sbat %if %{signkernel} +%if ! %{?oraclelinux} %{log_msg "Sign the EFI UKI kernel"} %if 0%{?fedora}%{?eln} %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} @@ -2813,6 +2817,7 @@ BuildKernel() { cp -a $UKI_secureboot_cert $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/secureboot-uki-%{_arch}.cer # signkernel +%endif %endif # hmac sign the UKI for FIPS @@ -2979,7 +2984,7 @@ BuildKernel() { # prune junk from kernel-debuginfo find $RPM_BUILD_ROOT/usr/src/kernels -name "*.mod.c" -delete - # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel + # UEFI Secure Boot CA cert, which can be used to authenticate the kernel %{log_msg "Install certs"} mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer %if %{signkernel} @@ -2994,6 +2999,8 @@ BuildKernel() { %if 0%{?rhel} # Red Hat IMA code-signing cert, which is used to authenticate package files install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name} + # Oracle Linux IMA signing cert + install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol} %endif %if %{signmodules} @@ -4349,6 +4356,71 @@ fi\ # # %changelog +* Mon Mar 09 2026 EL Errata [6.12.0-124.43.1.el10_1.OL10] +- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985782] +- Disable UKI signing [Orabug: 36571828] +- Update Oracle Linux certificates (Kevin Lyons) +- Disable signing for aarch64 (Ilya Okomin) +- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237] +- Update x509.genkey [Orabug: 24817676] +- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9 +- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535] +- Add Oracle Linux IMA certificates +- Update module name for cryptographic module [Orabug: 37400433] +- Clean git history at setup stage + +* Tue Mar 03 2026 CKI KWF Bot [6.12.0-124.43.1.el10_1] +- HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save (CKI Backport Bot) [RHEL-142253] {CVE-2025-39818} +- drm/xe: Make dma-fences compliant with the safe access rules (Mika Penttilä) [RHEL-122272] {CVE-2025-38703} + +* Sat Feb 28 2026 CKI KWF Bot [6.12.0-124.42.1.el10_1] +- dpll: zl3073x: Fix ref frequency setting (Ivan Vecera) [RHEL-139828] +- dpll: Prevent duplicate registrations (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Remove unused dev wrappers (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Cache all output properties in zl3073x_out (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Cache all reference properties in zl3073x_ref (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Cache reference monitor status (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Split ref, out, and synth logic from core (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Store raw register values instead of parsed state (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: fix kernel-doc name and missing parameter in fw.c (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Specify phase adjustment granularity for pins (Ivan Vecera) [RHEL-139828] +- dpll: add phase-adjust-gran pin attribute (Ivan Vecera) [RHEL-139828] +- dpll: fix device-id-get and pin-id-get to return errors properly (Ivan Vecera) [RHEL-139828] +- dpll: spec: add missing module-name and