diff --git a/.gitignore b/.gitignore
index bb5e4e1b0..8fc9ac237 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,7 @@
 fedoraimaca.x509
-kernel-abi-stablelists-6.12.0-55.42.1.el10_0.tar.xz
-kernel-kabi-dw-6.12.0-55.42.1.el10_0.tar.xz
-linux-6.12.0-55.42.1.el10_0.tar.xz
+kernel-abi-stablelists-6.12.0-55.43.1.el10_0.tar.xz
+kernel-kabi-dw-6.12.0-55.43.1.el10_0.tar.xz
+linux-6.12.0-55.43.1.el10_0.tar.xz
 nvidiagpuoot001.x509
 olima1.x509
 olimaca1.x509
diff --git a/Makefile.rhelver b/Makefile.rhelver
index b1ab65e86..4695070ff 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 0
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 55.42.1
+RHEL_RELEASE = 55.43.1
 
 #
 # RHEL_REBASE_NUM
diff --git a/bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch b/bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch
new file mode 100644
index 000000000..79ea68fe1
--- /dev/null
+++ b/bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch
@@ -0,0 +1,44 @@
+From b0de5456e201c475d6a860ceeb3ed8ee2923695a Mon Sep 17 00:00:00 2001
+From: Keith Busch <kbusch@kernel.org>
+Date: Mon, 2 Dec 2024 09:45:48 -0800
+Subject: [PATCH] nvme-pci: remove two deallocate zeroes quirks
+
+The quirk was initially used as a signal to set the discard_zeroes_data
+queue limit because there were some use cases that relied on that
+behavior. The queue limit no longer exists as every user of it has been
+converted to use the write zeroes operation instead.
+
+The quirk now means to use a discard command as an alias to a write
+zeroes request. Two of the devices previously using the quirk support
+the write zeroes command directly, so these don't need or want to use
+discard when the desired operation is to write zeroes.
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+
+Orabug: 37756650
+
+Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
+Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
+---
+ drivers/nvme/host/pci.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 4c644bb7f06927..9535e35ef18a56 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3588,12 +3588,10 @@ static const struct pci_device_id nvme_id_table[] = {
+ 				NVME_QUIRK_DEALLOCATE_ZEROES, },
+ 	{ PCI_VDEVICE(INTEL, 0x0a54),	/* Intel P4500/P4600 */
+ 		.driver_data = NVME_QUIRK_STRIPE_SIZE |
+-				NVME_QUIRK_DEALLOCATE_ZEROES |
+ 				NVME_QUIRK_IGNORE_DEV_SUBNQN |
+ 				NVME_QUIRK_BOGUS_NID, },
+ 	{ PCI_VDEVICE(INTEL, 0x0a55),	/* Dell Express Flash P4600 */
+-		.driver_data = NVME_QUIRK_STRIPE_SIZE |
+-				NVME_QUIRK_DEALLOCATE_ZEROES, },
++		.driver_data = NVME_QUIRK_STRIPE_SIZE, },
+ 	{ PCI_VDEVICE(INTEL, 0xf1a5),	/* Intel 600P/P3100 */
+ 		.driver_data = NVME_QUIRK_NO_DEEPEST_PS |
+ 				NVME_QUIRK_MEDIUM_PRIO_SQ |
diff --git a/kernel-aarch64-64k-debug-rhel.config b/kernel-aarch64-64k-debug-rhel.config
index c6653002f..a50777711 100644
--- a/kernel-aarch64-64k-debug-rhel.config
+++ b/kernel-aarch64-64k-debug-rhel.config
@@ -4771,7 +4771,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-aarch64-64k-rhel.config b/kernel-aarch64-64k-rhel.config
index 36c211bd6..4379d9679 100644
--- a/kernel-aarch64-64k-rhel.config
+++ b/kernel-aarch64-64k-rhel.config
@@ -4750,7 +4750,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-aarch64-automotive-debug-rhel.config b/kernel-aarch64-automotive-debug-rhel.config
index 3832276e9..14d083a21 100644
--- a/kernel-aarch64-automotive-debug-rhel.config
+++ b/kernel-aarch64-automotive-debug-rhel.config
@@ -5058,7 +5058,8 @@ CONFIG_OVERLAY_FS=y
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-aarch64-automotive-rhel.config b/kernel-aarch64-automotive-rhel.config
index 16987dd26..ba4eeabe9 100644
--- a/kernel-aarch64-automotive-rhel.config
+++ b/kernel-aarch64-automotive-rhel.config
@@ -5037,7 +5037,8 @@ CONFIG_OVERLAY_FS=y
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-aarch64-debug-rhel.config b/kernel-aarch64-debug-rhel.config
index 8c3c32176..8511fb25b 100644
--- a/kernel-aarch64-debug-rhel.config
+++ b/kernel-aarch64-debug-rhel.config
@@ -4768,7 +4768,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-aarch64-rhel.config b/kernel-aarch64-rhel.config
index ac8f2bf8b..6b9355222 100644
--- a/kernel-aarch64-rhel.config
+++ b/kernel-aarch64-rhel.config
@@ -4747,7 +4747,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-aarch64-rt-64k-debug-rhel.config b/kernel-aarch64-rt-64k-debug-rhel.config
index 64607c40c..adb2b0898 100644
--- a/kernel-aarch64-rt-64k-debug-rhel.config
+++ b/kernel-aarch64-rt-64k-debug-rhel.config
@@ -4812,7 +4812,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-aarch64-rt-64k-rhel.config b/kernel-aarch64-rt-64k-rhel.config
index ec6fff109..448df5339 100644
--- a/kernel-aarch64-rt-64k-rhel.config
+++ b/kernel-aarch64-rt-64k-rhel.config
@@ -4791,7 +4791,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-aarch64-rt-debug-rhel.config b/kernel-aarch64-rt-debug-rhel.config
index 318cb6927..54ead5dd1 100644
--- a/kernel-aarch64-rt-debug-rhel.config
+++ b/kernel-aarch64-rt-debug-rhel.config
@@ -4809,7 +4809,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-aarch64-rt-rhel.config b/kernel-aarch64-rt-rhel.config
index f4868982f..a65704513 100644
--- a/kernel-aarch64-rt-rhel.config
+++ b/kernel-aarch64-rt-rhel.config
@@ -4788,7 +4788,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-ppc64le-debug-rhel.config b/kernel-ppc64le-debug-rhel.config
index 9415dc192..ffc92f0fd 100644
--- a/kernel-ppc64le-debug-rhel.config
+++ b/kernel-ppc64le-debug-rhel.config
@@ -4382,7 +4382,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-ppc64le-rhel.config b/kernel-ppc64le-rhel.config
index 954fe4fde..c373e68cc 100644
--- a/kernel-ppc64le-rhel.config
+++ b/kernel-ppc64le-rhel.config
@@ -4362,7 +4362,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-s390x-debug-rhel.config b/kernel-s390x-debug-rhel.config
index ab7e78f40..cbbf6d453 100644
--- a/kernel-s390x-debug-rhel.config
+++ b/kernel-s390x-debug-rhel.config
@@ -4358,7 +4358,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PACK_STACK=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
diff --git a/kernel-s390x-rhel.config b/kernel-s390x-rhel.config
index afe9ac4f5..9a3ff02a3 100644
--- a/kernel-s390x-rhel.config
+++ b/kernel-s390x-rhel.config
@@ -4338,7 +4338,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PACK_STACK=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
diff --git a/kernel-s390x-zfcpdump-rhel.config b/kernel-s390x-zfcpdump-rhel.config
index c5471088d..82bfc1575 100644
--- a/kernel-s390x-zfcpdump-rhel.config
+++ b/kernel-s390x-zfcpdump-rhel.config
@@ -4349,7 +4349,8 @@ CONFIG_OVERFLOW_KUNIT_TEST=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 # CONFIG_PACKET is not set
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PACK_STACK=y
 # CONFIG_PAGE_EXTENSION is not set
 # CONFIG_PAGE_OWNER is not set
diff --git a/kernel-x86_64-automotive-debug-rhel.config b/kernel-x86_64-automotive-debug-rhel.config
index 3446846f4..0c6ab2d52 100644
--- a/kernel-x86_64-automotive-debug-rhel.config
+++ b/kernel-x86_64-automotive-debug-rhel.config
@@ -3877,6 +3877,7 @@ CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y
 CONFIG_MITIGATION_GDS=y
 CONFIG_MITIGATION_IBPB_ENTRY=y
 CONFIG_MITIGATION_IBRS_ENTRY=y
+CONFIG_MITIGATION_ITS=y
 CONFIG_MITIGATION_L1TF=y
 CONFIG_MITIGATION_MDS=y
 CONFIG_MITIGATION_MMIO_STALE_DATA=y
@@ -4781,7 +4782,8 @@ CONFIG_OVERLAY_FS=y
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-x86_64-automotive-rhel.config b/kernel-x86_64-automotive-rhel.config
index 3c291505f..3826436c6 100644
--- a/kernel-x86_64-automotive-rhel.config
+++ b/kernel-x86_64-automotive-rhel.config
@@ -3857,6 +3857,7 @@ CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y
 CONFIG_MITIGATION_GDS=y
 CONFIG_MITIGATION_IBPB_ENTRY=y
 CONFIG_MITIGATION_IBRS_ENTRY=y
+CONFIG_MITIGATION_ITS=y
 CONFIG_MITIGATION_L1TF=y
 CONFIG_MITIGATION_MDS=y
 CONFIG_MITIGATION_MMIO_STALE_DATA=y
@@ -4761,7 +4762,8 @@ CONFIG_OVERLAY_FS=y
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-x86_64-debug-rhel.config b/kernel-x86_64-debug-rhel.config
index 16a1024b4..0998ea3ca 100644
--- a/kernel-x86_64-debug-rhel.config
+++ b/kernel-x86_64-debug-rhel.config
@@ -3763,6 +3763,7 @@ CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y
 CONFIG_MITIGATION_GDS=y
 CONFIG_MITIGATION_IBPB_ENTRY=y
 CONFIG_MITIGATION_IBRS_ENTRY=y
+CONFIG_MITIGATION_ITS=y
 CONFIG_MITIGATION_L1TF=y
 CONFIG_MITIGATION_MDS=y
 CONFIG_MITIGATION_MMIO_STALE_DATA=y
@@ -4645,7 +4646,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-x86_64-rhel.config b/kernel-x86_64-rhel.config
index 1a5e634fe..c9f79d980 100644
--- a/kernel-x86_64-rhel.config
+++ b/kernel-x86_64-rhel.config
@@ -3743,6 +3743,7 @@ CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y
 CONFIG_MITIGATION_GDS=y
 CONFIG_MITIGATION_IBPB_ENTRY=y
 CONFIG_MITIGATION_IBRS_ENTRY=y
+CONFIG_MITIGATION_ITS=y
 CONFIG_MITIGATION_L1TF=y
 CONFIG_MITIGATION_MDS=y
 CONFIG_MITIGATION_MMIO_STALE_DATA=y
@@ -4625,7 +4626,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-x86_64-rt-debug-rhel.config b/kernel-x86_64-rt-debug-rhel.config
index 421752eb1..bb5c4f018 100644
--- a/kernel-x86_64-rt-debug-rhel.config
+++ b/kernel-x86_64-rt-debug-rhel.config
@@ -3804,6 +3804,7 @@ CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y
 CONFIG_MITIGATION_GDS=y
 CONFIG_MITIGATION_IBPB_ENTRY=y
 CONFIG_MITIGATION_IBRS_ENTRY=y
+CONFIG_MITIGATION_ITS=y
