Debrand for AlmaLinux OS

Use AlmaLinux OS secure boot cert

Enable Btrfs support for all kernel variants

hpsa: bring back deprecated PCI ids #CFHack #CFHack2024

mptsas: bring back deprecated PCI ids #CFHack #CFHack2024

megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024

qla2xxx: bring back deprecated PCI ids #CFHack #CFHack2024

qla4xxx: bring back deprecated PCI ids

lpfc: bring back deprecated PCI ids

be2iscsi: bring back deprecated PCI ids

kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained

.gitignore

@@ -1,7 +1,7 @@
 fedoraimaca.x509
-kernel-abi-stablelists-6.12.0-124.8.1.el10_1.tar.xz
-kernel-kabi-dw-6.12.0-124.8.1.el10_1.tar.xz
-linux-6.12.0-124.8.1.el10_1.tar.xz
+kernel-abi-stablelists-6.12.0-124.13.1.el10_1.tar.xz
+kernel-kabi-dw-6.12.0-124.13.1.el10_1.tar.xz
+linux-6.12.0-124.13.1.el10_1.tar.xz
 nvidiagpuoot001.x509
 redhatsecureboot501.cer
 redhatsecureboot504.cer

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 1
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 124.8.1
+RHEL_RELEASE = 124.13.1
 
 #
 # RHEL_REBASE_NUM

kernel-aarch64-64k-debug-rhel.config

@@ -3040,7 +3040,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-aarch64-64k-rhel.config

@@ -3024,7 +3024,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-aarch64-debug-rhel.config

@@ -3037,7 +3037,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-aarch64-rhel.config

@@ -3021,7 +3021,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-aarch64-rt-64k-debug-rhel.config

@@ -3081,7 +3081,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-aarch64-rt-64k-rhel.config

@@ -3065,7 +3065,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-aarch64-rt-debug-rhel.config

@@ -3078,7 +3078,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-aarch64-rt-rhel.config

@@ -3062,7 +3062,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-ppc64le-debug-rhel.config

@@ -2701,7 +2701,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-ppc64le-rhel.config

@@ -2685,7 +2685,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-s390x-debug-rhel.config

@@ -2685,7 +2685,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-s390x-rhel.config

@@ -2669,7 +2669,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-s390x-zfcpdump-rhel.config

@@ -2675,7 +2675,6 @@ CONFIG_INTEL_SDSI=m
 # CONFIG_INTEL_SOC_PMIC_CHTWC is not set
 # CONFIG_INTEL_SOC_PMIC is not set
 # CONFIG_INTEL_TCC_COOLING is not set
-# CONFIG_INTEL_TDX_HOST is not set
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH is not set
 CONFIG_INTEL_UNCORE_FREQ_CONTROL=m

kernel-x86_64-debug-rhel.config

@@ -2916,7 +2916,7 @@ CONFIG_INTEL_SKL_INT3472=m
 CONFIG_INTEL_SPEED_SELECT_INTERFACE=m
 CONFIG_INTEL_TCC_COOLING=m
 CONFIG_INTEL_TDX_GUEST=y
-# CONFIG_INTEL_TDX_HOST is not set
+CONFIG_INTEL_TDX_HOST=y
 CONFIG_INTEL_TH_ACPI=m
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH_DEBUG is not set
@@ -3294,6 +3294,7 @@ CONFIG_KVM_GUEST=y
 CONFIG_KVM_HYPERV=y
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_INTEL_PROVE_VE is not set
+CONFIG_KVM_INTEL_TDX=y
 CONFIG_KVM=m
 CONFIG_KVM_MAX_NR_VCPUS=4096
 CONFIG_KVM_MMU_AUDIT=y
@@ -3867,6 +3868,7 @@ CONFIG_MITIGATION_SSB=y
 CONFIG_MITIGATION_TAA=y
 CONFIG_MITIGATION_TSA=y
 CONFIG_MITIGATION_UNRET_ENTRY=y
+CONFIG_MITIGATION_VMSCAPE=y
 # CONFIG_MK8 is not set
 CONFIG_MLX4_CORE_GEN2=y
 CONFIG_MLX4_CORE=m