clock-id to pin-get reply (Ivan Vecera) [RHEL-139828] +- dpll: zl3073x: Allow to configure phase offset averaging factor (Ivan Vecera) [RHEL-139828] +- dpll: add phase_offset_avg_factor_get/set callback ops (Ivan Vecera) [RHEL-139828] +- dpll: add phase-offset-avg-factor device attribute to netlink spec (Ivan Vecera) [RHEL-139828] +- dpll: fix clock quality level reporting (Ivan Vecera) [RHEL-139828] +- dpll: add reference sync get/set (Ivan Vecera) [RHEL-139828] +- dpll: add reference-sync netlink attribute (Ivan Vecera) [RHEL-139828] +- dpll: remove documentation of rclk_dev_name (Ivan Vecera) [RHEL-139828] +- ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (CKI Backport Bot) [RHEL-143548] {CVE-2025-71085} +- usb: core: config: Prevent OOB read in SS endpoint companion parsing (CKI Backport Bot) [RHEL-137370] {CVE-2025-39760} +- sched_ext: Fix scx_kick_pseqs corruption on concurrent scheduler loads (Phil Auld) [RHEL-124637] +- sched_ext: Allocate scx_kick_cpus_pnt_seqs lazily using kvzalloc() (Phil Auld) [RHEL-124637] + +* Thu Feb 26 2026 CKI KWF Bot [6.12.0-124.41.1.el10_1] +- vfs: check dentry is still valid in get_link() (Ian Kent) [RHEL-134853] +- efivarfs: fix error propagation in efivar_entry_get() (CKI Backport Bot) [RHEL-150116] {CVE-2026-23156} +- KVM: x86: Apply runtime updates to current CPUID during KVM_SET_CPUID{,2} (Igor Mammedov) [RHEL-148458] +- printk: Use console_is_usable on console_unblank (CKI Backport Bot) [RHEL-148303] +- printk: Avoid irq_work for printk_deferred() on suspend (CKI Backport Bot) [RHEL-148303] +- printk: Avoid scheduling irq_work on suspend (CKI Backport Bot) [RHEL-148303] +- printk: Allow printk_trigger_flush() to flush all types (CKI Backport Bot) [RHEL-148303] +- printk: Check CON_SUSPEND when unblanking a console (CKI Backport Bot) [RHEL-148303] +- printk: nbcon: Allow reacquire during panic (CKI Backport Bot) [RHEL-148303] +- migrate: correct lock ordering for hugetlb file folios (Luiz Capitulino) [RHEL-147270] {CVE-2026-23097} +- io_uring/sqpoll: don't put task_struct on tctx setup failure (Jeff Moyer) [RHEL-137992] +- io_uring: consistently use rcu semantics with sqpoll thread (Jeff Moyer) [RHEL-137992] +- io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() (Jeff Moyer) [RHEL-137992] {CVE-2025-38106} +- io_uring/sqpoll: fix sqpoll error handling races (Jeff Moyer) [RHEL-137992] +- gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify() (CKI Backport Bot) [RHEL-145597] {CVE-2025-40249} +- gpio: cdev: make sure the cdev fd is still active before emitting events (CKI Backport Bot) [RHEL-145597] {CVE-2025-40249} +- macvlan: fix possible UAF in macvlan_forward_source() (CKI Backport Bot) [RHEL-144128] {CVE-2026-23001} +- dm: use READ_ONCE in dm_blk_report_zones (Benjamin Marzinski) [RHEL-137953] +- dm: fix unlocked test for dm_suspended_md (Benjamin Marzinski) [RHEL-137953] +- dm: fix dm_blk_report_zones (CKI Backport Bot) [RHEL-137953] {CVE-2025-38141} + * Thu Feb 19 2026 CKI KWF Bot [6.12.0-124.40.1.el10_1] - s390/mm: Fix __ptep_rdp() inline assembly (Mete Durlu) [RHEL-143715] - ice: PTP: fix missing timestamps on E825 hardware (CKI Backport Bot) [RHEL-148168] diff --git a/olkmod_signing_key.pem b/olkmod_signing_key.pem new file mode 100644 index 000000000..7a51daf16 --- /dev/null +++ b/olkmod_signing_key.