 CONFIG_MITIGATION_L1TF=y
 CONFIG_MITIGATION_MDS=y
 CONFIG_MITIGATION_MMIO_STALE_DATA=y
@@ -4686,7 +4687,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel-x86_64-rt-rhel.config b/kernel-x86_64-rt-rhel.config
index 655feb895..1f6e44bbd 100644
--- a/kernel-x86_64-rt-rhel.config
+++ b/kernel-x86_64-rt-rhel.config
@@ -3784,6 +3784,7 @@ CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y
 CONFIG_MITIGATION_GDS=y
 CONFIG_MITIGATION_IBPB_ENTRY=y
 CONFIG_MITIGATION_IBRS_ENTRY=y
+CONFIG_MITIGATION_ITS=y
 CONFIG_MITIGATION_L1TF=y
 CONFIG_MITIGATION_MDS=y
 CONFIG_MITIGATION_MMIO_STALE_DATA=y
@@ -4666,7 +4667,8 @@ CONFIG_OVERLAY_FS=m
 # CONFIG_PAC1934 is not set
 CONFIG_PACKET_DIAG=y
 CONFIG_PACKET=y
-# CONFIG_PACKING is not set
+CONFIG_PACKING_KUNIT_TEST=m
+CONFIG_PACKING=y
 CONFIG_PAGE_EXTENSION=y
 CONFIG_PAGE_OWNER=y
 CONFIG_PAGE_POISONING=y
diff --git a/kernel.changelog b/kernel.changelog
index ee7bdeb55..0ffa7be1c 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,214 @@
+* Mon Nov 03 2025 Jan Stancek <jstancek@redhat.com> [6.12.0-55.43.1.el10_0]
+- wifi: cfg80211: fix use-after-free in cmp_bss() (CKI Backport Bot) [RHEL-122878] {CVE-2025-39864}
+- igc: fix lock order in igc_ptp_reset (CKI Backport Bot) [RHEL-118667]
+- igc: add lock preventing multiple simultaneous PTM transactions (CKI Backport Bot) [RHEL-118667]
+- igc: cleanup PTP module if probe fails (CKI Backport Bot) [RHEL-118667]
+- igc: handle the IGC_PTP_ENABLED flag correctly (CKI Backport Bot) [RHEL-118667]
+- igc: move ktime snapshot into PTM retry loop (CKI Backport Bot) [RHEL-118667]
+- igc: increase wait time before retrying PTM (CKI Backport Bot) [RHEL-118667]
+- igc: fix PTM cycle trigger logic (CKI Backport Bot) [RHEL-118667]
+- coredump: Only sort VMAs when core_sort_vma sysctl is set (Herton R. Krzesinski) [RHEL-113363]
+- cxgb4: Avoid removal of uninserted tid (CKI Backport Bot) [RHEL-112148]
+- powerpc/pseries/iommu: memory notifier incorrectly adds TCEs for pmemory (Mamatha Inamdar) [RHEL-103014]
+- tools arch x86: Sync the msr-index.h copy with the kernel sources (Waiman Long) [RHEL-92175]
+- Revert "mm/execmem: Unify early execmem_cache behaviour" (Waiman Long) [RHEL-92175]
+- x86/Kconfig: only enable ROX cache in execmem when STRICT_MODULE_RWX is set (Waiman Long) [RHEL-92175]
+- x86/mm/pat: don't collapse pages without PSE set (Waiman Long) [RHEL-92175]
+- tools arch x86: Sync the msr-index.h copy with the kernel sources (Waiman Long) [RHEL-92175]
+- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (Waiman Long) [RHEL-92175]
+- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (Waiman Long) [RHEL-92175] {CVE-2025-37963}
+- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (Waiman Long) [RHEL-92175] {CVE-2025-37948}
+- arm64: proton-pack: Expose whether the branchy loop k value (Waiman Long) [RHEL-92175]
+- arm64: proton-pack: Expose whether the platform is mitigated by firmware (Waiman Long) [RHEL-92175]
+- arm64: insn: Add support for encoding DSB (Waiman Long) [RHEL-92175]
+- selftest/x86/bugs: Add selftests for ITS (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/ibt: Keep IBT disabled during alternative patching (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- mm/execmem: Unify early execmem_cache behaviour (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/its: Align RETs in BHB clear sequence to avoid thunking (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/its: Add support for RSB stuffing mitigation (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/its: Add "vmexit" option to skip mitigation on some CPUs (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/its: Enable Indirect Target Selection mitigation (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- redhat/configs: Enable CONFIG_MITIGATION_ITS for x86 (Waiman Long) [RHEL-92175]
+- x86/its: Add support for ITS-safe return thunk (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/its: Add support for ITS-safe indirect thunk (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/its: Enumerate Indirect Target Selection (ITS) bug (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- Documentation: x86/bugs/its: Add ITS documentation (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions (Waiman Long) [RHEL-92175]
+- x86/bugs: Add RSB mitigation document (Waiman Long) [RHEL-92175]
+- x86/bugs: Don't fill RSB on context switch with eIBRS (Waiman Long) [RHEL-92175]
+- x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline (Waiman Long) [RHEL-92175]
+- x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (Waiman Long) [RHEL-92175]
+- x86/bugs: Use SBPB in write_ibpb() if applicable (Waiman Long) [RHEL-92175]
+- x86/bugs: Rename entry_ibpb() to write_ibpb() (Waiman Long) [RHEL-92175]
+- x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 (Waiman Long) [RHEL-92175]
+- x86/bugs: Use the cpu_smt_possible() helper instead of open-coded code (Waiman Long) [RHEL-92175]
+- x86/bugs: Add AUTO mitigations for mds/taa/mmio/rfds (Waiman Long) [RHEL-92175]
+- x86/bugs: Relocate mds/taa/mmio/rfds defines (Waiman Long) [RHEL-92175]
+- x86/bugs: Add X86_BUG_SPECTRE_V2_USER (Waiman Long) [RHEL-92175]
+- x86/bugs: Remove X86_FEATURE_USE_IBPB (Waiman Long) [RHEL-92175]
+- KVM: nVMX: Always use IBPB to properly virtualize IBRS (Waiman Long) [RHEL-92175]
+- x86/bugs: Use a static branch to guard IBPB on vCPU switch (Waiman Long) [RHEL-92175]
+- x86/bugs: Remove the X86_FEATURE_USE_IBPB check in ib_prctl_set() (Waiman Long) [RHEL-92175]
+- x86/mm: Remove X86_FEATURE_USE_IBPB checks in cond_mitigation() (Waiman Long) [RHEL-92175]
+- x86/bugs: Move the X86_FEATURE_USE_IBPB check into callers (Waiman Long) [RHEL-92175]
+- x86/bugs: KVM: Add support for SRSO_MSR_FIX (Waiman Long) [RHEL-92175]
+- arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB (Waiman Long) [RHEL-92175]
+- arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list (Waiman Long) [RHEL-92175]
+- x86/rfds: Exclude P-only parts from the RFDS affected list (Waiman Long) [RHEL-92175]
+- x86/cpu: Update x86_match_cpu() to also use cpu-type (Waiman Long) [RHEL-92175]
+- x86/cpu: Add cpu_type to struct x86_cpu_id (Waiman Long) [RHEL-92175]
+- x86/cpu: Shorten CPU matching macro (Waiman Long) [RHEL-92175]
+- x86/cpu: Fix the description of X86_MATCH_VFM_STEPS() (Waiman Long) [RHEL-92175]
+- module: don't annotate ROX memory as kmemleak_not_leak() (Waiman Long) [RHEL-92175]
+- module: drop unused module_writable_address() (Waiman Long) [RHEL-92175]
+- Revert "x86/module: prepare module loading for ROX allocations of text" (Waiman Long) [RHEL-92175]
+- module: switch to execmem API for remapping as RW and restoring ROX (Waiman Long) [RHEL-92175]
+- execmem: add API for temporal remapping as RW and restoring ROX afterwards (Waiman Long) [RHEL-92175]
+- execmem: don't remove ROX cache from the direct map (Waiman Long) [RHEL-92175]
+- x86/mm/pat: restore large ROX pages after fragmentation (Waiman Long) [RHEL-92175]
+- x86/mm/pat: drop duplicate variable in cpa_flush() (Waiman Long) [RHEL-92175]
+- x86/mm/pat: cpa-test: fix length for CPA_ARRAY test (Waiman Long) [RHEL-92175]
+- x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit (Waiman Long) [RHEL-92175]
+- x86/cpu: Fix typo in x86_match_cpu()'s doc (Waiman Long) [RHEL-92175]
+- x86/cpu: Expose only stepping min/max interface (Waiman Long) [RHEL-92175]
+- x86/cpu: Introduce new microcode matching helper (Waiman Long) [RHEL-92175]
+- KVM: x86: Advertise SRSO_USER_KERNEL_NO to userspace (Waiman Long) [RHEL-92175]
+- x86/bugs: Add SRSO_USER_KERNEL_NO support (Waiman Long) [RHEL-92175]
+- module: fix writing of livepatch relocations in ROX text (Waiman Long) [RHEL-92175]
+- x86/execmem: fix ROX cache usage in Xen PV guests (Waiman Long) [RHEL-92175]
+- alloc_tag: load module tags into separate contiguous memory (Waiman Long) [RHEL-92175]
+- alloc_tag: introduce shutdown_mem_profiling helper function (Waiman Long) [RHEL-92175]
+- maple_tree: add mas_for_each_rev() helper (Waiman Long) [RHEL-92175]
+- x86/module: enable ROX caches for module text on 64 bit (Waiman Long) [RHEL-92175]
+- execmem: add support for cache of large ROX pages (Waiman Long) [RHEL-92175]
+- x86/module: prepare module loading for ROX allocations of text (Waiman Long) [RHEL-92175]
+- arch: introduce set_direct_map_valid_noflush() (Waiman Long) [RHEL-92175]
+- module: prepare to handle ROX allocations for text (Waiman Long) [RHEL-92175]
+- asm-generic: introduce text-patching.h (Waiman Long) [RHEL-92175]
+- mm: vmalloc: don't account for number of nodes for HUGE_VMAP allocations (Waiman Long) [RHEL-92175]
+- mm: vmalloc: group declarations depending on CONFIG_MMU together (Waiman Long) [RHEL-92175]
+- x86/cpu: Add CPU type to struct cpuinfo_topology (Waiman Long) [RHEL-92175]
+- x86/cpufeatures: Add X86_FEATURE_AMD_HETEROGENEOUS_CORES (Waiman Long) [RHEL-92175]
+- ice: fix Rx page leak on multi-buffer frames (Petr Oros) [RHEL-116542]
+- ice: fix NULL access of tx->in_use in ice_ll_ts_intr (Petr Oros) [RHEL-116534]
+- ice: fix NULL access of tx->in_use in ice_ptp_ts_irq (Petr Oros) [RHEL-116534]
+- ice: default to TIME_REF instead of TXCO on E825-C (Petr Oros) [RHEL-107466]
+- ice: move TSPLL init calls to ice_ptp.c (Petr Oros) [RHEL-107466]
+- ice: fall back to TCXO on TSPLL lock fail (Petr Oros) [RHEL-107466]
+- ice: wait before enabling TSPLL (Petr Oros) [RHEL-107466]