kernel-x86_64-rhel.config

@@ -2900,7 +2900,7 @@ CONFIG_INTEL_SKL_INT3472=m
 CONFIG_INTEL_SPEED_SELECT_INTERFACE=m
 CONFIG_INTEL_TCC_COOLING=m
 CONFIG_INTEL_TDX_GUEST=y
-# CONFIG_INTEL_TDX_HOST is not set
+CONFIG_INTEL_TDX_HOST=y
 CONFIG_INTEL_TH_ACPI=m
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH_DEBUG is not set
@@ -3274,6 +3274,7 @@ CONFIG_KVM_GUEST=y
 CONFIG_KVM_HYPERV=y
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_INTEL_PROVE_VE is not set
+CONFIG_KVM_INTEL_TDX=y
 CONFIG_KVM=m
 CONFIG_KVM_MAX_NR_VCPUS=4096
 CONFIG_KVM_MMU_AUDIT=y
@@ -3847,6 +3848,7 @@ CONFIG_MITIGATION_SSB=y
 CONFIG_MITIGATION_TAA=y
 CONFIG_MITIGATION_TSA=y
 CONFIG_MITIGATION_UNRET_ENTRY=y
+CONFIG_MITIGATION_VMSCAPE=y
 # CONFIG_MK8 is not set
 CONFIG_MLX4_CORE_GEN2=y
 CONFIG_MLX4_CORE=m

kernel-x86_64-rt-debug-rhel.config

@@ -2957,7 +2957,7 @@ CONFIG_INTEL_SKL_INT3472=m
 CONFIG_INTEL_SPEED_SELECT_INTERFACE=m
 CONFIG_INTEL_TCC_COOLING=m
 CONFIG_INTEL_TDX_GUEST=y
-# CONFIG_INTEL_TDX_HOST is not set
+CONFIG_INTEL_TDX_HOST=y
 CONFIG_INTEL_TH_ACPI=m
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH_DEBUG is not set
@@ -3335,6 +3335,7 @@ CONFIG_KVM_GUEST=y
 CONFIG_KVM_HYPERV=y
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_INTEL_PROVE_VE is not set
+CONFIG_KVM_INTEL_TDX=y
 CONFIG_KVM=m
 CONFIG_KVM_MAX_NR_VCPUS=4096
 CONFIG_KVM_MMU_AUDIT=y
@@ -3908,6 +3909,7 @@ CONFIG_MITIGATION_SSB=y
 CONFIG_MITIGATION_TAA=y
 CONFIG_MITIGATION_TSA=y
 CONFIG_MITIGATION_UNRET_ENTRY=y
+CONFIG_MITIGATION_VMSCAPE=y
 # CONFIG_MK8 is not set
 CONFIG_MLX4_CORE_GEN2=y
 CONFIG_MLX4_CORE=m

kernel-x86_64-rt-rhel.config

@@ -2941,7 +2941,7 @@ CONFIG_INTEL_SKL_INT3472=m
 CONFIG_INTEL_SPEED_SELECT_INTERFACE=m
 CONFIG_INTEL_TCC_COOLING=m
 CONFIG_INTEL_TDX_GUEST=y
-# CONFIG_INTEL_TDX_HOST is not set
+CONFIG_INTEL_TDX_HOST=y
 CONFIG_INTEL_TH_ACPI=m
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH_DEBUG is not set
@@ -3315,6 +3315,7 @@ CONFIG_KVM_GUEST=y
 CONFIG_KVM_HYPERV=y
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_INTEL_PROVE_VE is not set
+CONFIG_KVM_INTEL_TDX=y
 CONFIG_KVM=m
 CONFIG_KVM_MAX_NR_VCPUS=4096
 CONFIG_KVM_MMU_AUDIT=y
@@ -3888,6 +3889,7 @@ CONFIG_MITIGATION_SSB=y
 CONFIG_MITIGATION_TAA=y
 CONFIG_MITIGATION_TSA=y
 CONFIG_MITIGATION_UNRET_ENTRY=y
+CONFIG_MITIGATION_VMSCAPE=y
 # CONFIG_MK8 is not set
 CONFIG_MLX4_CORE_GEN2=y
 CONFIG_MLX4_CORE=m

