kernel-6.12.0-201.1.el10nv

* Mon Feb 16 2026 Jan Stancek <jstancek@redhat.com> [6.12.0-201.1.el10nv]
- redhat: update build targets for aie-nv (Jan Stancek)
- iommu/arm-smmu-v3: Perform per-domain invalidations using arm_smmu_invs (Nicolin Chen) [VOYAGER-1]
- iommu/arm-smmu-v3: Add arm_smmu_invs based arm_smmu_domain_inv_range() (Nicolin Chen) [VOYAGER-1]
- iommu/arm-smmu-v3: Populate smmu_domain->invs when attaching masters (Nicolin Chen) [VOYAGER-1]
- iommu/arm-smmu-v3: Pre-allocate a per-master invalidation array (Nicolin Chen) [VOYAGER-1]
- iommu/arm-smmu-v3: Introduce a per-domain arm_smmu_invs array (Jason Gunthorpe) [VOYAGER-1]
- iommu/arm-smmu-v3: Add an inline arm_smmu_domain_free() (Nicolin Chen) [VOYAGER-1]
- iommu/arm-smmu-v3: Explicitly set smmu_domain->stage for SVA (Nicolin Chen) [VOYAGER-1]
- iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update (Nicolin Chen) [VOYAGER-1]
- lib/sort.c: add _nonatomic() variants with cond_resched() (Kent Overstreet) [VOYAGER-1]
- lib/sort: clarify comparison function requirements in sort_r() (Kuan-Wei Chiu) [VOYAGER-1]
- sort.h: hoist cmp_int() into generic header file (Fedor Pchelkin) [VOYAGER-1]
- iommu/tegra241-cmdqv: Reset VCMDQ in tegra241_vcmdq_hw_init_user() (Nicolin Chen) [VOYAGER-44]
- mm: add stubs for PFNMAP memory failure registration functions (Aristeu Rozanski) [VOYAGER-9]
- vfio/nvgrace-gpu: register device memory for poison handling (Aristeu Rozanski) [VOYAGER-9]
- mm: fixup pfnmap memory failure handling to use pgoff (Aristeu Rozanski) [VOYAGER-9]
- mm: handle poisoning of pfn without struct pages (Aristeu Rozanski) [VOYAGER-9]
- mm: change ghes code to allow poison of non-struct pfn (Aristeu Rozanski) [VOYAGER-9]
- .gitlab-ci.yml: rename c10s_rhel10_compat_merge_request pipeline v2 (Jan Stancek)
- .gitlab-ci.yml: rename c10s_rhel10_compat_merge_request pipeline (Jan Stancek)
- .gitlab-ci.yml: customize pipeline (Jan Stancek)
- redhat: make genlog consider only VOYAGER project issues (Jan Stancek)
- redhat: build only for aarch64 64k and x86_64 variants (Jan Stancek)
- redhat: update self-test-data (Jan Stancek)
- redhat: set up initial Makefile.variables (Jan Stancek)
Resolves: VOYAGER-1, VOYAGER-44, VOYAGER-9

Signed-off-by: Jan Stancek <jstancek@redhat.com>

.gitignore

@@ -0,0 +1,2 @@
+*.xz
+*.bz2

Makefile.rhelver

@@ -0,0 +1,44 @@
+RHEL_MAJOR = 10
+RHEL_MINOR = 2
+
+#
+# RHEL_RELEASE
+# -------------
+#
+# Represents build number in 'release' part of RPM's name-version-release.
+#   name is <package_name>, e.g. kernel
+#   version is upstream kernel version this kernel is based on, e.g. 4.18.0
+#   release is <RHEL_RELEASE>.<dist_tag>[<buildid>], e.g. 100.el8
+#
+# Use this spot to avoid future merge conflicts.
+# Do not trim this comment.
+RHEL_RELEASE = 201
+
+#
+# RHEL_REBASE_NUM
+# ----------------
+#
+# Used in RPM version string for Gemini kernels, which dont use upstream
+# VERSION/PATCHLEVEL/SUBLEVEL. The number represents rebase number for
+# current MAJOR release.
+#
+# Use this spot to avoid future merge conflicts.
+# Do not trim this comment.
+RHEL_REBASE_NUM = 1
+
+#
+# Automotive
+# ----------
+#
+# Represents the major and minor release used by automotive.
+# Primarily this is used to to identify the build target when
+# building the automotive kernel package.
+AUTOMOTIVE_MAJOR = 2
+AUTOMOTIVE_MINOR = 0
+
+#
+# DERIVATIVE_BUILD
+# ---------------------------
+#
+# Set DERIVATIVE_STREAM to "yes" to enable derivative kernel versioning.
+DERIVATIVE_BUILD = 1