+- ice: add multiple TSPLL helpers (Petr Oros) [RHEL-107466]
+- ice: use bitfields instead of unions for CGU regs (Petr Oros) [RHEL-107466]
+- ice: read TSPLL registers again before reporting status (Petr Oros) [RHEL-107466]
+- ice: clear time_sync_en field for E825-C during reprogramming (Petr Oros) [RHEL-107466]
+- ice: add TSPLL log config helper (Petr Oros) [RHEL-107466]
+- ice: use designated initializers for TSPLL consts (Petr Oros) [RHEL-107466]
+- ice: remove ice_tspll_params_e825 definitions (Petr Oros) [RHEL-107466]
+- ice: fix E825-C TSPLL register definitions (Petr Oros) [RHEL-107466]
+- ice: rename TSPLL and CGU functions and definitions (Petr Oros) [RHEL-107466]
+- ice: move TSPLL functions to a separate file (Petr Oros) [RHEL-107466]
+- ice: enable timesync operation on 2xNAC E825 devices (Petr Oros) [RHEL-107466]
+- ice: refactor ice_sbq_msg_dev enum (Petr Oros) [RHEL-107466]
+- ice: remove SW side band access workaround for E825 (Petr Oros) [RHEL-107466]
+- ice/ptp: fix crosstimestamp reporting (Petr Oros) [RHEL-115351]
+- ice: fix rebuilding the Tx scheduler tree for large queue counts (Petr Oros) [RHEL-115351]
+- ice: create new Tx scheduler nodes for new queues only (Petr Oros) [RHEL-115351]
+- ice: fix Tx scheduler error handling in XDP callback (Petr Oros) [RHEL-115351]
+- ice: Fix LACP bonds without SRIOV environment (Petr Oros) [RHEL-115351]
+- ice: fix vf->num_mac count with port representors (Petr Oros) [RHEL-115351]
+- ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (Petr Oros) [RHEL-115351]
+- ice: fix Get Tx Topology AQ command error on E830 (Petr Oros) [RHEL-115351]
+- ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw() (Petr Oros) [RHEL-115351]
+- ice: fix input validation for virtchnl BW (Petr Oros) [RHEL-115351]
+- ice: validate queue quanta parameters to prevent OOB access (Petr Oros) [RHEL-115351]
+- ice: stop truncating queue ids when checking (Petr Oros) [RHEL-115351]
+- virtchnl: make proto and filter action count unsigned (Petr Oros) [RHEL-115351]
+- ice: fix reservation of resources for RDMA when disabled (Petr Oros) [RHEL-115351]
+- ice: health.c: fix compilation on gcc 7.5 (Petr Oros) [RHEL-115351]
+- ice: E825C PHY register cleanup (Petr Oros) [RHEL-115351]
+- ice: Refactor E825C PHY registers info struct (Petr Oros) [RHEL-115351]
+- ice: rename ice_ptp_init_phc_eth56g function (Petr Oros) [RHEL-115351]
+- ice: Add E830 checksum offload support (Petr Oros) [RHEL-115351]
+- ice: register devlink prior to creating health reporters (Petr Oros) [RHEL-115351]
+- ice: Fix switchdev slow-path in LAG (Petr Oros) [RHEL-115351]
+- ice: fix memory leak in aRFS after reset (Petr Oros) [RHEL-115351]
+- ice: do not configure destination override for switchdev (Petr Oros) [RHEL-115351]
+- ice: dpll: Remove newline at the end of a netlink error message (Petr Oros) [RHEL-115351]
+- virtchnl: add enumeration for the rxdid format (Petr Oros) [RHEL-115351]
+- ice: support Rx timestamp on flex descriptor (Petr Oros) [RHEL-115351]
+- virtchnl: add support for enabling PTP on iAVF (Petr Oros) [RHEL-115351]
+- ice: refactor ice_fdir_create_dflt_rules() function (Petr Oros) [RHEL-115351]
+- ice: Implement PTP support for E830 devices (Petr Oros) [RHEL-115351]
+- ice: Refactor ice_ptp_init_tx_* (Petr Oros) [RHEL-115351]
+- ice: Add unified ice_capture_crosststamp (Petr Oros) [RHEL-115351]
+- ice: Process TSYN IRQ in a separate function (Petr Oros) [RHEL-115351]
+- ice: Use FIELD_PREP for timestamp values (Petr Oros) [RHEL-115351]
+- ice: Remove unnecessary ice_is_e8xx() functions (Petr Oros) [RHEL-115351]
+- ice: Don't check device type when checking GNSS presence (Petr Oros) [RHEL-115351]
+- ice: use generic unrolled_count() macro (Petr Oros) [RHEL-115351]
+- ice: count combined queues using Rx/Tx count (Petr Oros) [RHEL-115351]
+- ice: Add check for devm_kzalloc() (Petr Oros) [RHEL-115351]
+- ice: remove invalid parameter of equalizer (Petr Oros) [RHEL-115351]
+- ice: fix ice_parser_rt::bst_key array size (Petr Oros) [RHEL-115351]
+- ice: Add in/out PTP pin delays (Petr Oros) [RHEL-115351]
+- ice: use string choice helpers (Petr Oros) [RHEL-115351]
+- ice: add fw and port health reporters (Petr Oros) [RHEL-115351]
+- ice: add recipe priority check in search (Petr Oros) [RHEL-115351]
+- ice: Add MDD logging via devlink health (Petr Oros) [RHEL-115351]
+- ice: add Tx hang devlink health reporter (Petr Oros) [RHEL-115351]
+- ice: rename devlink_port.[ch] to port.[ch] (Petr Oros) [RHEL-115351]
+- ice: cleanup Rx queue context programming functions (Petr Oros) [RHEL-115351]
+- ice: move prefetch enable to ice_setup_rx_ctx (Petr Oros) [RHEL-115351]
+- ice: reduce size of queue context fields (Petr Oros) [RHEL-115351]
+- ice: use <linux/packing.h> for Tx and Rx queue context data (Petr Oros) [RHEL-115351]
+- ice: use structures to keep track of queue context size (Petr Oros) [RHEL-115351]
+- ice: remove int_q_state from ice_tlan_ctx (Petr Oros) [RHEL-115351]
+- ice: fix incorrect PHY settings for 100 GB/s (Petr Oros) [RHEL-115351]
+- ice: fix max values for dpll pin phase adjust (Petr Oros) [RHEL-115351]
+- ice: Fix VLAN pruning in switchdev mode (Petr Oros) [RHEL-115351]
+- ice: Fix NULL pointer dereference in switchdev (Petr Oros) [RHEL-115351]
+- ice: fix PHY timestamp extraction for ETH56G (Petr Oros) [RHEL-115351]
+- ice: Unbind the workqueue (Petr Oros) [RHEL-115351]
+- ice: use stack variable for virtchnl_supported_rxdids (Petr Oros) [RHEL-115351]
+- ice: initialize pf->supported_rxdids immediately after loading DDP (Petr Oros) [RHEL-115351]
+- ice: only allow Tx promiscuous for multicast (Petr Oros) [RHEL-115351]
+- ice: support optional flags in signature segment header (Petr Oros) [RHEL-115351]
+- ice: refactor "last" segment of DDP pkg (Petr Oros) [RHEL-115351]
+- ice: extend dump serdes equalizer values feature (Petr Oros) [RHEL-115351]
+- ice: rework of dump serdes equalizer values feature (Petr Oros) [RHEL-115351]
+- ice: Support VF queue rate limit and quanta size configuration (Petr Oros) [RHEL-115351]
+- virtchnl: fix m68k build. (Petr Oros) [RHEL-115351]
+- virtchnl: support queue rate limit and quanta size configuration (Petr Oros) [RHEL-115351]
+- ice: Cleanup unused declarations (Petr Oros) [RHEL-115351]
+- ice: Use common error handling code in two functions (Petr Oros) [RHEL-115351]
+- ice: Make use of assign_bit() API (Petr Oros) [RHEL-115351]
+- ice: store max_frame and rx_buf_len only in ice_rx_ring (Petr Oros) [RHEL-115351]
+- ice: consistently use q_idx in ice_vc_cfg_qs_msg() (Petr Oros) [RHEL-115351]
+- ice: Implement ethtool reset support (Petr Oros) [RHEL-115351]
+- ice: Add correct PHY lane assignment (Petr Oros) [RHEL-115351]
+- ice: Fix ETH56G FC-FEC Rx offset value (Petr Oros) [RHEL-115351]
+- ice: Fix quad registers read on E825 (Petr Oros) [RHEL-115351]
+- ice: Fix E825 initialization (Petr Oros) [RHEL-115351]
+- unroll: add generic loop unroll helpers (CKI Backport Bot) [RHEL-115351]
+- devlink: add devlink_fmsg_dump_skb() function (Petr Oros) [RHEL-115351]
+- devlink: add devlink_fmsg_put() macro (Petr Oros) [RHEL-115351]
+- redhat: configs: enable CONFIG_PACKING (Petr Oros) [RHEL-115351]
+- lib: packing: catch kunit_kzalloc() failure in the pack() test (CKI Backport Bot) [RHEL-115351]
+- lib: packing: document recently added APIs (CKI Backport Bot) [RHEL-115351]
+- lib: packing: add pack_fields() and unpack_fields() (CKI Backport Bot) [RHEL-115351]
+- lib: packing: demote truncation error in pack() to a warning in __pack() (CKI Backport Bot) [RHEL-115351]
+- lib: packing: create __pack() and __unpack() variants without error checking (CKI Backport Bot) [RHEL-115351]
+- lib: packing: use GENMASK() for box_mask (CKI Backport Bot) [RHEL-115351]
+- lib: packing: use BITS_PER_BYTE instead of 8 (CKI Backport Bot) [RHEL-115351]
+- lib: packing: fix QUIRK_MSB_ON_THE_RIGHT behavior (CKI Backport Bot) [RHEL-115351]
+- lib: packing: add additional KUnit tests (CKI Backport Bot) [RHEL-115351]
+- lib: packing: add KUnit tests adapted from selftests (CKI Backport Bot) [RHEL-115351]
+- lib: packing: duplicate pack() and unpack() implementations (CKI Backport Bot) [RHEL-115351]
+- lib: packing: add pack() and unpack() wrappers over packing() (CKI Backport Bot) [RHEL-115351]
+- lib: packing: remove kernel-doc from header file (CKI Backport Bot) [RHEL-115351]
+- lib: packing: adjust definitions and implementation for arbitrary buffer lengths (CKI Backport Bot) [RHEL-115351]
+- lib: packing: refuse operating on bit indices which exceed size of buffer (CKI Backport Bot) [RHEL-115351]
+Resolves: RHEL-103014, RHEL-107466, RHEL-112148, RHEL-113363, RHEL-115351, RHEL-116534, RHEL-116542, RHEL-118667, RHEL-122878, RHEL-92175
+
 * Sat Oct 25 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-55.42.1.el10_0]
 - platform/x86/intel: power-domains: Use topology_logical_package_id() for package ID (CKI Backport Bot) [RHEL-123288]
 - KVM: arm64: Disable MPAM visibility by default and ignore VMM writes (Gavin Shan) [RHEL-121690]
diff --git a/kernel.spec b/kernel.spec
index a8ab0ff35..11f4c21c9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -98,7 +98,7 @@ Summary: The Linux kernel
 %if 0%{?fedora}
 %define secure_boot_arch x86_64
 %else
-%define secure_boot_arch x86_64 aarch64 s390x ppc64le
+%define secure_boot_arch x86_64 s390x ppc64le
 %endif
 