kernel.changelog

@@ -1,3 +1,116 @@
+* Thu Nov 13 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.13.1.el10_1]
+- NFSv4: handle ERR_GRACE on delegation recalls (Olga Kornievskaia) [RHEL-127623]
+- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry (Olga Kornievskaia) [RHEL-127623]
+- Revert "SUNRPC: Don't allow waiting for exiting tasks" (Scott Mayhew) [RHEL-110051]
+- smb: client: get rid of d_drop() in cifs_do_rename() (Paulo Alcantara) [RHEL-124955]
+- smb: client: fix wrong index reference in smb2_compound_op() (Paulo Alcantara) [RHEL-124955]
+- smb: client: handle unlink(2) of files open by different clients (Paulo Alcantara) [RHEL-124955]
+- smb: client: fix filename matching of deferred files (Paulo Alcantara) [RHEL-124955]
+- fs/smb: Fix inconsistent refcnt update (Paulo Alcantara) [RHEL-124955] {CVE-2025-39819}
+- ice: don't leave device non-functional if Tx scheduler config fails (Petr Oros) [RHEL-116535]
+Resolves: RHEL-110051, RHEL-116535, RHEL-124955, RHEL-127623
+
+* Tue Nov 11 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.12.1.el10_1]
+- tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). (Antoine Tenart) [RHEL-120672]
+- tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). (Antoine Tenart) [RHEL-120672] {CVE-2025-39955}
+- NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() (CKI Backport Bot) [RHEL-113613] {CVE-2025-39730}
+Resolves: RHEL-113613, RHEL-120672
+
+* Thu Nov 06 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.11.1.el10_1]
+- of_numa: fix uninitialized memory nodes causing kernel panic (Charles Mirabile) [RHEL-123154] {CVE-2025-39903}
+- redhat: use the same cert as UKI's to sign addons (Li Tian) [RHEL-124734]
+- ibmveth: Add multi buffers rx replenishment hcall support (Mamatha Inamdar) [RHEL-116193]
+- net: ibmveth: Reset the adapter when unexpected states are detected (Mamatha Inamdar) [RHEL-116193]
+- ibmvnic: Increase max subcrq indirect entries with fallback (Mamatha Inamdar) [RHEL-116189]
+- redhat: enable TDX host config (Paolo Bonzini) [RHEL-27145]
+- KVM/TDX: Explicitly do WBINVD when no more TDX SEAMCALLs (Paolo Bonzini) [RHEL-27145]
+- x86/virt/tdx: Update the kexec section in the TDX documentation (Paolo Bonzini) [RHEL-27145]
+- x86/virt/tdx: Remove the !KEXEC_CORE dependency (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Disable kexec/kdump on platforms with TDX partial write erratum (Paolo Bonzini) [RHEL-27145]
+- x86/virt/tdx: Mark memory cache state incoherent when making SEAMCALL (Paolo Bonzini) [RHEL-27145]
+- x86/sme: Use percpu boolean to control WBINVD during kexec (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Consolidate relocate_kernel() function parameters (Paolo Bonzini) [RHEL-27145]
+- x86/paravirt: Remove the WBINVD callback (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Use typedef for relocate_kernel_fn function prototype (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Cope with relocate_kernel() not being at the start of the page (Paolo Bonzini) [RHEL-27145]
+- kexec_core: Add and update comments regarding the KEXEC_JUMP flow (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Mark machine_kexec() with __nocfi (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Fix location of relocate_kernel with -ffunction-sections (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Fix stack and handling of re-entry point for ::preserve_context (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Use correct swap page in swap_pages function (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Ensure preserve_context flag is set on return to kernel (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Disable global pages before writing to control page (Paolo Bonzini) [RHEL-27145]
+- x86: Fix build regression with CONFIG_KEXEC_JUMP enabled (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Mark relocate_kernel page as ROX instead of RWX (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Clean up register usage in relocate_kernel() (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Eliminate writes through kernel mapping of relocate_kernel page (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Drop page_list argument from relocate_kernel() (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Add data section to relocate_kernel (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Move relocate_kernel to kernel .data section (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Invoke copy of relocate_kernel() instead of the original (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Copy control page into place in machine_kexec_prepare() (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Allocate PGD for x86_64 transition page tables separately (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Only swap pages for ::preserve_context mode (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Use named labels in swap_pages in relocate_kernel_64.S (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Clean up and document register use in relocate_kernel_64.S (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Restore GDT on return from ::preserve_context kexec (Paolo Bonzini) [RHEL-27145]
+Resolves: RHEL-116189, RHEL-116193, RHEL-123154, RHEL-124734, RHEL-27145
+
+* Sat Nov 01 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.10.1.el10_1]