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEETCCAvmgAwIBAgIJANw8y5k9b7SaMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBT +aG9yZXMxGzAZBgNVBAoMEk9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3Jh +Y2xlIExpbnV4MS0wKwYDVQQDDCRPcmFjbGUgTGludXggUkhDSyBNb2R1bGUgU2ln +bmluZyBLZXkwHhcNMTYwNTA5MjMzNjA4WhcNMjYwNTA3MjMzNjA4WjCBnjELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFzAVBgNVBAcMDlJlZHdvb2Qg +U2hvcmVzMRswGQYDVQQKDBJPcmFjbGUgQ29ycG9yYXRpb24xFTATBgNVBAsMDE9y +YWNsZSBMaW51eDEtMCsGA1UEAwwkT3JhY2xlIExpbnV4IFJIQ0sgTW9kdWxlIFNp +Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6bUDNNZ +jIqgsqgspwBIQ18keDxQeGnWgubZZhHrQU3GpeSRPM4lNTHc+UjMjNXrv/CENZdv +4cETRsxT1VFhGG3CvkbQdzc8v4JOQvWSSJqmViPa1eC+yGaMRnGcFXzKsHiTLA4y +WMjpJnVowFkwTzscRBlN0AysUg/hT/74DE0oqVnlCJNynqccNWpx8MtNRD55ay9A +73yJinYES14rXcU3QbJoO0ZxtRz83ZACDUGX0GORT3+NbB0RK0sttogzA3eLvxKw +umWsWZAHmTuHdWgUjSqqZr34VNLPVcsTHAW8X4bq6rRVcB2lMJ3kJfDP8BJyTn99 +37UmA+/ld47cnwIDAQABo1AwTjAdBgNVHQ4EFgQU3ZlbFVwZs6fD73cHuWniX5Y5 +Zm4wHwYDVR0jBBgwFoAU3ZlbFVwZs6fD73cHuWniX5Y5Zm4wDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEAF7nfhWfsk4uEDquLj7nJE0wPlVvllVDugzOk +R15pnQ7P+HTyz3sLaLJE4N5oWt6pFzDGDYEtPeoMCn1l447tX179Nf5SMZba9ut8 +3Vxbe7jAn9sQO7ArQR1swf1r101Me4+1oHq7rxPRizOOXrKeEvf5NSAUbSzzXfz6 +TEp21KTIQO7MjqpsKshRQbpPeiReaYy3A6gJftun5xekP04QTLZVBR4dL7tvZf0S +y9SjVg158lONXHfjBekyYTzSFBn/7v+AS8S+cAGRfYteE0Syxl7zJt3GUoEWau/e +kXHT+hd/hkdSQKZZWZo1380M1pVZZAvntLRBU6IN9SswafhiVg== +-----END CERTIFICATE----- diff --git a/olkmod_signing_key1.pem b/olkmod_signing_key1.pem new file mode 100644 index 000000000..b99afba7a --- /dev/null +++ b/olkmod_signing_key1.pem @@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGBjCCA+6gAwIBAgIUf99zHRXkhhuQepjkXdIfz1kNGiwwDQYJKoZIhvcNAQEL +BQAwgZ4xKTAnBgNVBAMMIE9yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyBDQSAx +MQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRswGQYDVQQKDBJP +cmFjbGUgQ29ycG9yYXRpb24xGzAZBgNVBAsMEk9yYWNsZSBDb3Jwb3JhdGlvbjET +MBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yNTA1MDIwOTIzNDFaFw0zNjA0MTIyMTEw +MjlaMGcxLDAqBgNVBAMMI09yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyAoa2V5 +IDEpMQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRMwEQYDVQQI +DApDYWxpZm9ybmlhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5dMQ +z4EwgCYLrxJCYTn0H5yncdJREDgAgkne3nQAmtJjfcoKNqRxieK5j1KjloF3Qvjt +c5gITvjpne1UrHTodPF9qpJrFieDPb9+CMUGg/R/gk20PofKa5+DhTMyeIEpBOa7 +P6/OdCGiwaGI85Js6JMnNX2YKerehKB44zVfiNmddn7T/3y2QFFNj3VH62tC4XNt +wZLCHnnO0JzOcZht5KA1JsITSLkT6/o//SZLpaNSAQkkanymdvszV5b0PDu4A0Fi +5Ch41Akset2kAlpRoRBaVVdNhqKDyzsGRFyzHD57EyyY4M6H3yh2T6SPPOTUOKgn +tcBfnFuijl2K/d87cnky1v1XzrvZqLzRz11ksLmZrUHZZ3PWfq2EndG8OiO4PdcF +sF4nd20yuUywW4nj5iZT5h6f8P06C62ILe+dJWNzpGm6JgyYvTnHoUXjoQR+TLs/ +WY1l1N2uf3lc5rkof4g+Ckh/6uI1k5XfyHIzw8Z9wEOliUvHXq/8TVZ653IMmfC8 +gIrIMNOXONMdG7ReTnsr9z7ckv/dYKbW1gWtyY8o92N3dLuYb8MpfvCHkVF5ItUR +52ay2wOQ1tDlfLUiU21yiglyW4rKanH6mrLd4mM8cphnPvRpZ9SM0qykwHrNqKOA +m9p0AwIf1zmUL6boX/Xd+6zM2HAXOPMS1EGjA6MCAwEAAaNyMHAwDAYDVR0TAQH/ +BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYE +FDUwOWM0ZjZkYmZjMGUyODhjOGM4MB8GA1UdIwQYMBaAFGM2NDkzM2I4OWUzNTYw +ZmVhNWQzMA0GCSqGSIb3DQEBCwUAA4ICAQAmZbUs5P2HGRHt4W/QhGyfxxa/Go8K +6a1VZlh71OURsbQ42ZDCfrYgw8LtDPqx7ySlUlkjDcc7ZvRh6RzLyn+ARIohhKNH +PpEzIpOGm5P4zqY9R36STRSgCDl9iCNlk8pGKzqEIT+aCaZUWF+7NcFgePFDuN9W +FX5tXhxEqqn8rmvGMQ3ZtodxIJb6ksKz6j/JWnuvcD4EgI1ykyc8MAtIm2/qVmPQ +IofwXo6yL6ygT5K7cMsrte4EbzrHvuhuz89RHDmwmgB6XmZCWBOGYrO7lza2Yx0C +/m4LcUHPW6XgrtkvIcLST90Ng9fp8EQl7Rp3med0K83kdwKUt7Ju9aPze049tuTQ +QoHsIHDgsExK4wXUayHNgNNr8lMFm42gTB2DqP9F/Ihq7YhIdfXbOsVdS38Il9+Y +8RWI87H+0mAxsv2RnaNkEbmd+2vY9j1ebHyblN59mxDEY+h3W7v402ay01Ia2Lnw +szOAPq6AKZdfi0nan6zunurwEGKGeF4+Gr42RlA0Pcu1ZltBQVuMhvkO1wKZ5vO6 +MNR7swI0fH6VsyUms8wQbR85MCJg0MhpzRKw0g0Ka+c4nF1c4EmU4GaIbCNfzJy+ +68wdJDHhX+sbD7+AJBQ9i6TmtbPIGKNDHh9cMIXs+jMRtia/ZCYEsOOO5B+xrawF +JuZ4rgQv9ghmhQ== +-----END CERTIFICATE----- diff --git a/sources b/sources index ce331786e..12df13904 100644 --- a/sources +++ b/sources @@ -1,7 +1,6 @@ -SHA512 (fedoraimaca.x509) = e04809394f4472c17e86d7024dee34f03fb68e82a85502fd5b00535202c72e57626a8376b2cf991b7e1e46404aa5ab8d189ebf320e0dd37d49e7efbc925c7a2e -SHA512 (kernel-abi-stablelists-6.12.0-124.40.1.el10_1.tar.xz) = d38ae1f4fbc65de04993b390fc30e3d0886c3056cb12e7f473b532d51e71864c7a7dc93cae0acbde3947b91462773341146006ac9f2a68b933182fb69d75e9bf -SHA512 (kernel-kabi-dw-6.12.0-124.40.1.el10_1.tar.xz) = 44327a65368b4173457684126017f988dc09af51b8d558d1c9a98f9a9300bfe3f7c4be9985d6e9eb1f21a6b49e3b2f328a206df7671925fa00ccbccd7546ec5e -SHA512 (linux-6.12.0-124.40.1.el10_1.tar.xz) = 49193e3cb7c7a7f39f4e7bc986da6cee4f0e3c47d1f195e8e121bf76556b9490006cdfa8ef8bf732c5142ea3b96043007d101359c3b70d083e621c5477714631 +SHA512 (kernel-abi-stablelists-6.12.0-124.43.1.el10_1.tar.xz) = 45d7bb44b76bf664ccb5c3f92a0f1ff27f8b3cd87dc7115cec1c7c151ecc6e5b09afc1394688ec6b9ec3e748d0b22da7e47beee254270ff4f321da4db98f4ac5 +SHA512 (kernel-kabi-dw-6.12.0-124.43.1.el10_1.tar.xz) = 363fa86a8b4843aeda79e2b7e2cf2c25d5b1799b55aa36f320cfe165abddc58b1bab7cbe98d4335c86d6e3dc4dfe90fb8a34e54e1d402868012cf9acb0c4dbf1 +SHA512 (linux-6.12.0-124.43.1.el10_1.tar.xz) = 0b0bd034f7993b71507571574a46cc5555f03db44bf33e61ad3ec46b989e7d8be259704cbb40f715b499b76e039fa6e1aa9bdd7265bf7e8b851f9939501ebc84 SHA512 (nvidiagpuoot001.x509) = b42f836e1cfa07890cb6ca13de9c3950e306c9ec7686c4c09f050bb68869f5d82962b2cd5f3aa0eb7a0f3a3ae54e9c480eafbac5df53aa92c295ff511a8c59fe SHA512 (olima1.x509) = 123c26c1d698cc8523845c6e1103b9c72abf855acd225d37baf1f3388a47f912166d6d786fb367fe46de39e011b586ad7f3963aa2e8923da30a6ea9ae0d76ad3 SHA512 (olimaca1.x509) = 3a779415fad29d6f7250ec97ab1f0a5eb62c351b724feee06b22e17f065bf74a558f32cc524d3222c4485635ae5b9cd5287855c94010fe743b51a4d954340c4c diff --git a/x509.genkey.rhel b/x509.genkey.rhel index b1bbe387f..5b7056d65 100644 --- a/x509.genkey.rhel +++ b/x509.genkey.rhel @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = Red Hat -CN = Red Hat Enterprise Linux kernel signing key -emailAddress = secalert@redhat.com +O = Oracle America, Inc.,c=US +CN = Oracle CA Server +emailAddress = support@oracle.com [ myexts ] basicConstraints=critical,CA:FALSE