 # Signing for secure boot authentication
@@ -162,15 +162,15 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 55.42.1
+%define pkgrelease 55.43.1
 %define kversion 6
-%define tarfile_release 6.12.0-55.42.1.el10_0
+%define tarfile_release 6.12.0-55.43.1.el10_0
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 55.42.1%{?buildid}%{?dist}
+%define specrelease 55.43.1%{?buildid}.0.1%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 6.12.0-55.42.1.el10_0
+%define kabiversion 6.12.0-55.43.1.el10_0
 
 # If this variable is set to 1, a bpf selftests build failure will cause a
 # fatal kernel package build error
@@ -716,6 +716,8 @@ Requires: kernel-modules-core-uname-r = %{KVERREL}
 Provides: installonlypkg(kernel)
 %endif
 
+Provides: oracle(kernel-sig-key) == 202502
+Conflicts: shim-x64 < 15.8-1.0.6
 
 #
 # List the packages used during the kernel build
@@ -875,8 +877,6 @@ BuildRequires: tpm2-tools
 %if 0%{?rhel}%{?centos} && !0%{?eln}
 %if 0%{?centos}
 BuildRequires: centos-sb-certs >= 9.0-23
-%else
-BuildRequires: redhat-sb-certs >= 9.4-0.1
 %endif
 %endif
 %endif
@@ -896,42 +896,11 @@ Source10: redhatsecurebootca5.cer
 Source13: redhatsecureboot501.cer
 
 %if %{signkernel}
-# Name of the packaged file containing signing key
-%ifarch ppc64le
-%define signing_key_filename kernel-signing-ppc.cer
-%endif
-%ifarch s390x
-%define signing_key_filename kernel-signing-s390.cer
-%endif
 
-# Fedora/ELN pesign macro expects to see these cert file names, see:
-# https://github.com/rhboot/pesign/blob/main/src/pesign-rpmbuild-helper.in#L216
-%if 0%{?fedora}%{?eln}
-%define pesign_name_0 redhatsecureboot501
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE13}
-%endif
-
-# RHEL/centos certs come from system-sb-certs
-%if 0%{?rhel} && !0%{?eln}
 %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
 %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
 
-%if 0%{?centos}
-%define pesign_name_0 centossecureboot201
-%else
-%ifarch x86_64 aarch64
-%define pesign_name_0 redhatsecureboot501
-%endif
-%ifarch s390x
-%define pesign_name_0 redhatsecureboot302
-%endif
-%ifarch ppc64le
-%define pesign_name_0 redhatsecureboot701
-%endif
-%endif
-# rhel && !eln
-%endif
+%define pesign_name_0 OracleLinuxSecureBootKey3
 