+- wifi: cfg80211: fix use-after-free in cmp_bss() (CKI Backport Bot) [RHEL-122880] {CVE-2025-39864}
+- selftests: tls: test skb copy under mem pressure and OOB (CKI Backport Bot) [RHEL-120380] {CVE-2025-39946}
+- tls: make sure to abort the stream if headers are bogus (CKI Backport Bot) [RHEL-120380] {CVE-2025-39946}
+- ixgbe: fix ixgbe_orom_civd_info struct layout (Michal Schmidt) [RHEL-119079]
+- ice: fix Rx page leak on multi-buffer frames (Petr Oros) [RHEL-116543]
+- eventpoll: Fix semi-unbounded recursion (CKI Backport Bot) [RHEL-111055] {CVE-2025-38614}
+Resolves: RHEL-111055, RHEL-116543, RHEL-119079, RHEL-120380, RHEL-122880
+
+* Tue Oct 28 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.9.1.el10_1]
+- platform/x86/intel: power-domains: Use topology_logical_package_id() for package ID (CKI Backport Bot) [RHEL-123290]
+- smb: client: fix file open check in __cifs_unlink() (Paulo Alcantara) [RHEL-122417]
+- smb: client: fix data loss due to broken rename(2) (Paulo Alcantara) [RHEL-122417]
+- smb: client: fix compound alignment with encryption (Paulo Alcantara) [RHEL-122417]
+- smb: client: fix race with concurrent opens in rename(2) (Paulo Alcantara) [RHEL-122417]
+- smb: client: fix race with concurrent opens in unlink(2) (Paulo Alcantara) [RHEL-122417]
+- use uniform permission checks for all mount propagation changes (Ian Kent) [RHEL-121702] {CVE-2025-38498}
+- do_change_type(): refuse to operate on unmounted/not ours mounts (Ian Kent) [RHEL-121702] {CVE-2025-38498}
+- cgroup/psi: Set of->priv to NULL upon file release (CKI Backport Bot) [RHEL-119143] {CVE-2025-39881}
+- kernfs: Fix UAF in polling when open file is released (CKI Backport Bot) [RHEL-119143] {CVE-2025-39881}
+- redhat: rpminspect: update emptyrpm list for kernel variants (Alexandra Hájková)
+- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119132] {CVE-2025-39841}
+- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CKI Backport Bot) [RHEL-118462] {CVE-2025-39817}
+- wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (CKI Backport Bot) [RHEL-117585] {CVE-2025-39849}
+- xfs: do not propagate ENODATA disk errors into xattr code (Carlos Maiolino) [RHEL-115733]
+- ipv6: sr: Fix MAC comparison to be constant-time (CKI Backport Bot) [RHEL-116387] {CVE-2025-39702}
+- s390/ism: fix concurrency management in ism_cmd() (CKI Backport Bot) [RHEL-114500]
+- s390/hypfs: Enable limited access during lockdown (CKI Backport Bot) [RHEL-114431]
+- s390/hypfs: Avoid unnecessary ioctl registration in debugfs (CKI Backport Bot) [RHEL-114431]
+- redhat/configs: Enable CONFIG_MITIGATION_VMSCAPE for x86 (Waiman Long) [RHEL-114276]
+- x86/vmscape: Add old Intel CPUs to affected list (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- x86/vmscape: Warn when STIBP is disabled with SMT (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- x86/bugs: Move cpu_bugs_smt_update() down (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- x86/vmscape: Enable the mitigation (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- x86/vmscape: Add conditional IBPB mitigation (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- x86/vmscape: Enumerate VMSCAPE bug (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- Documentation/hw-vuln: Add VMSCAPE documentation (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- RDMA/mana_ib: Fix DSCP value in modify QP (Maxim Levitsky) [RHEL-114931]
+- net: mana: Handle Reset Request from MANA NIC (Maxim Levitsky) [RHEL-114931]
+- net: mana: Set tx_packets to post gso processing packet count (Maxim Levitsky) [RHEL-114931]
+- net: mana: Handle unsupported HWC commands (Maxim Levitsky) [RHEL-114931]
+- net: mana: Add handler for hardware servicing events (Maxim Levitsky) [RHEL-114931]
+- net: mana: Expose additional hardware counters for drop and TC via ethtool. (Maxim Levitsky) [RHEL-114931]
+- mm: swap: fix potential buffer overflow in setup_clusters() (CKI Backport Bot) [RHEL-114862] {CVE-2025-39727}
+- ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (CKI Backport Bot) [RHEL-114852] {CVE-2025-39751}
+- ALSA: usb-audio: Validate UAC3 power domain descriptors, too (Jaroslav Kysela) [RHEL-114693] {CVE-2025-38729}
+- ALSA: usb-audio: Fix size validation in convert_chmap_v3() (Jaroslav Kysela) [RHEL-114693]
+- ALSA: usb-audio: Validate UAC3 cluster segment descriptors (CKI Backport Bot) [RHEL-114693] {CVE-2025-39757}
+- ibmvnic: Use ndo_get_stats64 to fix inaccurate SAR reporting (Mamatha Inamdar) [RHEL-114439]
+- ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (Mamatha Inamdar) [RHEL-114439]
+- ibmvnic: Add stat for tx direct vs tx batched (Mamatha Inamdar) [RHEL-114439]
+- vsock/virtio: Validate length in packet header before skb_put() (CKI Backport Bot) [RHEL-114301] {CVE-2025-39718}
+- NFS: Fix a race when updating an existing write (CKI Backport Bot) [RHEL-113861] {CVE-2025-39697}
+Resolves: RHEL-113861, RHEL-114276, RHEL-114301, RHEL-114431, RHEL-114439, RHEL-114500, RHEL-114693, RHEL-114852, RHEL-114862, RHEL-114931, RHEL-115733, RHEL-116387, RHEL-117585, RHEL-118462, RHEL-119132, RHEL-119143, RHEL-121702, RHEL-122417, RHEL-123290
+
 * Fri Oct 17 2025 Jan Stancek <jstancek@redhat.com> [6.12.0-124.8.1.el10_1]
 - redhat: revert to using redhatsecureboot504 for RHEL UKI (Vitaly Kuznetsov) [RHEL-122226]
 Resolves: RHEL-122226