README.rst

@@ -0,0 +1,25 @@
+===================
+The Kernel dist-git
+===================
+
+The kernel is maintained in a `source tree`_ rather than directly in dist-git.
+The specfile is maintained as a `template`_ in the source tree along with a set
+of build scripts to generate configurations, (S)RPMs, and to populate the
+dist-git repository.
+
+The `documentation`_ for the source tree covers how to contribute and maintain
+the tree.
+
+If you're looking for the downstream patch set it's available in the source
+tree with "git log master..ark-patches" or
+`online`_.
+
+Each release in dist-git is tagged in the source repository so you can easily
+check out the source tree for a build. The tags are in the format
+name-version-release, but note release doesn't contain the dist tag since the
+source can be built in different build roots (Fedora, CentOS, etc.)
+
+.. _source tree: https://gitlab.com/cki-project/kernel-ark.git
+.. _template: https://gitlab.com/cki-project/kernel-ark/-/blob/os-build/redhat/kernel.spec.template
+.. _documentation: https://gitlab.com/cki-project/kernel-ark/-/wikis/home
+.. _online: https://gitlab.com/cki-project/kernel-ark/-/commits/ark-patches

check-kabi

@@ -0,0 +1,166 @@
+#!/usr/bin/python3
+#
+# check-kabi - Red Hat kABI reference checking tool
+#
+# We use this script to check against reference Module.kabi files.
+#
+# Author: Jon Masters <jcm@redhat.com>
+# Copyright (C) 2007-2009 Red Hat, Inc.
+#
+# This software may be freely redistributed under the terms of the GNU
+# General Public License (GPL).
+
+# Changelog:
+#
+# 2018/06/01 - Update for python3 by Petr Oros.
+# 2009/08/15 - Updated for use in RHEL6.
+# 2007/06/13 - Initial rewrite in python by Jon Masters.
+
+__author__ = "Jon Masters <jcm@redhat.com>"
+__version__ = "2.0"
+__date__ = "2009/08/15"
+__copyright__ = "Copyright (C) 2007-2009 Red Hat, Inc"
+__license__ = "GPL"
+
+import getopt
+import string
+import sys
+
+true = 1
+false = 0
+
+
+def load_symvers(symvers, filename):
+    """Load a Module.symvers file."""
+
+    symvers_file = open(filename, "r")
+
+    while true:
+        in_line = symvers_file.readline()
+        if in_line == "":
+            break
+        if in_line == "\n":
+            continue
+        checksum, symbol, directory, type, *ns = in_line.split()
+        ns = ns[0] if ns else None
+
+        symvers[symbol] = in_line[0:-1]
+
+
+def load_kabi(kabi, filename):
+    """Load a Module.kabi file."""
+
+    kabi_file = open(filename, "r")
+
+    while true:
+        in_line = kabi_file.readline()
+        if in_line == "":
+            break
+        if in_line == "\n":
+            continue
+        checksum, symbol, directory, type, *ns = in_line.split()
+        ns = ns[0] if ns else None
+
+        kabi[symbol] = in_line[0:-1]
+
+
+def check_kabi(symvers, kabi):
+    """Check Module.kabi and Module.symvers files."""
+
+    fail = 0
+    warn = 0
+    changed_symbols = []
+    moved_symbols = []
+    ns_symbols = []
+
+    for symbol in kabi:
+        abi_hash, abi_sym, abi_dir, abi_type, *abi_ns = kabi[symbol].split()
+        abi_ns = abi_ns[0] if abi_ns else None
+        if symbol in symvers:
+            sym_hash, sym_sym, sym_dir, sym_type, *sym_ns = symvers[symbol].split()
+            sym_ns = sym_ns[0] if sym_ns else None
+            if abi_hash != sym_hash:
+                fail = 1
+                changed_symbols.append(symbol)
+
+            if abi_dir != sym_dir:
+                warn = 1
+                moved_symbols.append(symbol)
+
+            if abi_ns != sym_ns:
+                warn = 1
+                ns_symbols.append(symbol)
+        else:
+            fail = 1
+            changed_symbols.append(symbol)
+
+    if fail:
+        print("*** ERROR - ABI BREAKAGE WAS DETECTED ***")
+        print("")
+        print("The following symbols have been changed (this will cause an ABI breakage):")
+        print("")
+        for symbol in changed_symbols:
+            print(symbol)
+        print("")
+
+    if warn:
+        print("*** WARNING - ABI SYMBOLS MOVED ***")
+        if moved_symbols:
+            print("")
+            print("The following symbols moved (typically caused by moving a symbol from being")
+            print("provided by the kernel vmlinux out to a loadable module):")
+            print("")
+            for symbol in moved_symbols:
+                print(symbol)
+            print("")
+        if ns_symbols:
+            print("")
+            print("The following symbols changed symbol namespaces:")
+            print("")
+            for symbol in ns_symbols:
+                print(symbol)
+            print("")
+
+    """Halt the build, if we got errors and/or warnings. In either case,
+       double-checkig is required to avoid introducing / concealing
+       KABI inconsistencies."""
+    if fail or warn:
+        sys.exit(1)
+    sys.exit(0)
+
+
+def usage():
+    print("""
+check-kabi: check Module.kabi and Module.symvers files.
+
+    check-kabi [ -k Module.kabi ] [ -s Module.symvers ]
+
+""")
+
+
+if __name__ == "__main__":
+
+    symvers_file = ""
+    kabi_file = ""
+
+    opts, args = getopt.getopt(sys.argv[1:], 'hk:s:')
+
+    for o, v in opts:
+        if o == "-s":
+            symvers_file = v
+        if o == "-h":
+            usage()
+            sys.exit(0)
+        if o == "-k":
+            kabi_file = v
+
+    if (symvers_file == "") or (kabi_file == ""):
+        usage()
+        sys.exit(1)
+
+    symvers = {}
+    kabi = {}
+
+    load_symvers(symvers, symvers_file)
+    load_kabi(kabi, kabi_file)
+    check_kabi(symvers, kabi)