 # signkernel
 %endif
@@ -1008,7 +977,10 @@ Source102: nvidiagpuoot001.x509
 Source103: rhelimaca1.x509
 Source104: rhelima.x509
 Source105: rhelima_centos.x509
-Source106: fedoraimaca.x509
+# Oracle Linux IMA CA certificate
+Source106: olimaca1.x509
+# Oracle Linux IMA signing certificate
+Source107: olima1.x509
 
 %if 0%{?fedora}%{?eln}
 %define ima_ca_cert %{SOURCE106}
@@ -1023,9 +995,11 @@ Source106: fedoraimaca.x509
 %define ima_signing_cert %{SOURCE105}
 %else
 %define ima_signing_cert %{SOURCE104}
+%define ima_signing_cert_ol %{SOURCE107}
 %endif
 
 %define ima_cert_name ima.cer
+%define ima_cert_name_ol ima_ol.cer
 
 Source200: check-kabi
 
@@ -1090,6 +1064,10 @@ Source4000: README.rst
 Source4001: rpminspect.yaml
 Source4002: gating.yaml
 
+# Oracle Linux RHCK Module Signing Key
+Source5001: olkmod_signing_key.pem
+Source5002: olkmod_signing_key1.pem
+
 ## Patches needed for building this package
 
 %if !%{nopatches}
@@ -1097,6 +1075,9 @@ Source4002: gating.yaml
 Patch1: patch-%{patchversion}-redhat.patch
 %endif
 
+# Oracle patches
+Patch1001: bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch
+
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
 
@@ -1944,6 +1925,8 @@ ApplyOptionalPatch()
 mv linux-%{tarfile_release} linux-%{KVERREL}
 
 cd linux-%{KVERREL}
+#removal of git history
+rm -rf .git
 cp -a %{SOURCE1} .
 
 %{log_msg "Start of patch applications"}
@@ -1952,6 +1935,7 @@ cp -a %{SOURCE1} .
 ApplyOptionalPatch patch-%{patchversion}-redhat.patch
 %endif
 
+ApplyPatch bug37756650-nvme-pci-remove-two-deallocate-zeroes-quirks.patch
 ApplyOptionalPatch linux-kernel-test.patch
 
 %{log_msg "End of patch applications"}
@@ -2064,6 +2048,13 @@ openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
 cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list
+openssl x509 -inform der -in %{SOURCE106} -out olimaca1.pem
+cat olimaca1.pem >> ../certs/rhel.pem
+# Add olkmod_signing_key.pem to the kernel trusted certificates list
+cat %{SOURCE5001} >> ../certs/rhel.pem
+# Add olkmod_signing_key1.pem to the kernel trusted certificates list
+cat %{SOURCE5002} >> ../certs/rhel.pem
 %if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
@@ -2086,7 +2077,7 @@ done
 %if 0%{?rhel}
 %{log_msg "Adjust FIPS module name for RHEL"}
 for i in *.config; do
-  sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux %{rhel} - Kernel Cryptographic API"/' $i
+  sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Oracle Linux 10 Kernel Crypto API Cryptographic Module"/' $i
 done
 %endif
 
@@ -2736,8 +2727,11 @@ BuildKernel() {
 %endif
         SBAT=$(cat <<- EOF
 	linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
+	linux,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
 	linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
+	linux.ol,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
 	kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com
+	kernel-uki-virt.ol,1,Oracle Linux,kernel-uki-virt,$KernelVer,mailto:secalert_us@oracle.com
 	EOF
 	)
 
@@ -2765,6 +2759,7 @@ BuildKernel() {
   python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu}
 
 %if %{signkernel}
+%if ! %{?oraclelinux}
 	%{log_msg "Sign the EFI UKI kernel"}
 %if 0%{?fedora}%{?eln}
         %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
@@ -2792,6 +2787,7 @@ BuildKernel() {
       done
 
 # signkernel
+%endif
 %endif
 
     # hmac sign the UKI for FIPS
@@ -2967,7 +2963,7 @@ BuildKernel() {
     # prune junk from kernel-debuginfo
     find $RPM_BUILD_ROOT/usr/src/kernels -name "*.mod.c" -delete
 
-    # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+    # UEFI Secure Boot CA cert, which can be used to authenticate the kernel
     %{log_msg "Install certs"}
     mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
 %if %{signkernel}
@@ -2982,6 +2978,8 @@ BuildKernel() {
 %if 0%{?rhel}
     # Red Hat IMA code-signing cert, which is used to authenticate package files
     install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
+    # Oracle Linux IMA signing cert
+    install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol}
 %endif
 