kernel.spec

@@ -176,15 +176,15 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 124.8.1
+%define pkgrelease 124.13.1
 %define kversion 6
-%define tarfile_release 6.12.0-124.8.1.el10_1
+%define tarfile_release 6.12.0-124.13.1.el10_1
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 124.8.1%{?buildid}%{?dist}
+%define specrelease 124.13.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 6.12.0-124.8.1.el10_1
+%define kabiversion 6.12.0-124.13.1.el10_1
 
 # If this variable is set to 1, a bpf selftests build failure will cause a
 # fatal kernel package build error
@@ -2836,6 +2836,11 @@ BuildKernel() {
 %endif
 
         %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c $UKI_secureboot_cert -n $UKI_secureboot_name
+        for addon in "$KernelAddonsDirOut"/*; do
+            %pesign -s -i $addon -o $addon.signed -a %{secureboot_ca_0} -c $UKI_secureboot_cert -n $UKI_secureboot_name
+            rm -f $addon
+            mv $addon.signed $addon
+        done
 # 0%{?fedora}%{?eln}
 %endif
         if [ ! -s $KernelUnifiedImage.signed ]; then
@@ -2844,12 +2849,6 @@ BuildKernel() {
         fi
         mv $KernelUnifiedImage.signed $KernelUnifiedImage
 
-      for addon in "$KernelAddonsDirOut"/*; do
-        %pesign -s -i $addon -o $addon.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
-        rm -f $addon
-        mv $addon.signed $addon
-      done
-
       mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
       cp -a $UKI_secureboot_cert $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/secureboot-uki-%{_arch}.cer
 
@@ -4390,14 +4389,14 @@ fi\
 #
 #
 %changelog
-* Tue Nov 11 2025 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-124.8.1
+* Thu Dec 04 2025 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-124.13.1
 - Debrand for AlmaLinux OS
 - Use AlmaLinux OS secure boot cert
 
-* Tue Nov 11 2025 Neal Gompa <ngompa@almalinux.org> - 6.12.0-124.8.1
+* Thu Dec 04 2025 Neal Gompa <ngompa@almalinux.org> - 6.12.0-124.13.1
 - Enable Btrfs support for all kernel variants
 
-* Tue Nov 11 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-124.8.1
+* Thu Dec 04 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-124.13.1
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@@ -4408,16 +4407,113 @@ fi\
 - kernel/rh_messages.h: enable all disabled pci devices by moving to
   unmaintained
 