def_variants.yaml.rhel

@@ -0,0 +1,490 @@
+packages:
+  - name: modules-core
+    depends-on: []
+  - name: modules
+    depends-on:
+    - modules-core
+  - name: modules-internal
+    depends-on:
+    - modules-core
+    - modules
+  - name: modules-extra
+    depends-on:
+    - modules-core
+    - modules
+  - name: modules-partner
+    depends-on:
+    - modules-core
+    - modules
+
+rules:
+  - .*kunit.*: modules-internal
+    exact_pkg: True
+  - .*test[^/]*.ko: modules-internal
+
+  - arch/.*: modules-core
+  - block/t10-pi.ko: modules-core
+  - crypto/.*: modules-core
+
+  - drivers/accel/.*: modules-core
+  - drivers/accessibility/.*: modules-core
+  - drivers/acpi/video.*: modules
+  - drivers/acpi/.*: modules-core
+  - drivers/ata/.*: modules-core
+
+  - drivers/base/regmap/regmap-sdw.*: modules
+  - drivers/base/.*: modules-core
+  - drivers/block/floppy.*: modules-extra
+  - drivers/block/rnbd.*: modules
+  - drivers/block/.*: modules-core
+  - drivers/bus/.*: modules-core
+
+  - drivers/cdrom/.*: modules-core
+  - drivers/cdx/.*: modules-core
+  - drivers/char/mwave.*: modules
+  - drivers/char/.*: modules-core
+  - drivers/clk/.*: modules-core
+  - drivers/counter/.*: modules-core
+  - drivers/cpufreq/amd-pstate-ut.ko: modules-internal
+  - drivers/cpufreq/.*: modules-core
+  - drivers/crypto/caam/.*: modules
+  - drivers/crypto/cavium/.*: modules
+  - drivers/crypto/chelsio/.*: modules
+  - drivers/crypto/hisilicon/.*: modules
+  - drivers/crypto/marvell/.*: modules
+  - drivers/crypto/.*: modules-core
+  - drivers/cxl/.*: modules-core
+
+  - drivers/dax/.*: modules-core
+  - drivers/dca/.*: modules-core
+  - drivers/devfreq/.*: modules-core
+  - drivers/dma/.*: modules-core
+
+  - drivers/edac/.*: modules-core
+  - drivers/extcon/.*: modules-core
+
+  - drivers/firmware/cirrus/test/.*(test|kunit).*: modules-internal
+  - drivers/firmware/iscsi_ibft.*: modules
+  - drivers/firmware/.*: modules-core
+  - drivers/fsi/.*: modules-core
+
+  - drivers/gnss/.*: modules-core
+  - drivers/gpio/gpio-dln2.*: modules-extra
+  - drivers/gpio/gpio-ljca.*: modules
+  - drivers/gpio/.*: modules-core
+  - drivers/gpu/drm/display/drm_.*: modules-core
+  - drivers/gpu/drm/drm.*: modules-core
+  - drivers/gpu/drm/etnaviv/.*: modules-core
+  - drivers/gpu/drm/gud/.*: modules-core
+  - drivers/gpu/drm/hyperv/.*: modules-core
+  - drivers/gpu/drm/imagination/.*: modules-core
+  - drivers/gpu/drm/lima/.*: modules-core
+  - drivers/gpu/drm/mxsfb/.*: modules-core
+  - drivers/gpu/drm/panfrost/.*: modules-core
+  - drivers/gpu/drm/qxl/.*: modules-core
