From aed3ae164a02607584b54bfc7809a63f8d95cfcf Mon Sep 17 00:00:00 2001 
From: Scott Weaver Date: Fri, 2 Aug 2024 11:47:19 -0400 Subject: [PATCH] kernel-5.14.0-490.el9 * Fri Aug 02 2024 Scott Weaver [5.14.0-490.el9] - redhat/dracut-virt.conf: add systemd-veritysetup module (Emanuele Giuseppe Esposito) [RHEL-45168] - redhat/uki_addons/virt: add common FIPS addon (Emanuele Giuseppe Esposito) [RHEL-45160] - redhat/kernel.spec: add uki_addons to create UKI kernel cmdline addons (Emanuele Giuseppe Esposito) [RHEL-45159] - gcc-plugins/stackleak: Avoid .head.text section (Bandan Das) [RHEL-39439] - x86/sev: Skip ROM range scans and validation for SEV-SNP guests (Bandan Das) [RHEL-39439] - x86/sev: Move early startup code into .head.text section (Bandan Das) [RHEL-39439] - x86/sme: Move early SME kernel encryption handling into .head.text (Bandan Das) [RHEL-39439] - x86/sev: Do the C-bit verification only on the BSP (Bandan Das) [RHEL-39439] - x86/sev: Fix kernel crash due to late update to read-only ghcb_version (Bandan Das) [RHEL-39439] - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() (CKI Backport Bot) [RHEL-48140] {CVE-2024-40959} - eeprom: at24: fix memory corruption race condition (Mark Salter) [RHEL-37020] {CVE-2024-35848} - eeprom: at24: Probe for DDR3 thermal sensor in the SPD case (Mark Salter) [RHEL-37020] {CVE-2024-35848} - eeprom: at24: Use dev_err_probe for nvmem register failure (Mark Salter) [RHEL-37020] {CVE-2024-35848} - eeprom: at24: Add support for 24c1025 EEPROM (Mark Salter) [RHEL-37020] {CVE-2024-35848} - eeprom: at24: remove struct at24_client (Mark Salter) [RHEL-37020] {CVE-2024-35848} - at24: Support probing while in non-zero ACPI D state (Mark Salter) [RHEL-37020] {CVE-2024-35848} - selftests: forwarding: devlink_lib: Wait for udev events after reloading (Mark Langsdorf) [RHEL-47652] {CVE-2024-39501} - drivers: core: synchronize really_probe() and dev_uevent() (Mark Langsdorf) [RHEL-47652] {CVE-2024-39501} - xhci: Handle TD clearing for multiple streams case (CKI Backport Bot) [RHEL-47892] 
{CVE-2024-40927} - PCI: pciehp: Retain Power Indicator bits for userspace indicators (Myron Stowe) [RHEL-41181] - sched: act_ct: take care of padding in struct zones_ht_key (Xin Long) [RHEL-50682] - net: bridge: xmit: make sure we have at least eth header len bytes (cki-backport-bot) [RHEL-44297] {CVE-2024-38538} - hugetlb: force allocating surplus hugepages on mempolicy allowed nodes (Aristeu Rozanski) [RHEL-38605] - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages (CKI Backport Bot) [RHEL-47558] {CVE-2024-40904} - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory (CKI Backport Bot) [RHEL-47535] {CVE-2024-40901} - vmxnet3: update to version 9 (Izabela Bakollari) [RHEL-50675] - vmxnet3: add command to allow disabling of offloads (Izabela Bakollari) [RHEL-50675] - vmxnet3: add latency measurement support in vmxnet3 (Izabela Bakollari) [RHEL-50675] - vmxnet3: prepare for version 9 changes (Izabela Bakollari) [RHEL-50675] - vmxnet3: disable rx data ring on dma allocation failure (Izabela Bakollari) [RHEL-50675] - vmxnet3: Fix missing reserved tailroom (Izabela Bakollari) [RHEL-50675] - maple_tree: fix mas_empty_area_rev() null pointer dereference (Aristeu Rozanski) [RHEL-39862] {CVE-2024-36891} - rbd: don't assume rbd_is_lock_owner() for exclusive mappings (Ilya Dryomov) [RHEL-50366] - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings (Ilya Dryomov) [RHEL-50366] - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait (Ilya Dryomov) [RHEL-50366] - scsi: qedf: Set qed_slowpath_params to zero before use (John Meneghini) [RHEL-25193] - scsi: qedf: Wait for stag work during unload (John Meneghini) [RHEL-25193] - scsi: qedf: Don't process stag work during unload and recovery (John Meneghini) [RHEL-25193] - scsi: qedf: Use FC rport as argument for qedf_initiate_tmf() (John Meneghini) [RHEL-25193] - net: fix __dst_negative_advice() race (Xin Long) [RHEL-41185] {CVE-2024-36971} - net: annotate data-races around 
sk->sk_dst_pending_confirm (Xin Long) [RHEL-41185] - scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() (Ewan D. Milne) [RHEL-39719] {CVE-2024-36025} - igb: Remove redundant runtime resume for ethtool_ops (Corinna Vinschen) [RHEL-17487] - net: intel: implement modern PM ops declarations (Corinna Vinschen) [RHEL-17487] - igb: simplify pci ops declaration (Corinna Vinschen) [RHEL-17487] - igb: Fix missing time sync events (Corinna Vinschen) [RHEL-17487] - intel: make module parameters readable in sys filesystem (Corinna Vinschen) [RHEL-17487 RHEL-25998] - net: adopt skb_network_offset() and similar helpers (Corinna Vinschen) [RHEL-17487] - igb: extend PTP timestamp adjustments to i211 (Corinna Vinschen) [RHEL-17487] - net: intel: igb: Use linkmode helpers for EEE (Corinna Vinschen) [RHEL-17487] - igb: Fix string truncation warnings in igb_set_fw_version (Corinna Vinschen) [RHEL-17487 RHEL-38454] {CVE-2024-36010} - intel: legacy: field get conversion (Corinna Vinschen) [RHEL-17487] - intel: legacy: field prep conversion (Corinna Vinschen) [RHEL-17487] - intel: add bit macro includes where needed (Corinna Vinschen) [RHEL-17487] - igb: Use FIELD_GET() to extract Link Width (Corinna Vinschen) [RHEL-17487] - netdevsim: fix rtnetlink.sh selftest (CKI Backport Bot) [RHEL-50016] - selinux: avoid dereference of garbage after mount failure (Ondrej Mosnacek) [RHEL-37187] {CVE-2024-35904} - calipso: fix memory leak in netlbl_calipso_add_pass() (Ondrej Mosnacek) [RHEL-37044] {CVE-2023-52698} - powerpc/pseries: Whitelist dtl slub object for copying to userspace (Mamatha Inamdar) [RHEL-51242] {CVE-2024-41065} - tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). (CKI Backport Bot) [RHEL-44414] {CVE-2024-37356} - tty: add the option to have a tty reject a new ldisc (John W. 
Linville) [RHEL-48254] {CVE-2024-40966} - irqchip/gic-v3-its: Prevent double free on error (Charles Mirabile) [RHEL-37024] {CVE-2024-35847} - usb-storage: alauda: Check whether the media is initialized (CKI Backport Bot) [RHEL-43714] {CVE-2024-38619} - scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool (Ewan D. Milne) [RHEL-38285] {CVE-2023-52811} - gfs2: Fix potential glock use-after-free on unmount (Andreas Gruenbacher) [RHEL-44155] {CVE-2024-38570} - gfs2: simplify gdlm_put_lock with out_free label (Andreas Gruenbacher) [RHEL-44155] {CVE-2024-38570} - gfs2: Remove ill-placed consistency check (Andreas Gruenbacher) [RHEL-44155] {CVE-2024-38570} - openvswitch: Set the skbuff pkt_type for proper pmtud support. (Aaron Conole) [RHEL-37650] - scsi: mpi3mr: Driver version update to 8.8.1.0.50 (Ewan D. Milne) [RHEL-30580] - scsi: mpi3mr: Update MPI Headers to revision 31 (Ewan D. Milne) [RHEL-30580] - scsi: mpi3mr: Debug ability improvements (Ewan D. Milne) [RHEL-30580] - scsi: mpi3mr: Set the WriteSame Divert Capability in the IOCInit MPI Request (Ewan D. Milne) [RHEL-30580] - scsi: mpi3mr: Clear ioctl blocking flag for an unresponsive controller (Ewan D. Milne) [RHEL-30580] - scsi: mpi3mr: Set MPI request flags appropriately (Ewan D. Milne) [RHEL-30580] - scsi: mpi3mr: Block devices are not removed even when VDs are offlined (Ewan D. 
Milne) [RHEL-30580] - x86/retpoline: Add NOENDBR annotation to the SRSO dummy return thunk (Waiman Long) [RHEL-31230] - x86/retpoline: Do the necessary fixup to the Zen3/4 srso return thunk for !SRSO (Waiman Long) [RHEL-31230] - x86/bugs: Fix the SRSO mitigation on Zen3/4 (Waiman Long) [RHEL-31230] - redhat/configs: Rename x86 CPU mitigations config entries (Waiman Long) [RHEL-31230] - x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK (Waiman Long) [RHEL-31230] - x86/bugs: Rename CONFIG_CPU_SRSO => CONFIG_MITIGATION_SRSO (Waiman Long) [RHEL-31230] - x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY => CONFIG_MITIGATION_IBRS_ENTRY (Waiman Long) [RHEL-31230] - x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY => CONFIG_MITIGATION_UNRET_ENTRY (Waiman Long) [RHEL-31230] - x86/bugs: Rename CONFIG_SLS => CONFIG_MITIGATION_SLS (Waiman Long) [RHEL-31230] - x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE (Waiman Long) [RHEL-31230] - x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION (Waiman Long) [RHEL-31230] - x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING => CONFIG_MITIGATION_CALL_DEPTH_TRACKING (Waiman Long) [RHEL-31230] - x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY => CONFIG_MITIGATION_IBPB_ENTRY (Waiman Long) [RHEL-31230] - x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE (Waiman Long) [RHEL-31230] - kbuild: use objtool-args-y to clean up objtool arguments (Waiman Long) [RHEL-31230] - kbuild: do not create *.prelink.o for Clang LTO or IBT (Waiman Long) [RHEL-31230] - kbuild: replace $(linked-object) with CONFIG options (Waiman Long) [RHEL-31230] Resolves: RHEL-17487, RHEL-25193, RHEL-25998, RHEL-30580, RHEL-31230, RHEL-37020, RHEL-37024, RHEL-37044, RHEL-37187, RHEL-37650, RHEL-38285, RHEL-38454, RHEL-38605, RHEL-39439, RHEL-39719, RHEL-39862, RHEL-41181, RHEL-41185, RHEL-43714, RHEL-44155, RHEL-44297, RHEL-44414, RHEL-45159, RHEL-45160, RHEL-45168, RHEL-47535, RHEL-47558, RHEL-47652, RHEL-47892, RHEL-48140, 
RHEL-48254, RHEL-50016, RHEL-50366, RHEL-50675, RHEL-50682, RHEL-51242, RHEL-37025, RHEL-38286, RHEL-39720, RHEL-39863, RHEL-37021, RHEL-44156, RHEL-38455, RHEL-44298, RHEL-43715, RHEL-37045, RHEL-37188, RHEL-41186, RHEL-47536, RHEL-47559, RHEL-47893, RHEL-48141, RHEL-47653, RHEL-48255, RHEL-44415 Signed-off-by: Scott Weaver
---
 Makefile.rhelver | 2 +- dracut-virt.conf | 6 ++ kernel-aarch64-64k-debug-rhel.config | 2 - kernel-aarch64-64k-rhel.config | 2 - kernel-aarch64-debug-rhel.config | 2 - kernel-aarch64-rhel.config | 2 - kernel-aarch64-rt-debug-rhel.config | 2 - kernel-aarch64-rt-rhel.config | 2 - kernel-ppc64le-debug-rhel.config | 2 - kernel-ppc64le-rhel.config | 2 - kernel-s390x-debug-rhel.config | 2 - kernel-s390x-rhel.config | 2 - kernel-s390x-zfcpdump-rhel.config | 2 - kernel-x86_64-debug-rhel.config | 20 ++-- kernel-x86_64-rhel.config | 20 ++-- kernel-x86_64-rt-debug-rhel.config | 20 ++-- kernel-x86_64-rt-rhel.config | 20 ++-- kernel.changelog | 95 +++++++++++++++++ kernel.spec | 131 ++++++++++++++++++++++- sources | 6 +- uki_addons.json | 12 +++ uki_create_addons.py | 151 +++++++++++++++++++++++++++ 22 files changed, 435 insertions(+), 70 deletions(-) create mode 100644 uki_addons.json create mode 100755 uki_create_addons.py
diff --git a/Makefile.rhelver b/Makefile.rhelver
index 13bc1554e..363f9252d 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 5
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 489
+RHEL_RELEASE = 490
 #
 # ZSTREAM
diff --git a/dracut-virt.conf b/dracut-virt.conf
index 24329cde4..75c1554b7 100644
--- a/dracut-virt.conf
+++ b/dracut-virt.conf
@@ -17,6 +17,9 @@ dracutmodules+=" crypt crypt-loop tpm2-tss "
 # WALinuxagent-cvm with CVM specific udev rules
 dracutmodules+=" walinuxagentcvm "
+# modules: root disk integrity protection
+dracutmodules+=" systemd-veritysetup "
+
 # drivers: virtual buses, pci
 drivers+=" virtio-pci virtio-mmio " # qemu-kvm
 drivers+=" hv-vmbus pci-hyperv " # hyperv
@@ -31,6 +34,9 @@ drivers+=" xen-blkfront " # xen
 # root encryption
 drivers+=" dm_crypt "
+# root disk integrity protection
+drivers+=" dm_verity overlay "
+
 # filesystems
 filesystems+=" vfat ext4 xfs overlay "
diff --git a/kernel-aarch64-64k-debug-rhel.config b/kernel-aarch64-64k-debug-rhel.config
index cefc4df1b..72fe055ee 100644
--- a/kernel-aarch64-64k-debug-rhel.config
+++ b/kernel-aarch64-64k-debug-rhel.config
@@ -4242,7 +4242,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_PANEL is not set
 CONFIG_PANIC_ON_OOPS_VALUE=1
 CONFIG_PANIC_ON_OOPS=y
@@ -4807,7 +4806,6 @@ CONFIG_RESET_IMX7=y
 # CONFIG_RESET_SCMI is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
diff --git a/kernel-aarch64-64k-rhel.config b/kernel-aarch64-64k-rhel.config
index f4718c3fd..99aa41320 100644
--- a/kernel-aarch64-64k-rhel.config
+++ b/kernel-aarch64-64k-rhel.config
@@ -4221,7 +4221,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_PANEL is not set
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=0
@@ -4785,7 +4784,6 @@ CONFIG_RESET_IMX7=y
 # CONFIG_RESET_SCMI is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
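Review bot: In the second dracut-virt.conf hunk, the new `drivers+=" dm_verity overlay "` line lists `overlay`, which the unchanged `filesystems+=" vfat ext4 xfs overlay "` line two lines below already pulls in, and overlay is a filesystem rather than part of the integrity-protection stack, so it sits oddly under the `# root disk integrity protection` comment. Unless the duplicate is deliberate, `drivers+=" dm_verity "` would be enough; if a writable overlay on top of the read-only verity root is the intent, say so in the comment rather than leaving the reader to infer it. In the first hunk of the same file it would also help to note next to `dracutmodules+=" systemd-veritysetup "` that the module only enforces integrity when the verity root hash and devices are passed on the kernel command line (presumably via the uki_addons this commit adds, which are not in this view), so an initramfs built from this config with no such parameters boots without verification rather than failing closed.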
diff --git a/kernel-aarch64-debug-rhel.config b/kernel-aarch64-debug-rhel.config
index 31957f57f..7351b5579 100644
--- a/kernel-aarch64-debug-rhel.config
+++ b/kernel-aarch64-debug-rhel.config
@@ -4239,7 +4239,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_PANEL is not set
 CONFIG_PANIC_ON_OOPS_VALUE=1
 CONFIG_PANIC_ON_OOPS=y
@@ -4804,7 +4803,6 @@ CONFIG_RESET_IMX7=y
 # CONFIG_RESET_SCMI is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
diff --git a/kernel-aarch64-rhel.config b/kernel-aarch64-rhel.config
index 4d2791a3e..4e2f36f05 100644
--- a/kernel-aarch64-rhel.config
+++ b/kernel-aarch64-rhel.config
@@ -4218,7 +4218,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_PANEL is not set
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=0
@@ -4782,7 +4781,6 @@ CONFIG_RESET_IMX7=y
 # CONFIG_RESET_SCMI is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
diff --git a/kernel-aarch64-rt-debug-rhel.config b/kernel-aarch64-rt-debug-rhel.config
index 5bbc19656..5ab129080 100644
--- a/kernel-aarch64-rt-debug-rhel.config
+++ b/kernel-aarch64-rt-debug-rhel.config
@@ -4310,7 +4310,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_PANEL is not set
 CONFIG_PANIC_ON_OOPS_VALUE=1
 CONFIG_PANIC_ON_OOPS=y
@@ -4894,7 +4893,6 @@ CONFIG_RESET_IMX7=y
 # CONFIG_RESET_SCMI is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
diff --git a/kernel-aarch64-rt-rhel.config b/kernel-aarch64-rt-rhel.config
index 30027c12b..97411c4ce 100644
--- a/kernel-aarch64-rt-rhel.config
+++ b/kernel-aarch64-rt-rhel.config
@@ -4289,7 +4289,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_PANEL is not set
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=0
@@ -4872,7 +4871,6 @@ CONFIG_RESET_IMX7=y
 # CONFIG_RESET_SCMI is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
diff --git a/kernel-ppc64le-debug-rhel.config b/kernel-ppc64le-debug-rhel.config
index 04078ebd5..339aa234a 100644
--- a/kernel-ppc64le-debug-rhel.config
+++ b/kernel-ppc64le-debug-rhel.config
@@ -3877,7 +3877,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_PANEL is not set
 # CONFIG_PANIC_ON_OOPS is not set
 CONFIG_PANIC_TIMEOUT=180
@@ -4328,7 +4327,6 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_QCOM_PDC is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 # CONFIG_RFKILL_GPIO is not set
diff --git a/kernel-ppc64le-rhel.config b/kernel-ppc64le-rhel.config
index c998a5f74..d40c0907c 100644
--- a/kernel-ppc64le-rhel.config
+++ b/kernel-ppc64le-rhel.config
@@ -3857,7 +3857,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_PANEL is not set
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=180
@@ -4308,7 +4307,6 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_QCOM_PDC is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 # CONFIG_RFKILL_GPIO is not set
diff --git a/kernel-s390x-debug-rhel.config b/kernel-s390x-debug-rhel.config
index a93b7e639..ae3f6873c 100644
--- a/kernel-s390x-debug-rhel.config
+++ b/kernel-s390x-debug-rhel.config
@@ -3863,7 +3863,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_PANEL is not set
 # CONFIG_PANIC_ON_OOPS is not set
 CONFIG_PANIC_TIMEOUT=0
@@ -4273,7 +4272,6 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_QCOM_PDC is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 # CONFIG_RFKILL_GPIO is not set
diff --git a/kernel-s390x-rhel.config b/kernel-s390x-rhel.config
index 105895820..a683d3dad 100644
--- a/kernel-s390x-rhel.config
+++ b/kernel-s390x-rhel.config
@@ -3843,7 +3843,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_PANEL is not set
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=0
@@ -4253,7 +4252,6 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_QCOM_PDC is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 # CONFIG_RFKILL_GPIO is not set
diff --git a/kernel-s390x-zfcpdump-rhel.config b/kernel-s390x-zfcpdump-rhel.config
index f3b8c6fa4..6e82c7e9a 100644
--- a/kernel-s390x-zfcpdump-rhel.config
+++ b/kernel-s390x-zfcpdump-rhel.config
@@ -3857,7 +3857,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_PANEL is not set
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=0
@@ -4268,7 +4267,6 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_QCOM_PDC is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 # CONFIG_RFKILL_GPIO is not set
diff --git a/kernel-x86_64-debug-rhel.config b/kernel-x86_64-debug-rhel.config
index 5f3832708..7fcba8e8e 100644
--- a/kernel-x86_64-debug-rhel.config
+++ b/kernel-x86_64-debug-rhel.config
@@ -576,7 +576,6 @@ CONFIG_CACHEFILES=m
 CONFIG_CACHESTAT_SYSCALL=y
 # CONFIG_CADENCE_WATCHDOG is not set
 # CONFIG_CAIF is not set
-CONFIG_CALL_DEPTH_TRACKING=y
 # CONFIG_CALL_THUNKS_DEBUG is not set
 CONFIG_CAN_8DEV_USB=m
 CONFIG_CAN_BCM=m
@@ -801,8 +800,6 @@ CONFIG_CPU_FREQ_GOV_USERSPACE=y
 CONFIG_CPU_FREQ_STAT=y
 CONFIG_CPU_FREQ=y
 # CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set
-CONFIG_CPU_IBPB_ENTRY=y
-CONFIG_CPU_IBRS_ENTRY=y
 CONFIG_CPU_IDLE_GOV_HALTPOLL=y
 # CONFIG_CPU_IDLE_GOV_LADDER is not set
 CONFIG_CPU_IDLE_GOV_MENU=y
@@ -813,9 +810,7 @@ CONFIG_CPU_LITTLE_ENDIAN=y
 CONFIG_CPUMASK_KUNIT_TEST=m
 CONFIG_CPUMASK_OFFSTACK=y
 CONFIG_CPUSETS=y
-CONFIG_CPU_SRSO=y
 # CONFIG_CPU_THERMAL is not set
-CONFIG_CPU_UNRET_ENTRY=y
 # CONFIG_CRAMFS is not set
 # CONFIG_CRAMFS_MTD is not set
 CONFIG_CRASH_DUMP=y
@@ -1822,7 +1817,6 @@ CONFIG_GACT_PROB=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
 # CONFIG_GCOV_KERNEL is not set
 # CONFIG_GDB_SCRIPTS is not set
-# CONFIG_GDS_FORCE_MITIGATION is not set
 # CONFIG_GENERIC_ADC_BATTERY is not set
 # CONFIG_GENERIC_ADC_THERMAL is not set
 CONFIG_GENERIC_CPU=y
@@ -3265,8 +3259,18 @@ CONFIG_MINIX_SUBPARTITION=y
 CONFIG_MISC_FILESYSTEMS=y
 CONFIG_MISC_RTSX_PCI=m
 CONFIG_MISC_RTSX_USB=m
+CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y
+# CONFIG_MITIGATION_GDS_FORCE is not set
+CONFIG_MITIGATION_IBPB_ENTRY=y
+CONFIG_MITIGATION_IBRS_ENTRY=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_RETHUNK=y
+CONFIG_MITIGATION_RETPOLINE=y
 CONFIG_MITIGATION_RFDS=y
+CONFIG_MITIGATION_SLS=y
 CONFIG_MITIGATION_SPECTRE_BHI=y
+CONFIG_MITIGATION_SRSO=y
+CONFIG_MITIGATION_UNRET_ENTRY=y
 # CONFIG_MK8 is not set
 # CONFIG_MLX4_CORE_GEN2 is not set
 CONFIG_MLX4_EN_DCB=y
@@ -4071,7 +4075,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 CONFIG_PANASONIC_LAPTOP=m
 # CONFIG_PANEL is not set
 # CONFIG_PANIC_ON_OOPS is not set
@@ -4524,8 +4527,6 @@ CONFIG_RESET_CONTROLLER=y
 # CONFIG_RESET_QCOM_PDC is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETHUNK=y
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 # CONFIG_RFKILL_GPIO is not set
@@ -5235,7 +5236,6 @@ CONFIG_SLIP_COMPRESSED=y
 CONFIG_SLIP=m
 # CONFIG_SLIP_MODE_SLIP6 is not set
 CONFIG_SLIP_SMART=y
-CONFIG_SLS=y
 CONFIG_SLUB_CPU_PARTIAL=y
 # CONFIG_SLUB_DEBUG_ON is not set
 CONFIG_SLUB_DEBUG=y
diff --git a/kernel-x86_64-rhel.config b/kernel-x86_64-rhel.config
index 75490f7b7..e68ab5995 100644
--- a/kernel-x86_64-rhel.config
+++ b/kernel-x86_64-rhel.config
@@ -576,7 +576,6 @@ CONFIG_CACHEFILES=m
 CONFIG_CACHESTAT_SYSCALL=y
 # CONFIG_CADENCE_WATCHDOG is not set
 # CONFIG_CAIF is not set
-CONFIG_CALL_DEPTH_TRACKING=y
 # CONFIG_CALL_THUNKS_DEBUG is not set
 CONFIG_CAN_8DEV_USB=m
 CONFIG_CAN_BCM=m
@@ -801,8 +800,6 @@ CONFIG_CPU_FREQ_GOV_USERSPACE=y
 CONFIG_CPU_FREQ_STAT=y
 CONFIG_CPU_FREQ=y
 # CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set
-CONFIG_CPU_IBPB_ENTRY=y
-CONFIG_CPU_IBRS_ENTRY=y
 CONFIG_CPU_IDLE_GOV_HALTPOLL=y
 # CONFIG_CPU_IDLE_GOV_LADDER is not set
 CONFIG_CPU_IDLE_GOV_MENU=y
@@ -813,9 +810,7 @@ CONFIG_CPU_LITTLE_ENDIAN=y
 CONFIG_CPUMASK_KUNIT_TEST=m
 CONFIG_CPUMASK_OFFSTACK=y
 CONFIG_CPUSETS=y
-CONFIG_CPU_SRSO=y
 # CONFIG_CPU_THERMAL is not set
-CONFIG_CPU_UNRET_ENTRY=y
 # CONFIG_CRAMFS is not set
 # CONFIG_CRAMFS_MTD is not set
 CONFIG_CRASH_DUMP=y
@@ -1806,7 +1801,6 @@ CONFIG_GACT_PROB=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
 # CONFIG_GCOV_KERNEL is not set
 # CONFIG_GDB_SCRIPTS is not set
-# CONFIG_GDS_FORCE_MITIGATION is not set
 # CONFIG_GENERIC_ADC_BATTERY is not set
 # CONFIG_GENERIC_ADC_THERMAL is not set
 CONFIG_GENERIC_CPU=y
@@ -3245,8 +3239,18 @@ CONFIG_MINIX_SUBPARTITION=y
 CONFIG_MISC_FILESYSTEMS=y
 CONFIG_MISC_RTSX_PCI=m
 CONFIG_MISC_RTSX_USB=m
+CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y
+# CONFIG_MITIGATION_GDS_FORCE is not set
+CONFIG_MITIGATION_IBPB_ENTRY=y
+CONFIG_MITIGATION_IBRS_ENTRY=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_RETHUNK=y
+CONFIG_MITIGATION_RETPOLINE=y
 CONFIG_MITIGATION_RFDS=y
+CONFIG_MITIGATION_SLS=y
 CONFIG_MITIGATION_SPECTRE_BHI=y
+CONFIG_MITIGATION_SRSO=y
+CONFIG_MITIGATION_UNRET_ENTRY=y
 # CONFIG_MK8 is not set
 # CONFIG_MLX4_CORE_GEN2 is not set
 CONFIG_MLX4_EN_DCB=y
@@ -4051,7 +4055,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 CONFIG_PANASONIC_LAPTOP=m
 # CONFIG_PANEL is not set
 CONFIG_PANIC_ON_OOPS=y
@@ -4503,8 +4506,6 @@ CONFIG_RESET_CONTROLLER=y
 # CONFIG_RESET_QCOM_PDC is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETHUNK=y
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 # CONFIG_RFKILL_GPIO is not set
@@ -5214,7 +5215,6 @@ CONFIG_SLIP_COMPRESSED=y
 CONFIG_SLIP=m
 # CONFIG_SLIP_MODE_SLIP6 is not set
 CONFIG_SLIP_SMART=y
-CONFIG_SLS=y
 CONFIG_SLUB_CPU_PARTIAL=y
 # CONFIG_SLUB_DEBUG_ON is not set
 CONFIG_SLUB_DEBUG=y
diff --git a/kernel-x86_64-rt-debug-rhel.config b/kernel-x86_64-rt-debug-rhel.config
index 5b66a7e26..7a727c656 100644
--- a/kernel-x86_64-rt-debug-rhel.config
+++ b/kernel-x86_64-rt-debug-rhel.config
@@ -587,7 +587,6 @@ CONFIG_CACHEFILES=m
 CONFIG_CACHESTAT_SYSCALL=y
 # CONFIG_CADENCE_WATCHDOG is not set
 # CONFIG_CAIF is not set
-CONFIG_CALL_DEPTH_TRACKING=y
 # CONFIG_CALL_THUNKS_DEBUG is not set
 CONFIG_CAN_8DEV_USB=m
 CONFIG_CAN_BCM=m
@@ -816,8 +815,6 @@ CONFIG_CPU_FREQ_GOV_USERSPACE=y
 CONFIG_CPU_FREQ_STAT=y
 CONFIG_CPU_FREQ=y
 # CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set
-CONFIG_CPU_IBPB_ENTRY=y
-CONFIG_CPU_IBRS_ENTRY=y
 CONFIG_CPU_IDLE_GOV_HALTPOLL=y
 # CONFIG_CPU_IDLE_GOV_LADDER is not set
 CONFIG_CPU_IDLE_GOV_MENU=y
@@ -828,9 +825,7 @@ CONFIG_CPU_LITTLE_ENDIAN=y
 CONFIG_CPUMASK_KUNIT_TEST=m
 CONFIG_CPUMASK_OFFSTACK=y
 CONFIG_CPUSETS=y
-CONFIG_CPU_SRSO=y
 # CONFIG_CPU_THERMAL is not set
-CONFIG_CPU_UNRET_ENTRY=y
 # CONFIG_CRAMFS is not set
 # CONFIG_CRAMFS_MTD is not set
 CONFIG_CRASH_DUMP=y
@@ -1868,7 +1863,6 @@ CONFIG_GACT_PROB=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
 # CONFIG_GCOV_KERNEL is not set
 # CONFIG_GDB_SCRIPTS is not set
-# CONFIG_GDS_FORCE_MITIGATION is not set
 # CONFIG_GENERIC_ADC_BATTERY is not set
 # CONFIG_GENERIC_ADC_THERMAL is not set
 CONFIG_GENERIC_CPU=y
@@ -3322,8 +3316,18 @@ CONFIG_MINIX_SUBPARTITION=y
 CONFIG_MISC_FILESYSTEMS=y
 CONFIG_MISC_RTSX_PCI=m
 CONFIG_MISC_RTSX_USB=m
+CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y
+# CONFIG_MITIGATION_GDS_FORCE is not set
+CONFIG_MITIGATION_IBPB_ENTRY=y
+CONFIG_MITIGATION_IBRS_ENTRY=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_RETHUNK=y
+CONFIG_MITIGATION_RETPOLINE=y
 CONFIG_MITIGATION_RFDS=y
+CONFIG_MITIGATION_SLS=y
 CONFIG_MITIGATION_SPECTRE_BHI=y
+CONFIG_MITIGATION_SRSO=y
+CONFIG_MITIGATION_UNRET_ENTRY=y
 # CONFIG_MK8 is not set
 # CONFIG_MLX4_CORE_GEN2 is not set
 CONFIG_MLX4_DEBUG=y
@@ -4140,7 +4144,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 CONFIG_PANASONIC_LAPTOP=m
 # CONFIG_PANEL is not set
 # CONFIG_PANIC_ON_OOPS is not set
@@ -4613,8 +4616,6 @@ CONFIG_RESET_CONTROLLER=y
 # CONFIG_RESET_QCOM_PDC is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETHUNK=y
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 # CONFIG_RFKILL_GPIO is not set
@@ -5328,7 +5329,6 @@ CONFIG_SLIP_COMPRESSED=y
 CONFIG_SLIP=m
 # CONFIG_SLIP_MODE_SLIP6 is not set
 CONFIG_SLIP_SMART=y
-CONFIG_SLS=y
 # CONFIG_SLUB_CPU_PARTIAL is not set
 # CONFIG_SLUB_DEBUG_ON is not set
 CONFIG_SLUB_DEBUG=y
diff --git a/kernel-x86_64-rt-rhel.config b/kernel-x86_64-rt-rhel.config
index 6cd32fe90..8b857a256 100644
--- a/kernel-x86_64-rt-rhel.config
+++ b/kernel-x86_64-rt-rhel.config
@@ -587,7 +587,6 @@ CONFIG_CACHEFILES=m
 CONFIG_CACHESTAT_SYSCALL=y
 # CONFIG_CADENCE_WATCHDOG is not set
 # CONFIG_CAIF is not set
-CONFIG_CALL_DEPTH_TRACKING=y
 # CONFIG_CALL_THUNKS_DEBUG is not set
 CONFIG_CAN_8DEV_USB=m
 CONFIG_CAN_BCM=m
@@ -816,8 +815,6 @@ CONFIG_CPU_FREQ_GOV_USERSPACE=y
 CONFIG_CPU_FREQ_STAT=y
 CONFIG_CPU_FREQ=y
 # CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set
-CONFIG_CPU_IBPB_ENTRY=y
-CONFIG_CPU_IBRS_ENTRY=y
 CONFIG_CPU_IDLE_GOV_HALTPOLL=y
 # CONFIG_CPU_IDLE_GOV_LADDER is not set
 CONFIG_CPU_IDLE_GOV_MENU=y
@@ -828,9 +825,7 @@ CONFIG_CPU_LITTLE_ENDIAN=y
 CONFIG_CPUMASK_KUNIT_TEST=m
 CONFIG_CPUMASK_OFFSTACK=y
 CONFIG_CPUSETS=y
-CONFIG_CPU_SRSO=y
 # CONFIG_CPU_THERMAL is not set
-CONFIG_CPU_UNRET_ENTRY=y
 # CONFIG_CRAMFS is not set
 # CONFIG_CRAMFS_MTD is not set
 CONFIG_CRASH_DUMP=y
@@ -1852,7 +1847,6 @@ CONFIG_GACT_PROB=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
 # CONFIG_GCOV_KERNEL is not set
 # CONFIG_GDB_SCRIPTS is not set
-# CONFIG_GDS_FORCE_MITIGATION is not set
 # CONFIG_GENERIC_ADC_BATTERY is not set
 # CONFIG_GENERIC_ADC_THERMAL is not set
 CONFIG_GENERIC_CPU=y
@@ -3302,8 +3296,18 @@ CONFIG_MINIX_SUBPARTITION=y
 CONFIG_MISC_FILESYSTEMS=y
 CONFIG_MISC_RTSX_PCI=m
 CONFIG_MISC_RTSX_USB=m
+CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y
+# CONFIG_MITIGATION_GDS_FORCE is not set
+CONFIG_MITIGATION_IBPB_ENTRY=y
+CONFIG_MITIGATION_IBRS_ENTRY=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_RETHUNK=y
+CONFIG_MITIGATION_RETPOLINE=y
 CONFIG_MITIGATION_RFDS=y
+CONFIG_MITIGATION_SLS=y
 CONFIG_MITIGATION_SPECTRE_BHI=y
+CONFIG_MITIGATION_SRSO=y
+CONFIG_MITIGATION_UNRET_ENTRY=y
 # CONFIG_MK8 is not set
 # CONFIG_MLX4_CORE_GEN2 is not set
 CONFIG_MLX4_DEBUG=y
@@ -4120,7 +4124,6 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POOL_STATS=y
 CONFIG_PAGE_REPORTING=y
 # CONFIG_PAGE_TABLE_CHECK is not set
-CONFIG_PAGE_TABLE_ISOLATION=y
 CONFIG_PANASONIC_LAPTOP=m
 # CONFIG_PANEL is not set
 CONFIG_PANIC_ON_OOPS=y
@@ -4592,8 +4595,6 @@ CONFIG_RESET_CONTROLLER=y
 # CONFIG_RESET_QCOM_PDC is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RESOURCE_KUNIT_TEST=m
-CONFIG_RETHUNK=y
-CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 # CONFIG_RFKILL_GPIO is not set
@@ -5307,7 +5308,6 @@ CONFIG_SLIP_COMPRESSED=y
 CONFIG_SLIP=m
 # CONFIG_SLIP_MODE_SLIP6 is not set
 CONFIG_SLIP_SMART=y
-CONFIG_SLS=y
 # CONFIG_SLUB_CPU_PARTIAL is not set
 # CONFIG_SLUB_DEBUG_ON is not set
 CONFIG_SLUB_DEBUG=y
diff --git a/kernel.changelog b/kernel.changelog
index 8696ef6ef..2f4d9376b 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,98 @@ +* Fri Aug 02 2024 Scott Weaver [5.14.0-490.el9] +- redhat/dracut-virt.conf: add systemd-veritysetup module (Emanuele Giuseppe Esposito) [RHEL-45168] +- redhat/uki_addons/virt: add common FIPS addon (Emanuele Giuseppe Esposito) [RHEL-45160] +- redhat/kernel.spec: add uki_addons to create UKI kernel cmdline addons (Emanuele Giuseppe Esposito) [RHEL-45159] +- gcc-plugins/stackleak: Avoid .head.text section (Bandan Das) [RHEL-39439] +- x86/sev: Skip ROM range scans and validation for SEV-SNP guests (Bandan Das) [RHEL-39439] +- x86/sev: Move early startup code into .head.text section (Bandan Das) [RHEL-39439] +- x86/sme: Move early SME kernel encryption handling into .head.text (Bandan Das) [RHEL-39439] +- x86/sev: Do the C-bit verification only on the BSP (Bandan Das) [RHEL-39439] +- x86/sev: Fix kernel crash due to late update to read-only ghcb_version (Bandan Das) [RHEL-39439] +- xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() (CKI Backport Bot) [RHEL-48140] {CVE-2024-40959} +- eeprom: at24: fix memory corruption race condition (Mark Salter) [RHEL-37020] {CVE-2024-35848} +- eeprom: at24: Probe for DDR3 thermal sensor in the SPD case (Mark Salter) [RHEL-37020] {CVE-2024-35848} +- eeprom: at24: Use dev_err_probe for nvmem register failure (Mark Salter) [RHEL-37020] {CVE-2024-35848} +- eeprom: at24: Add support for 24c1025 EEPROM (Mark Salter) [RHEL-37020] {CVE-2024-35848} +- eeprom: at24: remove struct at24_client (Mark Salter) [RHEL-37020] {CVE-2024-35848} +- at24: Support probing while in non-zero ACPI D state (Mark Salter) [RHEL-37020] {CVE-2024-35848} +- selftests: forwarding: devlink_lib: Wait for udev events after reloading (Mark Langsdorf) [RHEL-47652] {CVE-2024-39501} +- drivers: core: synchronize really_probe() and dev_uevent() (Mark Langsdorf) [RHEL-47652] {CVE-2024-39501} +- xhci: Handle TD clearing for multiple streams case (CKI Backport Bot) [RHEL-47892] {CVE-2024-40927} +- PCI: pciehp: Retain Power Indicator bits for 
userspace indicators (Myron Stowe) [RHEL-41181] +- sched: act_ct: take care of padding in struct zones_ht_key (Xin Long) [RHEL-50682] +- net: bridge: xmit: make sure we have at least eth header len bytes (cki-backport-bot) [RHEL-44297] {CVE-2024-38538} +- hugetlb: force allocating surplus hugepages on mempolicy allowed nodes (Aristeu Rozanski) [RHEL-38605] +- USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages (CKI Backport Bot) [RHEL-47558] {CVE-2024-40904} +- scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory (CKI Backport Bot) [RHEL-47535] {CVE-2024-40901} +- vmxnet3: update to version 9 (Izabela Bakollari) [RHEL-50675] +- vmxnet3: add command to allow disabling of offloads (Izabela Bakollari) [RHEL-50675] +- vmxnet3: add latency measurement support in vmxnet3 (Izabela Bakollari) [RHEL-50675] +- vmxnet3: prepare for version 9 changes (Izabela Bakollari) [RHEL-50675] +- vmxnet3: disable rx data ring on dma allocation failure (Izabela Bakollari) [RHEL-50675] +- vmxnet3: Fix missing reserved tailroom (Izabela Bakollari) [RHEL-50675] +- maple_tree: fix mas_empty_area_rev() null pointer dereference (Aristeu Rozanski) [RHEL-39862] {CVE-2024-36891} +- rbd: don't assume rbd_is_lock_owner() for exclusive mappings (Ilya Dryomov) [RHEL-50366] +- rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings (Ilya Dryomov) [RHEL-50366] +- rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait (Ilya Dryomov) [RHEL-50366] +- scsi: qedf: Set qed_slowpath_params to zero before use (John Meneghini) [RHEL-25193] +- scsi: qedf: Wait for stag work during unload (John Meneghini) [RHEL-25193] +- scsi: qedf: Don't process stag work during unload and recovery (John Meneghini) [RHEL-25193] +- scsi: qedf: Use FC rport as argument for qedf_initiate_tmf() (John Meneghini) [RHEL-25193] +- net: fix __dst_negative_advice() race (Xin Long) [RHEL-41185] {CVE-2024-36971} +- net: annotate data-races around sk->sk_dst_pending_confirm (Xin Long) [RHEL-41185] +- 
scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() (Ewan D. Milne) [RHEL-39719] {CVE-2024-36025} +- igb: Remove redundant runtime resume for ethtool_ops (Corinna Vinschen) [RHEL-17487] +- net: intel: implement modern PM ops declarations (Corinna Vinschen) [RHEL-17487] +- igb: simplify pci ops declaration (Corinna Vinschen) [RHEL-17487] +- igb: Fix missing time sync events (Corinna Vinschen) [RHEL-17487] +- intel: make module parameters readable in sys filesystem (Corinna Vinschen) [RHEL-17487 RHEL-25998] +- net: adopt skb_network_offset() and similar helpers (Corinna Vinschen) [RHEL-17487] +- igb: extend PTP timestamp adjustments to i211 (Corinna Vinschen) [RHEL-17487] +- net: intel: igb: Use linkmode helpers for EEE (Corinna Vinschen) [RHEL-17487] +- igb: Fix string truncation warnings in igb_set_fw_version (Corinna Vinschen) [RHEL-17487 RHEL-38454] {CVE-2024-36010} +- intel: legacy: field get conversion (Corinna Vinschen) [RHEL-17487] +- intel: legacy: field prep conversion (Corinna Vinschen) [RHEL-17487] +- intel: add bit macro includes where needed (Corinna Vinschen) [RHEL-17487] +- igb: Use FIELD_GET() to extract Link Width (Corinna Vinschen) [RHEL-17487] +- netdevsim: fix rtnetlink.sh selftest (CKI Backport Bot) [RHEL-50016] +- selinux: avoid dereference of garbage after mount failure (Ondrej Mosnacek) [RHEL-37187] {CVE-2024-35904} +- calipso: fix memory leak in netlbl_calipso_add_pass() (Ondrej Mosnacek) [RHEL-37044] {CVE-2023-52698} +- powerpc/pseries: Whitelist dtl slub object for copying to userspace (Mamatha Inamdar) [RHEL-51242] {CVE-2024-41065} +- tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). (CKI Backport Bot) [RHEL-44414] {CVE-2024-37356} +- tty: add the option to have a tty reject a new ldisc (John W. 
Linville) [RHEL-48254] {CVE-2024-40966} +- irqchip/gic-v3-its: Prevent double free on error (Charles Mirabile) [RHEL-37024] {CVE-2024-35847} +- usb-storage: alauda: Check whether the media is initialized (CKI Backport Bot) [RHEL-43714] {CVE-2024-38619} +- scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool (Ewan D. Milne) [RHEL-38285] {CVE-2023-52811} +- gfs2: Fix potential glock use-after-free on unmount (Andreas Gruenbacher) [RHEL-44155] {CVE-2024-38570} +- gfs2: simplify gdlm_put_lock with out_free label (Andreas Gruenbacher) [RHEL-44155] {CVE-2024-38570} +- gfs2: Remove ill-placed consistency check (Andreas Gruenbacher) [RHEL-44155] {CVE-2024-38570} +- openvswitch: Set the skbuff pkt_type for proper pmtud support. (Aaron Conole) [RHEL-37650] +- scsi: mpi3mr: Driver version update to 8.8.1.0.50 (Ewan D. Milne) [RHEL-30580] +- scsi: mpi3mr: Update MPI Headers to revision 31 (Ewan D. Milne) [RHEL-30580] +- scsi: mpi3mr: Debug ability improvements (Ewan D. Milne) [RHEL-30580] +- scsi: mpi3mr: Set the WriteSame Divert Capability in the IOCInit MPI Request (Ewan D. Milne) [RHEL-30580] +- scsi: mpi3mr: Clear ioctl blocking flag for an unresponsive controller (Ewan D. Milne) [RHEL-30580] +- scsi: mpi3mr: Set MPI request flags appropriately (Ewan D. Milne) [RHEL-30580] +- scsi: mpi3mr: Block devices are not removed even when VDs are offlined (Ewan D. 
Milne) [RHEL-30580] +- x86/retpoline: Add NOENDBR annotation to the SRSO dummy return thunk (Waiman Long) [RHEL-31230] +- x86/retpoline: Do the necessary fixup to the Zen3/4 srso return thunk for !SRSO (Waiman Long) [RHEL-31230] +- x86/bugs: Fix the SRSO mitigation on Zen3/4 (Waiman Long) [RHEL-31230] +- redhat/configs: Rename x86 CPU mitigations config entries (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_CPU_SRSO => CONFIG_MITIGATION_SRSO (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY => CONFIG_MITIGATION_IBRS_ENTRY (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY => CONFIG_MITIGATION_UNRET_ENTRY (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_SLS => CONFIG_MITIGATION_SLS (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING => CONFIG_MITIGATION_CALL_DEPTH_TRACKING (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY => CONFIG_MITIGATION_IBPB_ENTRY (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE (Waiman Long) [RHEL-31230] +- kbuild: use objtool-args-y to clean up objtool arguments (Waiman Long) [RHEL-31230] +- kbuild: do not create *.prelink.o for Clang LTO or IBT (Waiman Long) [RHEL-31230] +- kbuild: replace $(linked-object) with CONFIG options (Waiman Long) [RHEL-31230] +Resolves: RHEL-17487, RHEL-25193, RHEL-25998, RHEL-30580, RHEL-31230, RHEL-37020, RHEL-37024, RHEL-37044, RHEL-37187, RHEL-37650, RHEL-38285, RHEL-38454, RHEL-38605, RHEL-39439, RHEL-39719, RHEL-39862, RHEL-41181, RHEL-41185, RHEL-43714, RHEL-44155, RHEL-44297, RHEL-44414, RHEL-45159, RHEL-45160, RHEL-45168, RHEL-47535, RHEL-47558, RHEL-47652, 
RHEL-47892, RHEL-48140, RHEL-48254, RHEL-50016, RHEL-50366, RHEL-50675, RHEL-50682, RHEL-51242, RHEL-37025, RHEL-38286, RHEL-39720, RHEL-39863, RHEL-37021, RHEL-44156, RHEL-38455, RHEL-44298, RHEL-43715, RHEL-37045, RHEL-37188, RHEL-41186, RHEL-47536, RHEL-47559, RHEL-47893, RHEL-48141, RHEL-47653, RHEL-48255, RHEL-44415 + * Mon Jul 29 2024 Lucas Zampieri [5.14.0-489.el9] - powerpc/pseries: Fix scv instruction crash with kexec (Mamatha Inamdar) [RHEL-14159] - powerpc/numa: Online a node if PHB is attached. (Mamatha Inamdar) [RHEL-50147] diff --git a/kernel.spec b/kernel.spec index 10cf920fd..8b9b72ec1 100755 --- a/kernel.spec +++ b/kernel.spec @@ -165,15 +165,15 @@ Summary: The Linux kernel # define buildid .local %define specversion 5.14.0 %define patchversion 5.14 -%define pkgrelease 489 +%define pkgrelease 490 %define kversion 5 -%define tarfile_release 5.14.0-489.el9 +%define tarfile_release 5.14.0-490.el9 # This is needed to do merge window version magic %define patchlevel 14 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 489%{?buildid}%{?dist} +%define specrelease 490%{?buildid}%{?dist} # This defines the kabi tarball version -%define kabiversion 5.14.0-489.el9 +%define kabiversion 5.14.0-490.el9 # # End of genspec.sh variables @@ -785,6 +785,8 @@ BuildRequires: lvm2 BuildRequires: systemd-boot-unsigned # For systemd-pcrphase BuildRequires: systemd-udev >= 252-1 +# For UKI kernel cmdline addons +BuildRequires: systemd-ukify # For TPM operations in UKI initramfs BuildRequires: tpm2-tools # For Azure CVM specific udev rules @@ -929,6 +931,9 @@ Source105: nvidiagpuoot001.x509 Source150: dracut-virt.conf +Source151: uki_create_addons.py +Source152: uki_addons.json + Source200: check-kabi Source201: Module.kabi_aarch64 
@@ -1504,6 +1509,11 @@ Provides: kernel-%{?1:%{1}-}uname-r = %{KVERREL}%{uname_suffix %{?1:%{1}}}\ Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:%{1}}}\ Requires(pre): %{kernel_prereq}\ Requires(pre): systemd >= 252-20\ +%package %{?1:%{1}-}uki-virt-addons\ +Summary: %{variant_summary} unified kernel image addons for virtual machines\ +Provides: installonlypkg(kernel)\ +Requires: kernel%{?1:-%{1}}-uki-virt = %{version}-%{release}\ +Requires(pre): systemd >= 252-20\ %endif\ %endif\ %if "%{1}" == "rt" || "%{1}" == "rt-debug"\ @@ -1624,8 +1634,14 @@ input and output, etc. %description debug-uki-virt Prebuilt debug unified kernel image for virtual machines. +%description debug-uki-virt-addons +Prebuilt debug unified kernel image addons for virtual machines. + %description uki-virt Prebuilt default unified kernel image for virtual machines. + +%description uki-virt-addons +Prebuilt default unified kernel image addons for virtual machines. %endif %if %{with_ipaclones} @@ -2466,6 +2482,10 @@ BuildKernel() { --kernel-cmdline 'console=tty0 console=ttyS0' \ $KernelUnifiedImage + KernelAddonsDirOut="$KernelUnifiedImage.extra.d" + mkdir -p $KernelAddonsDirOut + python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} + %if %{signkernel} %if 0%{?centos} @@ -2482,6 +2502,12 @@ BuildKernel() { fi mv $KernelUnifiedImage.signed $KernelUnifiedImage + for addon in "$KernelAddonsDirOut"/*; do + %pesign -s -i $addon -o $addon.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} + rm -f $addon + mv $addon.signed $addon + done + # signkernel %endif 
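Review bot: In the signing loop added in the `@@ -2482` hunk, `for addon in "$KernelAddonsDirOut"/*; do` expands to the literal pattern when the directory is empty (no addon matched the uki/distro/arch tuple, or the script produced none), so `%pesign -s -i $addon` runs against a non-existent path; make `[ -e "$addon" ] || continue` the first statement of the loop, and quote `"$addon"` in the pesign, `rm -f` and `mv` lines. The `@@ -2466` hunk passes `$KernelAddonsDirOut` unquoted to `mkdir -p` and to `python3`, while the loop already uses the quoted form; the two should agree. The `%files` glob `*.addon.efi` in the `@@ -3692` hunk has the same empty-directory failure mode, since rpmbuild treats a %files glob that matches nothing as an error, so the empty case needs to be decided once (fail the build with a clear message, or drop the subpackage when nothing was generated). BuildKernel() starts and ends outside the hunk.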
@@ -3692,6 +3718,9 @@ fi /lib/modules/%{KVERREL}%{?3:+%{3}}/modules.builtin*\ /lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi\ %ghost /%{image_install_path}/efi/EFI/Linux/%{?-k:%{-k*}}%{!?-k:*}-%{KVERREL}%{?3:+%{3}}.efi\ +%{expand:%%files %{?3:%{3}-}uki-virt-addons}\ +/lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi.extra.d/ \ +/lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi.extra.d/*.addon.efi\ %endif\ %endif\ %if %{?3:1} %{!?3:0}\ 
@@ -3753,6 +3782,100 @@ fi # # %changelog +* Fri Aug 02 2024 Scott Weaver [5.14.0-490.el9] +- redhat/dracut-virt.conf: add systemd-veritysetup module (Emanuele Giuseppe Esposito) [RHEL-45168] +- redhat/uki_addons/virt: add common FIPS addon (Emanuele Giuseppe Esposito) [RHEL-45160] +- redhat/kernel.spec: add uki_addons to create UKI kernel cmdline addons (Emanuele Giuseppe Esposito) [RHEL-45159] +- gcc-plugins/stackleak: Avoid .head.text section (Bandan Das) [RHEL-39439] +- x86/sev: Skip ROM range scans and validation for SEV-SNP guests (Bandan Das) [RHEL-39439] +- x86/sev: Move early startup code into .head.text section (Bandan Das) [RHEL-39439] +- x86/sme: Move early SME kernel encryption handling into .head.text (Bandan Das) [RHEL-39439] +- x86/sev: Do the C-bit verification only on the BSP (Bandan Das) [RHEL-39439] +- x86/sev: Fix kernel crash due to late update to read-only ghcb_version (Bandan Das) [RHEL-39439] +- xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() (CKI Backport Bot) [RHEL-48140] {CVE-2024-40959} +- eeprom: at24: fix memory corruption race condition (Mark Salter) [RHEL-37020] {CVE-2024-35848} +- eeprom: at24: Probe for DDR3 thermal sensor in the SPD case (Mark Salter) [RHEL-37020] {CVE-2024-35848} +- eeprom: at24: Use dev_err_probe for nvmem register failure (Mark Salter) [RHEL-37020] {CVE-2024-35848} +- eeprom: at24: Add support for 24c1025 EEPROM (Mark Salter) [RHEL-37020] {CVE-2024-35848} +- eeprom: at24: remove struct at24_client (Mark Salter) [RHEL-37020] {CVE-2024-35848} +- at24: Support probing while in non-zero ACPI D state (Mark Salter) [RHEL-37020] {CVE-2024-35848} +- selftests: forwarding: devlink_lib: Wait for udev events after reloading (Mark Langsdorf) [RHEL-47652] {CVE-2024-39501} +- drivers: core: synchronize really_probe() and dev_uevent() (Mark Langsdorf) [RHEL-47652] {CVE-2024-39501} +- xhci: Handle TD clearing for multiple streams case (CKI Backport Bot) [RHEL-47892] {CVE-2024-40927} +- PCI: pciehp: Retain Power 
Indicator bits for userspace indicators (Myron Stowe) [RHEL-41181] +- sched: act_ct: take care of padding in struct zones_ht_key (Xin Long) [RHEL-50682] +- net: bridge: xmit: make sure we have at least eth header len bytes (cki-backport-bot) [RHEL-44297] {CVE-2024-38538} +- hugetlb: force allocating surplus hugepages on mempolicy allowed nodes (Aristeu Rozanski) [RHEL-38605] +- USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages (CKI Backport Bot) [RHEL-47558] {CVE-2024-40904} +- scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory (CKI Backport Bot) [RHEL-47535] {CVE-2024-40901} +- vmxnet3: update to version 9 (Izabela Bakollari) [RHEL-50675] +- vmxnet3: add command to allow disabling of offloads (Izabela Bakollari) [RHEL-50675] +- vmxnet3: add latency measurement support in vmxnet3 (Izabela Bakollari) [RHEL-50675] +- vmxnet3: prepare for version 9 changes (Izabela Bakollari) [RHEL-50675] +- vmxnet3: disable rx data ring on dma allocation failure (Izabela Bakollari) [RHEL-50675] +- vmxnet3: Fix missing reserved tailroom (Izabela Bakollari) [RHEL-50675] +- maple_tree: fix mas_empty_area_rev() null pointer dereference (Aristeu Rozanski) [RHEL-39862] {CVE-2024-36891} +- rbd: don't assume rbd_is_lock_owner() for exclusive mappings (Ilya Dryomov) [RHEL-50366] +- rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings (Ilya Dryomov) [RHEL-50366] +- rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait (Ilya Dryomov) [RHEL-50366] +- scsi: qedf: Set qed_slowpath_params to zero before use (John Meneghini) [RHEL-25193] +- scsi: qedf: Wait for stag work during unload (John Meneghini) [RHEL-25193] +- scsi: qedf: Don't process stag work during unload and recovery (John Meneghini) [RHEL-25193] +- scsi: qedf: Use FC rport as argument for qedf_initiate_tmf() (John Meneghini) [RHEL-25193] +- net: fix __dst_negative_advice() race (Xin Long) [RHEL-41185] {CVE-2024-36971} +- net: annotate data-races around sk->sk_dst_pending_confirm (Xin 
Long) [RHEL-41185] +- scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() (Ewan D. Milne) [RHEL-39719] {CVE-2024-36025} +- igb: Remove redundant runtime resume for ethtool_ops (Corinna Vinschen) [RHEL-17487] +- net: intel: implement modern PM ops declarations (Corinna Vinschen) [RHEL-17487] +- igb: simplify pci ops declaration (Corinna Vinschen) [RHEL-17487] +- igb: Fix missing time sync events (Corinna Vinschen) [RHEL-17487] +- intel: make module parameters readable in sys filesystem (Corinna Vinschen) [RHEL-17487 RHEL-25998] +- net: adopt skb_network_offset() and similar helpers (Corinna Vinschen) [RHEL-17487] +- igb: extend PTP timestamp adjustments to i211 (Corinna Vinschen) [RHEL-17487] +- net: intel: igb: Use linkmode helpers for EEE (Corinna Vinschen) [RHEL-17487] +- igb: Fix string truncation warnings in igb_set_fw_version (Corinna Vinschen) [RHEL-17487 RHEL-38454] {CVE-2024-36010} +- intel: legacy: field get conversion (Corinna Vinschen) [RHEL-17487] +- intel: legacy: field prep conversion (Corinna Vinschen) [RHEL-17487] +- intel: add bit macro includes where needed (Corinna Vinschen) [RHEL-17487] +- igb: Use FIELD_GET() to extract Link Width (Corinna Vinschen) [RHEL-17487] +- netdevsim: fix rtnetlink.sh selftest (CKI Backport Bot) [RHEL-50016] +- selinux: avoid dereference of garbage after mount failure (Ondrej Mosnacek) [RHEL-37187] {CVE-2024-35904} +- calipso: fix memory leak in netlbl_calipso_add_pass() (Ondrej Mosnacek) [RHEL-37044] {CVE-2023-52698} +- powerpc/pseries: Whitelist dtl slub object for copying to userspace (Mamatha Inamdar) [RHEL-51242] {CVE-2024-41065} +- tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). (CKI Backport Bot) [RHEL-44414] {CVE-2024-37356} +- tty: add the option to have a tty reject a new ldisc (John W. 
Linville) [RHEL-48254] {CVE-2024-40966} +- irqchip/gic-v3-its: Prevent double free on error (Charles Mirabile) [RHEL-37024] {CVE-2024-35847} +- usb-storage: alauda: Check whether the media is initialized (CKI Backport Bot) [RHEL-43714] {CVE-2024-38619} +- scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool (Ewan D. Milne) [RHEL-38285] {CVE-2023-52811} +- gfs2: Fix potential glock use-after-free on unmount (Andreas Gruenbacher) [RHEL-44155] {CVE-2024-38570} +- gfs2: simplify gdlm_put_lock with out_free label (Andreas Gruenbacher) [RHEL-44155] {CVE-2024-38570} +- gfs2: Remove ill-placed consistency check (Andreas Gruenbacher) [RHEL-44155] {CVE-2024-38570} +- openvswitch: Set the skbuff pkt_type for proper pmtud support. (Aaron Conole) [RHEL-37650] +- scsi: mpi3mr: Driver version update to 8.8.1.0.50 (Ewan D. Milne) [RHEL-30580] +- scsi: mpi3mr: Update MPI Headers to revision 31 (Ewan D. Milne) [RHEL-30580] +- scsi: mpi3mr: Debug ability improvements (Ewan D. Milne) [RHEL-30580] +- scsi: mpi3mr: Set the WriteSame Divert Capability in the IOCInit MPI Request (Ewan D. Milne) [RHEL-30580] +- scsi: mpi3mr: Clear ioctl blocking flag for an unresponsive controller (Ewan D. Milne) [RHEL-30580] +- scsi: mpi3mr: Set MPI request flags appropriately (Ewan D. Milne) [RHEL-30580] +- scsi: mpi3mr: Block devices are not removed even when VDs are offlined (Ewan D. 
Milne) [RHEL-30580] +- x86/retpoline: Add NOENDBR annotation to the SRSO dummy return thunk (Waiman Long) [RHEL-31230] +- x86/retpoline: Do the necessary fixup to the Zen3/4 srso return thunk for !SRSO (Waiman Long) [RHEL-31230] +- x86/bugs: Fix the SRSO mitigation on Zen3/4 (Waiman Long) [RHEL-31230] +- redhat/configs: Rename x86 CPU mitigations config entries (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_CPU_SRSO => CONFIG_MITIGATION_SRSO (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY => CONFIG_MITIGATION_IBRS_ENTRY (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY => CONFIG_MITIGATION_UNRET_ENTRY (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_SLS => CONFIG_MITIGATION_SLS (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING => CONFIG_MITIGATION_CALL_DEPTH_TRACKING (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY => CONFIG_MITIGATION_IBPB_ENTRY (Waiman Long) [RHEL-31230] +- x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE (Waiman Long) [RHEL-31230] +- kbuild: use objtool-args-y to clean up objtool arguments (Waiman Long) [RHEL-31230] +- kbuild: do not create *.prelink.o for Clang LTO or IBT (Waiman Long) [RHEL-31230] +- kbuild: replace $(linked-object) with CONFIG options (Waiman Long) [RHEL-31230] + * Mon Jul 29 2024 Lucas Zampieri [5.14.0-489.el9] - powerpc/pseries: Fix scv instruction crash with kexec (Mamatha Inamdar) [RHEL-14159] - powerpc/numa: Online a node if PHB is attached. (Mamatha Inamdar) [RHEL-50147] diff --git a/sources b/sources index 74a175fb9..8aa5f245c 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-SHA512 (linux-5.14.0-489.el9.tar.xz) = 53302439fea073b28d8d2f9f2ca7cfabc6af64149feeeeeb2e7d52edecff638ef3bbd3eace597dcb9c9b68e445c2e34d592457a1427a4424f6bfd69912dde8b8
-SHA512 (kernel-abi-stablelists-5.14.0-489.el9.tar.bz2) = 2634d35ca0b0434a6d45cdfe68452a35f4fc7a12132b8171aeaf89410d6f355166d2c0b5035dabd723a5a9d01ab40cde03f90a2592d930dba0078a0251dae69c
-SHA512 (kernel-kabi-dw-5.14.0-489.el9.tar.bz2) = 0ee3b0ebda6c8df00c3202837cb847178fc35eb0d858e9320796b32f33737ac1be6abc5a8fd5610d47eb6e3db34d33fe0a2ad9bbfbaebe471d8d7cba7ae8a9b1
+SHA512 (linux-5.14.0-490.el9.tar.xz) = 37091167ab8f73f8786904c5bfaca97bd93f59dff29ee4d9fc4fa833a6eaa0573531f120bba01decc4a07a8fb5edd8635b76e6d3949afd7900c5f7e21eec33e6
+SHA512 (kernel-abi-stablelists-5.14.0-490.el9.tar.bz2) = d1989c0849be7a03500676693e36377f86e816490acdb0728391b32629cad6f1ba2822fa87c1fc7e86590ec3af0dc8f54627660915d08a33cbc06c1b4f64527d
+SHA512 (kernel-kabi-dw-5.14.0-490.el9.tar.bz2) = b17109eace0208143d30ea409320ea3d42804719f8c38a3d9c775d795b7c2864ad8a08601a968ed48882ad3d3d0ae989994d3cd882afa0d132b5b56268992668
diff --git a/uki_addons.json b/uki_addons.json
new file mode 100644
index 000000000..d82dc87d6
--- /dev/null
+++ b/uki_addons.json
@@ -0,0 +1,12 @@
+{
+ "virt": {
+ "common": {
+ "fips-disable.addon": [
+ "fips=0\n"
+ ],
+ "fips-enable.addon": [
+ "fips=1\n"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/uki_create_addons.py b/uki_create_addons.py
new file mode 100755
index 000000000..e30d43b2a
--- /dev/null
+++ b/uki_create_addons.py
@@ -0,0 +1,151 @@
+#!/usr/bin/env python3
+#
+# This script inspects a given json proving a list of addons, and
+# creates an addon for each key/value pair matching the given uki, distro and
+# arch provided in input.
+#
+# Usage: python uki_create_addons.py input_json out_dir uki distro arch
+#
+# This tool requires the systemd-ukify and systemd-boot packages.
+#
+# Addon file
+#-----------
+# Each addon terminates with .addon
+# Each addon contains only two types of lines:
+# Lines beginning with '#' are description and thus ignored
+# All other lines are command line to be added.
+# The name of the end resulting addon is taken from the json hierarchy.
+# For example, and addon in json['virt']['rhel']['x86_64']['hello.addon'] will
+# result in an UKI addon file generated in out_dir called
+# hello-virt.rhel.x86_64.addon.efi
+#
+# The common key, present in any sub-dict in the provided json (except the leaf dict)
+# is used as place for default addons when the same addon is not defined deep
+# in the hierarchy. For example, if we define test.addon (text: 'test1\n') in
+# json['common']['test.addon'] = ['test1\n'] and another test.addon (text: test2) in
+# json['virt']['common']['test.addon'] = ['test2'], any other uki except virt
+# will have a test.addon.efi with text "test1", and virt will have a
+# test.addon.efi with "test2"
+#
+# sbat.conf
+#----------
+# This dict is containing the sbat string for *all* addons being created.
+# This dict is optional, but when used has to be put in a sub-dict with
+# { 'sbat' : { 'sbat.conf' : ['your text here'] }}
+# It follows the same syntax as the addon files, meaning '#' is comment and
+# the rest is taken as sbat string and feed to ukify.
+ +import os +import sys +import json +import collections +import subprocess + + +UKIFY_PATH = '/usr/lib/systemd/ukify' + +def usage(err): + print(f'Usage: {os.path.basename(__file__)} input_json output_dir uki distro arch') + print(f'Error:{err}') + sys.exit(1) + +def check_clean_arguments(input_json, out_dir): + # Remove end '/' + if out_dir[-1:] == '/': + out_dir = out_dir[:-1] + if not os.path.isfile(input_json): + usage(f'input_json {input_json} is not a file, or does not exist!') + if not os.path.isdir(out_dir): + usage(f'out_dir_dir {out_dir} is not a dir, or does not exist!') + return out_dir + +UKICmdlineAddon = collections.namedtuple('UKICmdlineAddon', ['name', 'cmdline']) +uki_addons_list = [] +uki_addons = {} +addon_sbat_string = None + +def parse_lines(lines, rstrip=True): + cmdline = '' + for l in lines: + l = l.lstrip() + if not l: + continue + if l[0] == '#': + continue + # rstrip is used only for addons cmdline, not sbat.conf, as it replaces + # return lines with spaces. + if rstrip: + l = l.rstrip() + ' ' + cmdline += l + if cmdline == '': + return '' + return cmdline + +def parse_all_addons(in_obj): + global addon_sbat_string + + for el in in_obj.keys(): + # addon found: copy it in our global dict uki_addons + if el.endswith('.addon'): + uki_addons[el] = in_obj[el] + + if 'sbat' in in_obj and 'sbat.conf' in in_obj['sbat']: + # sbat.conf found: override sbat with the most specific one found + addon_sbat_string = parse_lines(in_obj['sbat']['sbat.conf'], rstrip=False) + +def recursively_find_addons(in_obj, folder_list): + # end of recursion, leaf directory. 
Search all addons here + if len(folder_list) == 0: + parse_all_addons(in_obj) + return + + # first, check for common folder + if 'common' in in_obj: + parse_all_addons(in_obj['common']) + + # second, check if there is a match with the searched folder + if folder_list[0] in in_obj: + folder_next = in_obj[folder_list[0]] + folder_list = folder_list[1:] + recursively_find_addons(folder_next, folder_list) + +def parse_in_json(in_json, uki_name, distro, arch): + with open(in_json, 'r') as f: + in_obj = json.load(f) + recursively_find_addons(in_obj, [uki_name, distro, arch]) + + for addon_name, cmdline in uki_addons.items(): + addon_name = addon_name.replace(".addon","") + addon_full_name = f'{addon_name}-{uki_name}.{distro}.{arch}.addon.efi' + cmdline = parse_lines(cmdline).rstrip() + if cmdline: + uki_addons_list.append(UKICmdlineAddon(addon_full_name, cmdline)) + +def create_addons(out_dir): + for uki_addon in uki_addons_list: + out_path = os.path.join(out_dir, uki_addon.name) + cmd = [ + f'{UKIFY_PATH}', 'build', + f'--cmdline="{uki_addon.cmdline}"', + f'--output={out_path}'] + if addon_sbat_string: + cmd.append('--sbat="' + addon_sbat_string.rstrip() +'"') + + subprocess.check_call(cmd, text=True) + +if __name__ == "__main__": + argc = len(sys.argv) - 1 + if argc != 5: + usage('too few or too many parameters!') + + input_json = sys.argv[1] + out_dir = sys.argv[2] + uki_name = sys.argv[3] + distro = sys.argv[4] + arch = sys.argv[5] + + out_dir = check_clean_arguments(input_json, out_dir) + parse_in_json(input_json, uki_name, distro, arch) + create_addons(out_dir) + +
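Review bot: In create_addons, the double quotes written into `f'--cmdline="{uki_addon.cmdline}"'` and `'--sbat="' + addon_sbat_string.rstrip() +'"'` are not shell quoting but part of the argument value, because `subprocess.check_call(cmd, text=True)` runs the argv list without a shell; whatever ukify does not strip is embedded verbatim in the signed .cmdline/.sbat section of every addon. Drop them: `f'--cmdline={uki_addon.cmdline}'` and `cmd.append(f'--sbat={addon_sbat_string.rstrip()}')`. In parse_in_json, `addon_name.replace(".addon","")` removes every occurrence of the substring rather than the trailing suffix the naming convention describes; `addon_name.removesuffix('.addon')` (Python 3.9+) is the exact operation, and `open(in_json, 'r')` should pass `encoding='utf-8'` so the parse does not depend on the build host's locale. The header comment in this hunk also has "a given json proving a list of addons", which reads as "providing".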