-* Tue Nov 11 2025 Andrew Lukoshko <alukoshko@almalinux.org> [6.12.0-124.8.1.el10_1]
-- Update RHEL_RELEASE, ZSTREAM, and DIST (Andrew Lukoshko)
-- Merge tag 'kernel-6.12.0-124.8.1.el10_1' into main (Julio Faracco)
-- Merge tag 'kernel-6.12.0-124.7.1.el10_1' into main (Jan Stancek)
-- Merge: kabi: add symbols to stablelist and enable check-kabi (Jan Stancek) [RHEL-113009]
-- Merge tag 'kernel-6.12.0-124.5.1.el10_1' into main (Jan Stancek)
-- Merge tag 'kernel-6.12.0-124.4.1.el10_1' into main (Jan Stancek)
-- Merge tag 'kernel-6.12.0-124.2.1.el10_1' into main (Jan Stancek)
-- x86/split_lock: Move Split and Bus lock code to a dedicated file (John Allen) [RHEL-50321]
-- Merge tag 'kernel-6.12.0-124.1.1.el10_1' into main (Julio Faracco)
+* Thu Nov 13 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.13.1.el10_1]
+- NFSv4: handle ERR_GRACE on delegation recalls (Olga Kornievskaia) [RHEL-127623]
+- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry (Olga Kornievskaia) [RHEL-127623]
+- Revert "SUNRPC: Don't allow waiting for exiting tasks" (Scott Mayhew) [RHEL-110051]
+- smb: client: get rid of d_drop() in cifs_do_rename() (Paulo Alcantara) [RHEL-124955]
+- smb: client: fix wrong index reference in smb2_compound_op() (Paulo Alcantara) [RHEL-124955]
+- smb: client: handle unlink(2) of files open by different clients (Paulo Alcantara) [RHEL-124955]
+- smb: client: fix filename matching of deferred files (Paulo Alcantara) [RHEL-124955]
+- fs/smb: Fix inconsistent refcnt update (Paulo Alcantara) [RHEL-124955] {CVE-2025-39819}
+- ice: don't leave device non-functional if Tx scheduler config fails (Petr Oros) [RHEL-116535]
+
+* Tue Nov 11 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.12.1.el10_1]
+- tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). (Antoine Tenart) [RHEL-120672]
+- tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). (Antoine Tenart) [RHEL-120672] {CVE-2025-39955}
+- NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() (CKI Backport Bot) [RHEL-113613] {CVE-2025-39730}
+
+* Thu Nov 06 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.11.1.el10_1]
+- of_numa: fix uninitialized memory nodes causing kernel panic (Charles Mirabile) [RHEL-123154] {CVE-2025-39903}
+- redhat: use the same cert as UKI's to sign addons (Li Tian) [RHEL-124734]
+- ibmveth: Add multi buffers rx replenishment hcall support (Mamatha Inamdar) [RHEL-116193]
+- net: ibmveth: Reset the adapter when unexpected states are detected (Mamatha Inamdar) [RHEL-116193]
+- ibmvnic: Increase max subcrq indirect entries with fallback (Mamatha Inamdar) [RHEL-116189]
+- redhat: enable TDX host config (Paolo Bonzini) [RHEL-27145]
+- KVM/TDX: Explicitly do WBINVD when no more TDX SEAMCALLs (Paolo Bonzini) [RHEL-27145]
+- x86/virt/tdx: Update the kexec section in the TDX documentation (Paolo Bonzini) [RHEL-27145]
+- x86/virt/tdx: Remove the !KEXEC_CORE dependency (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Disable kexec/kdump on platforms with TDX partial write erratum (Paolo Bonzini) [RHEL-27145]
+- x86/virt/tdx: Mark memory cache state incoherent when making SEAMCALL (Paolo Bonzini) [RHEL-27145]
+- x86/sme: Use percpu boolean to control WBINVD during kexec (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Consolidate relocate_kernel() function parameters (Paolo Bonzini) [RHEL-27145]
+- x86/paravirt: Remove the WBINVD callback (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Use typedef for relocate_kernel_fn function prototype (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Cope with relocate_kernel() not being at the start of the page (Paolo Bonzini) [RHEL-27145]
+- kexec_core: Add and update comments regarding the KEXEC_JUMP flow (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Mark machine_kexec() with __nocfi (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Fix location of relocate_kernel with -ffunction-sections (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Fix stack and handling of re-entry point for ::preserve_context (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Use correct swap page in swap_pages function (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Ensure preserve_context flag is set on return to kernel (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Disable global pages before writing to control page (Paolo Bonzini) [RHEL-27145]
+- x86: Fix build regression with CONFIG_KEXEC_JUMP enabled (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Mark relocate_kernel page as ROX instead of RWX (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Clean up register usage in relocate_kernel() (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Eliminate writes through kernel mapping of relocate_kernel page (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Drop page_list argument from relocate_kernel() (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Add data section to relocate_kernel (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Move relocate_kernel to kernel .data section (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Invoke copy of relocate_kernel() instead of the original (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Copy control page into place in machine_kexec_prepare() (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Allocate PGD for x86_64 transition page tables separately (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Only swap pages for ::preserve_context mode (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Use named labels in swap_pages in relocate_kernel_64.S (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Clean up and document register use in relocate_kernel_64.S (Paolo Bonzini) [RHEL-27145]