 %if %{signmodules}
@@ -4316,6 +4314,229 @@ fi\
 #
 #
 %changelog
+* Mon Nov 10 2025 Codrin Pruteanu <codrin.pruteanu@oracle.com> [6.12.0-55.43.1.0.1.el10_0.OL10]
+- nvme-pci: remove two deallocate zeroes quirks [Orabug: 37756650]
+- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985782]
+- Disable UKI signing [Orabug: 36571828]
+- Update Oracle Linux certificates (Kevin Lyons)
+- Disable signing for aarch64 (Ilya Okomin)
+- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
+- Update x509.genkey [Orabug: 24817676]
+- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9
+- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
+- Add Oracle Linux IMA certificates
+- Update module name for cryptographic module [Orabug: 37400433]
+
+* Mon Nov 03 2025 Jan Stancek <jstancek@redhat.com> [6.12.0-55.43.1.el10_0]
+- wifi: cfg80211: fix use-after-free in cmp_bss() (CKI Backport Bot) [RHEL-122878] {CVE-2025-39864}
+- igc: fix lock order in igc_ptp_reset (CKI Backport Bot) [RHEL-118667]
+- igc: add lock preventing multiple simultaneous PTM transactions (CKI Backport Bot) [RHEL-118667]
+- igc: cleanup PTP module if probe fails (CKI Backport Bot) [RHEL-118667]
+- igc: handle the IGC_PTP_ENABLED flag correctly (CKI Backport Bot) [RHEL-118667]
+- igc: move ktime snapshot into PTM retry loop (CKI Backport Bot) [RHEL-118667]
+- igc: increase wait time before retrying PTM (CKI Backport Bot) [RHEL-118667]
+- igc: fix PTM cycle trigger logic (CKI Backport Bot) [RHEL-118667]
+- coredump: Only sort VMAs when core_sort_vma sysctl is set (Herton R. Krzesinski) [RHEL-113363]
+- cxgb4: Avoid removal of uninserted tid (CKI Backport Bot) [RHEL-112148]
+- powerpc/pseries/iommu: memory notifier incorrectly adds TCEs for pmemory (Mamatha Inamdar) [RHEL-103014]
+- tools arch x86: Sync the msr-index.h copy with the kernel sources (Waiman Long) [RHEL-92175]
+- Revert "mm/execmem: Unify early execmem_cache behaviour" (Waiman Long) [RHEL-92175]
+- x86/Kconfig: only enable ROX cache in execmem when STRICT_MODULE_RWX is set (Waiman Long) [RHEL-92175]
+- x86/mm/pat: don't collapse pages without PSE set (Waiman Long) [RHEL-92175]
+- tools arch x86: Sync the msr-index.h copy with the kernel sources (Waiman Long) [RHEL-92175]
+- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (Waiman Long) [RHEL-92175]
+- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (Waiman Long) [RHEL-92175] {CVE-2025-37963}
+- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (Waiman Long) [RHEL-92175] {CVE-2025-37948}
+- arm64: proton-pack: Expose whether the branchy loop k value (Waiman Long) [RHEL-92175]
+- arm64: proton-pack: Expose whether the platform is mitigated by firmware (Waiman Long) [RHEL-92175]
+- arm64: insn: Add support for encoding DSB (Waiman Long) [RHEL-92175]
+- selftest/x86/bugs: Add selftests for ITS (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/ibt: Keep IBT disabled during alternative patching (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- mm/execmem: Unify early execmem_cache behaviour (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/its: Align RETs in BHB clear sequence to avoid thunking (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/its: Add support for RSB stuffing mitigation (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/its: Add "vmexit" option to skip mitigation on some CPUs (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/its: Enable Indirect Target Selection mitigation (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- redhat/configs: Enable CONFIG_MITIGATION_ITS for x86 (Waiman Long) [RHEL-92175]
+- x86/its: Add support for ITS-safe return thunk (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/its: Add support for ITS-safe indirect thunk (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- x86/its: Enumerate Indirect Target Selection (ITS) bug (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- Documentation: x86/bugs/its: Add ITS documentation (Waiman Long) [RHEL-92175] {CVE-2024-28956}
+- KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions (Waiman Long) [RHEL-92175]
+- x86/bugs: Add RSB mitigation document (Waiman Long) [RHEL-92175]
+- x86/bugs: Don't fill RSB on context switch with eIBRS (Waiman Long) [RHEL-92175]
+- x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline (Waiman Long) [RHEL-92175]
+- x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (Waiman Long) [RHEL-92175]
+- x86/bugs: Use SBPB in write_ibpb() if applicable (Waiman Long) [RHEL-92175]
+- x86/bugs: Rename entry_ibpb() to write_ibpb() (Waiman Long) [RHEL-92175]
+- x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 (Waiman Long) [RHEL-92175]
+- x86/bugs: Use the cpu_smt_possible() helper instead of open-coded code (Waiman Long) [RHEL-92175]
+- x86/bugs: Add AUTO mitigations for mds/taa/mmio/rfds (Waiman Long) [RHEL-92175]
+- x86/bugs: Relocate mds/taa/mmio/rfds defines (Waiman Long) [RHEL-92175]
+- x86/bugs: Add X86_BUG_SPECTRE_V2_USER (Waiman Long) [RHEL-92175]
+- x86/bugs: Remove X86_FEATURE_USE_IBPB (Waiman Long) [RHEL-92175]
+- KVM: nVMX: Always use IBPB to properly virtualize IBRS (Waiman Long) [RHEL-92175]
+- x86/bugs: Use a static branch to guard IBPB on vCPU switch (Waiman Long) [RHEL-92175]
+- x86/bugs: Remove the X86_FEATURE_USE_IBPB check in ib_prctl_set() (Waiman Long) [RHEL-92175]
+- x86/mm: Remove X86_FEATURE_USE_IBPB checks in cond_mitigation() (Waiman Long) [RHEL-92175]
+- x86/bugs: Move the X86_FEATURE_USE_IBPB check into callers (Waiman Long) [RHEL-92175]
+- x86/bugs: KVM: Add support for SRSO_MSR_FIX (Waiman Long) [RHEL-92175]
+- arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB (Waiman Long) [RHEL-92175]
+- arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list (Waiman Long) [RHEL-92175]
+- x86/rfds: Exclude P-only parts from the RFDS affected list (Waiman Long) [RHEL-92175]
+- x86/cpu: Update x86_match_cpu() to also use cpu-type (Waiman Long) [RHEL-92175]
+- x86/cpu: Add cpu_type to struct x86_cpu_id (Waiman Long) [RHEL-92175]
+- x86/cpu: Shorten CPU matching macro (Waiman Long) [RHEL-92175]
+- x86/cpu: Fix the description of X86_MATCH_VFM_STEPS() (Waiman Long) [RHEL-92175]
+- module: don't annotate ROX memory as kmemleak_not_leak() (Waiman Long) [RHEL-92175]
+- module: drop unused module_writable_address() (Waiman Long) [RHEL-92175]
+- Revert "x86/module: prepare module loading for ROX allocations of text" (Waiman Long) [RHEL-92175]
+- module: switch to execmem API for remapping as RW and restoring ROX (Waiman Long) [RHEL-92175]
+- execmem: add API for temporal remapping as RW and restoring ROX afterwards (Waiman Long) [RHEL-92175]
+- execmem: don't remove ROX cache from the direct map (Waiman Long) [RHEL-92175]
+- x86/mm/pat: restore large ROX pages after fragmentation (Waiman Long) [RHEL-92175]
+- x86/mm/pat: drop duplicate variable in cpa_flush() (Waiman Long) [RHEL-92175]
+- x86/mm/pat: cpa-test: fix length for CPA_ARRAY test (Waiman Long) [RHEL-92175]
+- x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit (Waiman Long) [RHEL-92175]
+- x86/cpu: Fix typo in x86_match_cpu()'s doc (Waiman Long) [RHEL-92175]
+- x86/cpu: Expose only stepping min/max interface (Waiman Long) [RHEL-92175]
+- x86/cpu: Introduce new microcode matching helper (Waiman Long) [RHEL-92175]
+- KVM: x86: Advertise SRSO_USER_KERNEL_NO to userspace (Waiman Long) [RHEL-92175]
+- x86/bugs: Add SRSO_USER_KERNEL_NO support (Waiman Long) [RHEL-92175]
+- module: fix writing of livepatch relocations in ROX text (Waiman Long) [RHEL-92175]
+- x86/execmem: fix ROX cache usage in Xen PV guests (Waiman Long) [RHEL-92175]
+- alloc_tag: load module tags into separate contiguous memory (Waiman Long) [RHEL-92175]
+- alloc_tag: introduce shutdown_mem_profiling helper function (Waiman Long) [RHEL-92175]
+- maple_tree: add mas_for_each_rev() helper (Waiman Long) [RHEL-92175]
+- x86/module: enable ROX caches for module text on 64 bit (Waiman Long) [RHEL-92175]
+- execmem: add support for cache of large ROX pages (Waiman Long) [RHEL-92175]
+- x86/module: prepare module loading for ROX allocations of text (Waiman Long) [RHEL-92175]
+- arch: introduce set_direct_map_valid_noflush() (Waiman Long) [RHEL-92175]