+  - drivers/gpu/drm/scheduler/.*: modules-core
+  - drivers/gpu/drm/solomon/.*: modules-core
+  - drivers/gpu/drm/tidss/.*: modules-core
+  - drivers/gpu/drm/tiny/.*: modules-core
+  - drivers/gpu/drm/ttm/.*: modules-core
+  - drivers/gpu/drm/udl/.*: modules-core
+  - drivers/gpu/drm/v3d/.*: modules-core
+  - drivers/gpu/drm/vgem/.*: modules-core
+  - drivers/gpu/drm/virtio/.*: modules-core
+  - drivers/gpu/drm/vkms/.*: modules-core
+  - drivers/gpu/drm/vmwgfx/.*: modules-core
+  - drivers/gpu/drm/xlnx/.*: modules-core
+  - drivers/gpu/host1x/.*: modules-core
+
+  - drivers/hid/hid-asus.*: modules
+  - drivers/hid/hid-nintendo.*: modules
+  - drivers/hid/hid-picolcd.*: modules
+  - drivers/hid/hid-playstation.*: modules
+  - drivers/hid/surface-hid.*: modules
+  - drivers/hid/hid-prodikeys.*: modules
+  - drivers/hid/.*: modules-core
+  - drivers/hte/.*: modules-core
+  - drivers/hv/mshv_root.*: modules-extra
+  - drivers/hv/.*: modules-core
+  - drivers/hwmon/asus_wmi_sensors.*: modules
+  - drivers/hwmon/dell-smm-hwmon.*: modules
+  - drivers/hwmon/hp-wmi-sensors.*: modules
+  - drivers/hwmon/intel-m10-bmc-hwmon.*: modules
+  - drivers/hwmon/nct6775.*: modules
+  - drivers/hwmon/ntc_thermistor.*: modules
+  - drivers/hwmon/.*: modules-core
+  - drivers/hwspinlock/.*: modules-core
+  - drivers/hwtracing/.*: modules-core
+
+  - drivers/i2c/busses/i2c-dln2.*: modules-extra
+  - drivers/i2c/busses/i2c-ljca.*: modules
+  - drivers/i2c/.*: modules-core
+  - drivers/i3c/.*: modules-core
+  - drivers/iio/adc/dln2-adc.*: modules-extra
+  - drivers/input/gameport/.*: modules
+  - drivers/input/joystick/.*: modules-extra
+  - drivers/input/tablet/.*: modules
+  - drivers/input/touchscreen/.*: modules
+  - drivers/input/.*: modules-core
+  - drivers/interconnect/.*: modules-core
+  - drivers/iommu/.*: modules-core
+  - drivers/irqchip/.*: modules-core
+
+  - drivers/mailbox/.*: modules-core
+  - drivers/md/.*: modules-core
+  - drivers/memory/dfl-emif.*: modules
+  - drivers/memory/.*: modules-core
+  - drivers/message/fusion/mptctl.*: modules-extra
+  - drivers/message/fusion/mptfc.*: modules-extra
+  - drivers/message/fusion/.*: modules
+  - drivers/message/.*: modules-core
+  - drivers/mfd/dln2.*: modules-extra
+  - drivers/misc/.*: modules-core
+  - drivers/mux/.*: modules-core
+
+  - drivers/net/amt.ko: modules-core
+  - drivers/net/bareudp.ko: modules-core
+  - drivers/net/bonding/.*: modules-core
+  - drivers/net/can/slcan/slcan.*: modules-extra
+  - drivers/net/can/usb/ems_usb.*: modules-extra
+  - drivers/net/can/vcan.*: modules-extra