+- x86/kexec: Restore GDT on return from ::preserve_context kexec (Paolo Bonzini) [RHEL-27145]
+
+* Sat Nov 01 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.10.1.el10_1]
+- wifi: cfg80211: fix use-after-free in cmp_bss() (CKI Backport Bot) [RHEL-122880] {CVE-2025-39864}
+- selftests: tls: test skb copy under mem pressure and OOB (CKI Backport Bot) [RHEL-120380] {CVE-2025-39946}
+- tls: make sure to abort the stream if headers are bogus (CKI Backport Bot) [RHEL-120380] {CVE-2025-39946}
+- ixgbe: fix ixgbe_orom_civd_info struct layout (Michal Schmidt) [RHEL-119079]
+- ice: fix Rx page leak on multi-buffer frames (Petr Oros) [RHEL-116543]
+- eventpoll: Fix semi-unbounded recursion (CKI Backport Bot) [RHEL-111055] {CVE-2025-38614}
+
+* Tue Oct 28 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.9.1.el10_1]
+- platform/x86/intel: power-domains: Use topology_logical_package_id() for package ID (CKI Backport Bot) [RHEL-123290]
+- smb: client: fix file open check in __cifs_unlink() (Paulo Alcantara) [RHEL-122417]
+- smb: client: fix data loss due to broken rename(2) (Paulo Alcantara) [RHEL-122417]
+- smb: client: fix compound alignment with encryption (Paulo Alcantara) [RHEL-122417]
+- smb: client: fix race with concurrent opens in rename(2) (Paulo Alcantara) [RHEL-122417]
+- smb: client: fix race with concurrent opens in unlink(2) (Paulo Alcantara) [RHEL-122417]
+- use uniform permission checks for all mount propagation changes (Ian Kent) [RHEL-121702] {CVE-2025-38498}
+- do_change_type(): refuse to operate on unmounted/not ours mounts (Ian Kent) [RHEL-121702] {CVE-2025-38498}
+- cgroup/psi: Set of->priv to NULL upon file release (CKI Backport Bot) [RHEL-119143] {CVE-2025-39881}
+- kernfs: Fix UAF in polling when open file is released (CKI Backport Bot) [RHEL-119143] {CVE-2025-39881}
+- redhat: rpminspect: update emptyrpm list for kernel variants (Alexandra Hájková)
+- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119132] {CVE-2025-39841}
+- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CKI Backport Bot) [RHEL-118462] {CVE-2025-39817}
+- wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (CKI Backport Bot) [RHEL-117585] {CVE-2025-39849}
+- xfs: do not propagate ENODATA disk errors into xattr code (Carlos Maiolino) [RHEL-115733]
+- ipv6: sr: Fix MAC comparison to be constant-time (CKI Backport Bot) [RHEL-116387] {CVE-2025-39702}
+- s390/ism: fix concurrency management in ism_cmd() (CKI Backport Bot) [RHEL-114500]
+- s390/hypfs: Enable limited access during lockdown (CKI Backport Bot) [RHEL-114431]
+- s390/hypfs: Avoid unnecessary ioctl registration in debugfs (CKI Backport Bot) [RHEL-114431]
+- redhat/configs: Enable CONFIG_MITIGATION_VMSCAPE for x86 (Waiman Long) [RHEL-114276]
+- x86/vmscape: Add old Intel CPUs to affected list (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- x86/vmscape: Warn when STIBP is disabled with SMT (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- x86/bugs: Move cpu_bugs_smt_update() down (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- x86/vmscape: Enable the mitigation (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- x86/vmscape: Add conditional IBPB mitigation (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- x86/vmscape: Enumerate VMSCAPE bug (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- Documentation/hw-vuln: Add VMSCAPE documentation (Waiman Long) [RHEL-114276] {CVE-2025-40300}
+- RDMA/mana_ib: Fix DSCP value in modify QP (Maxim Levitsky) [RHEL-114931]
+- net: mana: Handle Reset Request from MANA NIC (Maxim Levitsky) [RHEL-114931]
+- net: mana: Set tx_packets to post gso processing packet count (Maxim Levitsky) [RHEL-114931]
+- net: mana: Handle unsupported HWC commands (Maxim Levitsky) [RHEL-114931]
+- net: mana: Add handler for hardware servicing events (Maxim Levitsky) [RHEL-114931]
+- net: mana: Expose additional hardware counters for drop and TC via ethtool. (Maxim Levitsky) [RHEL-114931]
+- mm: swap: fix potential buffer overflow in setup_clusters() (CKI Backport Bot) [RHEL-114862] {CVE-2025-39727}
+- ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (CKI Backport Bot) [RHEL-114852] {CVE-2025-39751}
+- ALSA: usb-audio: Validate UAC3 power domain descriptors, too (Jaroslav Kysela) [RHEL-114693] {CVE-2025-38729}
+- ALSA: usb-audio: Fix size validation in convert_chmap_v3() (Jaroslav Kysela) [RHEL-114693]
+- ALSA: usb-audio: Validate UAC3 cluster segment descriptors (CKI Backport Bot) [RHEL-114693] {CVE-2025-39757}
+- ibmvnic: Use ndo_get_stats64 to fix inaccurate SAR reporting (Mamatha Inamdar) [RHEL-114439]
+- ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (Mamatha Inamdar) [RHEL-114439]
+- ibmvnic: Add stat for tx direct vs tx batched (Mamatha Inamdar) [RHEL-114439]
+- vsock/virtio: Validate length in packet header before skb_put() (CKI Backport Bot) [RHEL-114301] {CVE-2025-39718}
+- NFS: Fix a race when updating an existing write (CKI Backport Bot) [RHEL-113861] {CVE-2025-39697}
 