+- module: prepare to handle ROX allocations for text (Waiman Long) [RHEL-92175]
+- asm-generic: introduce text-patching.h (Waiman Long) [RHEL-92175]
+- mm: vmalloc: don't account for number of nodes for HUGE_VMAP allocations (Waiman Long) [RHEL-92175]
+- mm: vmalloc: group declarations depending on CONFIG_MMU together (Waiman Long) [RHEL-92175]
+- x86/cpu: Add CPU type to struct cpuinfo_topology (Waiman Long) [RHEL-92175]
+- x86/cpufeatures: Add X86_FEATURE_AMD_HETEROGENEOUS_CORES (Waiman Long) [RHEL-92175]
+- ice: fix Rx page leak on multi-buffer frames (Petr Oros) [RHEL-116542]
+- ice: fix NULL access of tx->in_use in ice_ll_ts_intr (Petr Oros) [RHEL-116534]
+- ice: fix NULL access of tx->in_use in ice_ptp_ts_irq (Petr Oros) [RHEL-116534]
+- ice: default to TIME_REF instead of TXCO on E825-C (Petr Oros) [RHEL-107466]
+- ice: move TSPLL init calls to ice_ptp.c (Petr Oros) [RHEL-107466]
+- ice: fall back to TCXO on TSPLL lock fail (Petr Oros) [RHEL-107466]
+- ice: wait before enabling TSPLL (Petr Oros) [RHEL-107466]
+- ice: add multiple TSPLL helpers (Petr Oros) [RHEL-107466]
+- ice: use bitfields instead of unions for CGU regs (Petr Oros) [RHEL-107466]
+- ice: read TSPLL registers again before reporting status (Petr Oros) [RHEL-107466]
+- ice: clear time_sync_en field for E825-C during reprogramming (Petr Oros) [RHEL-107466]
+- ice: add TSPLL log config helper (Petr Oros) [RHEL-107466]
+- ice: use designated initializers for TSPLL consts (Petr Oros) [RHEL-107466]
+- ice: remove ice_tspll_params_e825 definitions (Petr Oros) [RHEL-107466]
+- ice: fix E825-C TSPLL register definitions (Petr Oros) [RHEL-107466]
+- ice: rename TSPLL and CGU functions and definitions (Petr Oros) [RHEL-107466]
+- ice: move TSPLL functions to a separate file (Petr Oros) [RHEL-107466]
+- ice: enable timesync operation on 2xNAC E825 devices (Petr Oros) [RHEL-107466]
+- ice: refactor ice_sbq_msg_dev enum (Petr Oros) [RHEL-107466]
+- ice: remove SW side band access workaround for E825 (Petr Oros) [RHEL-107466]
+- ice/ptp: fix crosstimestamp reporting (Petr Oros) [RHEL-115351]
+- ice: fix rebuilding the Tx scheduler tree for large queue counts (Petr Oros) [RHEL-115351]
+- ice: create new Tx scheduler nodes for new queues only (Petr Oros) [RHEL-115351]
+- ice: fix Tx scheduler error handling in XDP callback (Petr Oros) [RHEL-115351]
+- ice: Fix LACP bonds without SRIOV environment (Petr Oros) [RHEL-115351]
+- ice: fix vf->num_mac count with port representors (Petr Oros) [RHEL-115351]
+- ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (Petr Oros) [RHEL-115351]
+- ice: fix Get Tx Topology AQ command error on E830 (Petr Oros) [RHEL-115351]
+- ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw() (Petr Oros) [RHEL-115351]
+- ice: fix input validation for virtchnl BW (Petr Oros) [RHEL-115351]
+- ice: validate queue quanta parameters to prevent OOB access (Petr Oros) [RHEL-115351]
+- ice: stop truncating queue ids when checking (Petr Oros) [RHEL-115351]
+- virtchnl: make proto and filter action count unsigned (Petr Oros) [RHEL-115351]
+- ice: fix reservation of resources for RDMA when disabled (Petr Oros) [RHEL-115351]
+- ice: health.c: fix compilation on gcc 7.5 (Petr Oros) [RHEL-115351]
+- ice: E825C PHY register cleanup (Petr Oros) [RHEL-115351]
+- ice: Refactor E825C PHY registers info struct (Petr Oros) [RHEL-115351]
+- ice: rename ice_ptp_init_phc_eth56g function (Petr Oros) [RHEL-115351]
+- ice: Add E830 checksum offload support (Petr Oros) [RHEL-115351]
+- ice: register devlink prior to creating health reporters (Petr Oros) [RHEL-115351]
+- ice: Fix switchdev slow-path in LAG (Petr Oros) [RHEL-115351]
+- ice: fix memory leak in aRFS after reset (Petr Oros) [RHEL-115351]
+- ice: do not configure destination override for switchdev (Petr Oros) [RHEL-115351]
+- ice: dpll: Remove newline at the end of a netlink error message (Petr Oros) [RHEL-115351]
+- virtchnl: add enumeration for the rxdid format (Petr Oros) [RHEL-115351]
+- ice: support Rx timestamp on flex descriptor (Petr Oros) [RHEL-115351]
+- virtchnl: add support for enabling PTP on iAVF (Petr Oros) [RHEL-115351]
+- ice: refactor ice_fdir_create_dflt_rules() function (Petr Oros) [RHEL-115351]
+- ice: Implement PTP support for E830 devices (Petr Oros) [RHEL-115351]
+- ice: Refactor ice_ptp_init_tx_* (Petr Oros) [RHEL-115351]
+- ice: Add unified ice_capture_crosststamp (Petr Oros) [RHEL-115351]
+- ice: Process TSYN IRQ in a separate function (Petr Oros) [RHEL-115351]
+- ice: Use FIELD_PREP for timestamp values (Petr Oros) [RHEL-115351]
+- ice: Remove unnecessary ice_is_e8xx() functions (Petr Oros) [RHEL-115351]
+- ice: Don't check device type when checking GNSS presence (Petr Oros) [RHEL-115351]
+- ice: use generic unrolled_count() macro (Petr Oros) [RHEL-115351]
+- ice: count combined queues using Rx/Tx count (Petr Oros) [RHEL-115351]
+- ice: Add check for devm_kzalloc() (Petr Oros) [RHEL-115351]
+- ice: remove invalid parameter of equalizer (Petr Oros) [RHEL-115351]
+- ice: fix ice_parser_rt::bst_key array size (Petr Oros) [RHEL-115351]
+- ice: Add in/out PTP pin delays (Petr Oros) [RHEL-115351]
+- ice: use string choice helpers (Petr Oros) [RHEL-115351]
+- ice: add fw and port health reporters (Petr Oros) [RHEL-115351]
+- ice: add recipe priority check in search (Petr Oros) [RHEL-115351]
+- ice: Add MDD logging via devlink health (Petr Oros) [RHEL-115351]
+- ice: add Tx hang devlink health reporter (Petr Oros) [RHEL-115351]
+- ice: rename devlink_port.[ch] to port.[ch] (Petr Oros) [RHEL-115351]
+- ice: cleanup Rx queue context programming functions (Petr Oros) [RHEL-115351]
+- ice: move prefetch enable to ice_setup_rx_ctx (Petr Oros) [RHEL-115351]
+- ice: reduce size of queue context fields (Petr Oros) [RHEL-115351]
+- ice: use <linux/packing.h> for Tx and Rx queue context data (Petr Oros) [RHEL-115351]
+- ice: use structures to keep track of queue context size (Petr Oros) [RHEL-115351]
+- ice: remove int_q_state from ice_tlan_ctx (Petr Oros) [RHEL-115351]
+- ice: fix incorrect PHY settings for 100 GB/s (Petr Oros) [RHEL-115351]
+- ice: fix max values for dpll pin phase adjust (Petr Oros) [RHEL-115351]
+- ice: Fix VLAN pruning in switchdev mode (Petr Oros) [RHEL-115351]
+- ice: Fix NULL pointer dereference in switchdev (Petr Oros) [RHEL-115351]
+- ice: fix PHY timestamp extraction for ETH56G (Petr Oros) [RHEL-115351]
+- ice: Unbind the workqueue (Petr Oros) [RHEL-115351]
+- ice: use stack variable for virtchnl_supported_rxdids (Petr Oros) [RHEL-115351]
+- ice: initialize pf->supported_rxdids immediately after loading DDP (Petr Oros) [RHEL-115351]
+- ice: only allow Tx promiscuous for multicast (Petr Oros) [RHEL-115351]
+- ice: support optional flags in signature segment header (Petr Oros) [RHEL-115351]
+- ice: refactor "last" segment of DDP pkg (Petr Oros) [RHEL-115351]
+- ice: extend dump serdes equalizer values feature (Petr Oros) [RHEL-115351]
+- ice: rework of dump serdes equalizer values feature (Petr Oros) [RHEL-115351]
+- ice: Support VF queue rate limit and quanta size configuration (Petr Oros) [RHEL-115351]
+- virtchnl: fix m68k build. (Petr Oros) [RHEL-115351]
+- virtchnl: support queue rate limit and quanta size configuration (Petr Oros) [RHEL-115351]
+- ice: Cleanup unused declarations (Petr Oros) [RHEL-115351]
+- ice: Use common error handling code in two functions (Petr Oros) [RHEL-115351]
+- ice: Make use of assign_bit() API (Petr Oros) [RHEL-115351]
+- ice: store max_frame and rx_buf_len only in ice_rx_ring (Petr Oros) [RHEL-115351]
+- ice: consistently use q_idx in ice_vc_cfg_qs_msg() (Petr Oros) [RHEL-115351]
+- ice: Implement ethtool reset support (Petr Oros) [RHEL-115351]
+- ice: Add correct PHY lane assignment (Petr Oros) [RHEL-115351]
+- ice: Fix ETH56G FC-FEC Rx offset value (Petr Oros) [RHEL-115351]
+- ice: Fix quad registers read on E825 (Petr Oros) [RHEL-115351]
+- ice: Fix E825 initialization (Petr Oros) [RHEL-115351]
+- unroll: add generic loop unroll helpers (CKI Backport Bot) [RHEL-115351]
+- devlink: add devlink_fmsg_dump_skb() function (Petr Oros) [RHEL-115351]
+- devlink: add devlink_fmsg_put() macro (Petr Oros) [RHEL-115351]