 * Fri Oct 17 2025 Jan Stancek <jstancek@redhat.com> [6.12.0-124.8.1.el10_1]
 - redhat: revert to using redhatsecureboot504 for RHEL UKI (Vitaly Kuznetsov) [RHEL-122226]

rpminspect.yaml

@@ -21,10 +21,22 @@ emptyrpm:
         - kernel-debug
         - kernel-debug-devel-matched
         - kernel-devel-matched
-        - kernel-lpae
         - kernel-zfcpdump
         - kernel-zfcpdump-devel-matched
         - kernel-zfcpdump-modules
+        - kernel-zfcpdump-modules-partner
+        - kernel-rt
+        - kernel-rt-debug
+        - kernel-rt-debug-devel-matched
+        - kernel-rt-devel-matched
+        - kernel-64k
+        - kernel-64k-debug
+        - kernel-64k-debug-devel-matched
+        - kernel-64k-devel-matched
+        - kernel-rt-64k
+        - kernel-rt-64k-debug
+        - kernel-rt-64k-debug-devel-matched
+        - kernel-rt-64k-devel-matched
 
 patches:
     ignore_list:

sources

@@ -1,7 +1,7 @@
 SHA512 (fedoraimaca.x509) = e04809394f4472c17e86d7024dee34f03fb68e82a85502fd5b00535202c72e57626a8376b2cf991b7e1e46404aa5ab8d189ebf320e0dd37d49e7efbc925c7a2e
-SHA512 (kernel-abi-stablelists-6.12.0-124.8.1.el10_1.tar.xz) = 717a8f2c2d49b2163ca532695ac1bd7e0074c57d30ee741a69be502ea32f7e4d55cf3af8f24aad2732c500e6eadbff96906be55425308fe46e551cf41d1797d8
-SHA512 (kernel-kabi-dw-6.12.0-124.8.1.el10_1.tar.xz) = 96086d373482c838be4c05e23c827484707d49255c1115d62d269fbb308f5408db5b5571a3e48edd006b42862c85765650dd108c7cb52a18a698dcc539adba64
-SHA512 (linux-6.12.0-124.8.1.el10_1.tar.xz) = db7725e7fa32155e9fe277e4f7cf187f5a4b6c011957d90f79eb3529eb747589b9b8c5d04aba10120a6f182e7e042fc9be1cff08ee59a3422899c0ecb76d7146
+SHA512 (kernel-abi-stablelists-6.12.0-124.13.1.el10_1.tar.xz) = b2c34f15b031eed04293dcd89835e0746f2bbeeceda04b586208400a7bab7d064d4e20926b6942d2a69a6bb632f96a2a21a2cd4b8748aa7a960df463cdf5b5c4
+SHA512 (kernel-kabi-dw-6.12.0-124.13.1.el10_1.tar.xz) = b38176c673e473a06debdef9941242f2017d0503a08e74d7d8608f0dab5b6fe6b577d4009db5d6b5e8425e4aa55c961b01eb8fb72409729c8a578b7381e15b92
+SHA512 (linux-6.12.0-124.13.1.el10_1.tar.xz) = 47bc53b098c71cc54de781f01213c1c3b35c331f4b3da678ff7377938a761ea124eb980748f16df83b10bc083307ca405ac27d48924da269b1090a80b56d8958
 SHA512 (nvidiagpuoot001.x509) = b42f836e1cfa07890cb6ca13de9c3950e306c9ec7686c4c09f050bb68869f5d82962b2cd5f3aa0eb7a0f3a3ae54e9c480eafbac5df53aa92c295ff511a8c59fe
 SHA512 (redhatsecureboot501.cer) = eb2c2d342680d4c3453d3e4f30abdd1f6b0e98292e1be0410d0163afd01552a863b70ffaabeecd6e3981cd4d167198091a837c7d70f96a3a06de2d28b3355308
 SHA512 (redhatsecureboot504.cer) = d6e9b54c378769bb934ead996c1003b495bde48a17d02c8880124f36a529ef799f1e3a97202f9536c71c0d2cefe20a3532053ab73ce798ba550934eedce23ff9