+- redhat: configs: enable CONFIG_PACKING (Petr Oros) [RHEL-115351]
+- lib: packing: catch kunit_kzalloc() failure in the pack() test (CKI Backport Bot) [RHEL-115351]
+- lib: packing: document recently added APIs (CKI Backport Bot) [RHEL-115351]
+- lib: packing: add pack_fields() and unpack_fields() (CKI Backport Bot) [RHEL-115351]
+- lib: packing: demote truncation error in pack() to a warning in __pack() (CKI Backport Bot) [RHEL-115351]
+- lib: packing: create __pack() and __unpack() variants without error checking (CKI Backport Bot) [RHEL-115351]
+- lib: packing: use GENMASK() for box_mask (CKI Backport Bot) [RHEL-115351]
+- lib: packing: use BITS_PER_BYTE instead of 8 (CKI Backport Bot) [RHEL-115351]
+- lib: packing: fix QUIRK_MSB_ON_THE_RIGHT behavior (CKI Backport Bot) [RHEL-115351]
+- lib: packing: add additional KUnit tests (CKI Backport Bot) [RHEL-115351]
+- lib: packing: add KUnit tests adapted from selftests (CKI Backport Bot) [RHEL-115351]
+- lib: packing: duplicate pack() and unpack() implementations (CKI Backport Bot) [RHEL-115351]
+- lib: packing: add pack() and unpack() wrappers over packing() (CKI Backport Bot) [RHEL-115351]
+- lib: packing: remove kernel-doc from header file (CKI Backport Bot) [RHEL-115351]
+- lib: packing: adjust definitions and implementation for arbitrary buffer lengths (CKI Backport Bot) [RHEL-115351]
+- lib: packing: refuse operating on bit indices which exceed size of buffer (CKI Backport Bot) [RHEL-115351]
+
 * Sat Oct 25 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-55.42.1.el10_0]
 - platform/x86/intel: power-domains: Use topology_logical_package_id() for package ID (CKI Backport Bot) [RHEL-123288]
 - KVM: arm64: Disable MPAM visibility by default and ignore VMM writes (Gavin Shan) [RHEL-121690]
diff --git a/olkmod_signing_key.pem b/olkmod_signing_key.pem
new file mode 100644
index 000000000..7a51daf16
--- /dev/null
+++ b/olkmod_signing_key.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEETCCAvmgAwIBAgIJANw8y5k9b7SaMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBT
+aG9yZXMxGzAZBgNVBAoMEk9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3Jh
+Y2xlIExpbnV4MS0wKwYDVQQDDCRPcmFjbGUgTGludXggUkhDSyBNb2R1bGUgU2ln
+bmluZyBLZXkwHhcNMTYwNTA5MjMzNjA4WhcNMjYwNTA3MjMzNjA4WjCBnjELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFzAVBgNVBAcMDlJlZHdvb2Qg
+U2hvcmVzMRswGQYDVQQKDBJPcmFjbGUgQ29ycG9yYXRpb24xFTATBgNVBAsMDE9y
+YWNsZSBMaW51eDEtMCsGA1UEAwwkT3JhY2xlIExpbnV4IFJIQ0sgTW9kdWxlIFNp
+Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6bUDNNZ
+jIqgsqgspwBIQ18keDxQeGnWgubZZhHrQU3GpeSRPM4lNTHc+UjMjNXrv/CENZdv
+4cETRsxT1VFhGG3CvkbQdzc8v4JOQvWSSJqmViPa1eC+yGaMRnGcFXzKsHiTLA4y
+WMjpJnVowFkwTzscRBlN0AysUg/hT/74DE0oqVnlCJNynqccNWpx8MtNRD55ay9A
+73yJinYES14rXcU3QbJoO0ZxtRz83ZACDUGX0GORT3+NbB0RK0sttogzA3eLvxKw
+umWsWZAHmTuHdWgUjSqqZr34VNLPVcsTHAW8X4bq6rRVcB2lMJ3kJfDP8BJyTn99
+37UmA+/ld47cnwIDAQABo1AwTjAdBgNVHQ4EFgQU3ZlbFVwZs6fD73cHuWniX5Y5
+Zm4wHwYDVR0jBBgwFoAU3ZlbFVwZs6fD73cHuWniX5Y5Zm4wDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAF7nfhWfsk4uEDquLj7nJE0wPlVvllVDugzOk
+R15pnQ7P+HTyz3sLaLJE4N5oWt6pFzDGDYEtPeoMCn1l447tX179Nf5SMZba9ut8
+3Vxbe7jAn9sQO7ArQR1swf1r101Me4+1oHq7rxPRizOOXrKeEvf5NSAUbSzzXfz6
+TEp21KTIQO7MjqpsKshRQbpPeiReaYy3A6gJftun5xekP04QTLZVBR4dL7tvZf0S
+y9SjVg158lONXHfjBekyYTzSFBn/7v+AS8S+cAGRfYteE0Syxl7zJt3GUoEWau/e
+kXHT+hd/hkdSQKZZWZo1380M1pVZZAvntLRBU6IN9SswafhiVg==
+-----END CERTIFICATE-----
diff --git a/olkmod_signing_key1.pem b/olkmod_signing_key1.pem
new file mode 100644
index 000000000..b99afba7a
--- /dev/null
+++ b/olkmod_signing_key1.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGBjCCA+6gAwIBAgIUf99zHRXkhhuQepjkXdIfz1kNGiwwDQYJKoZIhvcNAQEL
+BQAwgZ4xKTAnBgNVBAMMIE9yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyBDQSAx
+MQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRswGQYDVQQKDBJP
+cmFjbGUgQ29ycG9yYXRpb24xGzAZBgNVBAsMEk9yYWNsZSBDb3Jwb3JhdGlvbjET
+MBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yNTA1MDIwOTIzNDFaFw0zNjA0MTIyMTEw
+MjlaMGcxLDAqBgNVBAMMI09yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyAoa2V5
+IDEpMQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRMwEQYDVQQI
+DApDYWxpZm9ybmlhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5dMQ
+z4EwgCYLrxJCYTn0H5yncdJREDgAgkne3nQAmtJjfcoKNqRxieK5j1KjloF3Qvjt
+c5gITvjpne1UrHTodPF9qpJrFieDPb9+CMUGg/R/gk20PofKa5+DhTMyeIEpBOa7
+P6/OdCGiwaGI85Js6JMnNX2YKerehKB44zVfiNmddn7T/3y2QFFNj3VH62tC4XNt
+wZLCHnnO0JzOcZht5KA1JsITSLkT6/o//SZLpaNSAQkkanymdvszV5b0PDu4A0Fi
+5Ch41Akset2kAlpRoRBaVVdNhqKDyzsGRFyzHD57EyyY4M6H3yh2T6SPPOTUOKgn
+tcBfnFuijl2K/d87cnky1v1XzrvZqLzRz11ksLmZrUHZZ3PWfq2EndG8OiO4PdcF
+sF4nd20yuUywW4nj5iZT5h6f8P06C62ILe+dJWNzpGm6JgyYvTnHoUXjoQR+TLs/
+WY1l1N2uf3lc5rkof4g+Ckh/6uI1k5XfyHIzw8Z9wEOliUvHXq/8TVZ653IMmfC8
+gIrIMNOXONMdG7ReTnsr9z7ckv/dYKbW1gWtyY8o92N3dLuYb8MpfvCHkVF5ItUR
+52ay2wOQ1tDlfLUiU21yiglyW4rKanH6mrLd4mM8cphnPvRpZ9SM0qykwHrNqKOA
+m9p0AwIf1zmUL6boX/Xd+6zM2HAXOPMS1EGjA6MCAwEAAaNyMHAwDAYDVR0TAQH/
+BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYE
+FDUwOWM0ZjZkYmZjMGUyODhjOGM4MB8GA1UdIwQYMBaAFGM2NDkzM2I4OWUzNTYw
+ZmVhNWQzMA0GCSqGSIb3DQEBCwUAA4ICAQAmZbUs5P2HGRHt4W/QhGyfxxa/Go8K
+6a1VZlh71OURsbQ42ZDCfrYgw8LtDPqx7ySlUlkjDcc7ZvRh6RzLyn+ARIohhKNH
+PpEzIpOGm5P4zqY9R36STRSgCDl9iCNlk8pGKzqEIT+aCaZUWF+7NcFgePFDuN9W
+FX5tXhxEqqn8rmvGMQ3ZtodxIJb6ksKz6j/JWnuvcD4EgI1ykyc8MAtIm2/qVmPQ
+IofwXo6yL6ygT5K7cMsrte4EbzrHvuhuz89RHDmwmgB6XmZCWBOGYrO7lza2Yx0C
+/m4LcUHPW6XgrtkvIcLST90Ng9fp8EQl7Rp3med0K83kdwKUt7Ju9aPze049tuTQ
+QoHsIHDgsExK4wXUayHNgNNr8lMFm42gTB2DqP9F/Ihq7YhIdfXbOsVdS38Il9+Y
+8RWI87H+0mAxsv2RnaNkEbmd+2vY9j1ebHyblN59mxDEY+h3W7v402ay01Ia2Lnw
+szOAPq6AKZdfi0nan6zunurwEGKGeF4+Gr42RlA0Pcu1ZltBQVuMhvkO1wKZ5vO6
+MNR7swI0fH6VsyUms8wQbR85MCJg0MhpzRKw0g0Ka+c4nF1c4EmU4GaIbCNfzJy+
+68wdJDHhX+sbD7+AJBQ9i6TmtbPIGKNDHh9cMIXs+jMRtia/ZCYEsOOO5B+xrawF
+JuZ4rgQv9ghmhQ==
+-----END CERTIFICATE-----
diff --git a/sources b/sources
index ed5bbee79..1d174819e 100644
--- a/sources
+++ b/sources
@@ -1,7 +1,7 @@
 SHA512 (fedoraimaca.x509) = e04809394f4472c17e86d7024dee34f03fb68e82a85502fd5b00535202c72e57626a8376b2cf991b7e1e46404aa5ab8d189ebf320e0dd37d49e7efbc925c7a2e
-SHA512 (kernel-abi-stablelists-6.12.0-55.42.1.el10_0.tar.xz) = 86d1ea078efef95d2fd0a2db2fd2cd0c20358bc8672058fbb5aeab808b5329a09364a42f55e78f978d66bb352abe613737908d983a2867e914809d1d2d48ea9f
-SHA512 (kernel-kabi-dw-6.12.0-55.42.1.el10_0.tar.xz) = 104ec1b56b9d05a1be1a651cc71ad2dbc73552f99ec46efdbb9509356f47de48e64899e768561bd9a0e3ae8ef382bb1ec2595022bb03daeeff55bec5551fdd7d
-SHA512 (linux-6.12.0-55.42.1.el10_0.tar.xz) = 0add580d6cb60c61e4955ee83bb0ebe9657737eb009b549ac31d29fa4cef21a7317ddf2dbe9d1d22a9e0d52920d98fddcfe326c20b693eb2163fd25d4b5d5d0c
+SHA512 (kernel-abi-stablelists-6.12.0-55.43.1.el10_0.tar.xz) = 9b7ab354e0e9cfb6b1880045f5817362fcc9ba7113193f34feca6c4639f4ab2960499bc9d9e26ec86028d31d93e5f3ae733fc99bcb69af739edc50a6cabb194e
+SHA512 (kernel-kabi-dw-6.12.0-55.43.1.el10_0.tar.xz) = c6780b79970d95793c71f2602a1c59e0b5c56c77adde169e584331e0bb57b29d57045680590327adac3a4a459db21407faa257a2126b63abe4821ef0812b7c65
+SHA512 (linux-6.12.0-55.43.1.el10_0.tar.xz) = 0a9eee7170b0d297d720f53dc5c385efd17fedfd0ec3f97204757cd2004ba2bb9fe6fb48559f57de5f7f5487a2759b8fbc2191a300a220ac25f838c1071e7dbd
 SHA512 (nvidiagpuoot001.x509) = b42f836e1cfa07890cb6ca13de9c3950e306c9ec7686c4c09f050bb68869f5d82962b2cd5f3aa0eb7a0f3a3ae54e9c480eafbac5df53aa92c295ff511a8c59fe
 SHA512 (olima1.x509) = 123c26c1d698cc8523845c6e1103b9c72abf855acd225d37baf1f3388a47f912166d6d786fb367fe46de39e011b586ad7f3963aa2e8923da30a6ea9ae0d76ad3
 SHA512 (olimaca1.x509) = 3a779415fad29d6f7250ec97ab1f0a5eb62c351b724feee06b22e17f065bf74a558f32cc524d3222c4485635ae5b9cd5287855c94010fe743b51a4d954340c4c
diff --git a/x509.genkey.rhel b/x509.genkey.rhel
index b1bbe387f..5b7056d65 100644
--- a/x509.genkey.rhel
+++ b/x509.genkey.rhel
@@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 
 [ req_distinguished_name ]
-O = Red Hat
-CN = Red Hat Enterprise Linux kernel signing key
-emailAddress = secalert@redhat.com
+O = Oracle America, Inc.,c=US
+CN = Oracle CA Server
+emailAddress = support@oracle.com
 
 [ myexts ]
 basicConstraints=critical,CA:FALSE