+  - drivers/net/dummy.ko: modules-core
+  - drivers/net/eql.ko: modules-core
+
+  - drivers/net/ethernet/8390/.*: modules-core
+  - drivers/net/ethernet/adi/.*: modules-core
+  - drivers/net/ethernet/agere/.*: modules-core
+  - drivers/net/ethernet/altera/.*: modules-core
+  - drivers/net/ethernet/amazon/.*: modules-core
+  - drivers/net/ethernet/amd/.*: modules-core
+  - drivers/net/ethernet/apm/.*: modules-core
+  - drivers/net/ethernet/asix/.*: modules-core
+  - drivers/net/ethernet/brocade/.*: modules-core
+  - drivers/net/ethernet/cavium/.*: modules-core
+  - drivers/net/ethernet/dnet.ko: modules-core
+  - drivers/net/ethernet/engleder/.*: modules-core
+  - drivers/net/ethernet/ethoc.ko: modules-core
+  - drivers/net/ethernet/fealnx.ko: modules-core
+  - drivers/net/ethernet/freescale/.*: modules-core
+  - drivers/net/ethernet/fungible/.*: modules-core
+  - drivers/net/ethernet/google/.*: modules-core
+  - drivers/net/ethernet/hisilicon/.*: modules-core
+  - drivers/net/ethernet/huawei/.*: modules-core
+  - drivers/net/ethernet/ibm/.*: modules-core
+  - drivers/net/ethernet/intel/.*: modules-core
+  - drivers/net/ethernet/jme.ko: modules-core
+  - drivers/net/ethernet/litex/.*: modules-core
+  - drivers/net/ethernet/mellanox/.*: modules-core
+  - drivers/net/ethernet/microsoft/.*: modules-core
+  - drivers/net/ethernet/myricom/.*: modules-core
+  - drivers/net/ethernet/natsemi/.*: modules-core
+  - drivers/net/ethernet/netronome/.*: modules-core
+  - drivers/net/ethernet/pensando/.*: modules-core
+  - drivers/net/ethernet/rocker/rocker.*: modules-internal
+  - drivers/net/ethernet/qualcomm/.*: modules-core
+  - drivers/net/ethernet/realtek/.*: modules-core
+  - drivers/net/ethernet/renesas/.*: modules-core
+  - drivers/net/ethernet/socionext/.*: modules-core
+  - drivers/net/ethernet/vertexcom/.*: modules-core
+  - drivers/net/ethernet/wangxun/.*: modules-core
+  - drivers/net/ethernet/xilinx/.*: modules-core
+
+  - drivers/net/fjes/.*: modules-core
+  - drivers/net/geneve.ko: modules-core
+  - drivers/net/gtp.ko: modules-core
+  - drivers/net/hamradio/.*: modules-extra
+  - drivers/net/hyperv/.*: modules-core
+  - drivers/net/ifb.ko: modules-core
+  - drivers/net/ipa/.*: modules-core
+  - drivers/net/ipvlan/.*: modules-core
+  - drivers/net/macsec.ko: modules-core
+  - drivers/net/macvlan.ko: modules-core
+  - drivers/net/macvtap.ko: modules-core
+  - drivers/net/mctp/.*: modules-core
+  - drivers/net/mdio.*: modules-core
+  - drivers/net/mhi_net.ko: modules-core
+  - drivers/net/mii.ko: modules-core
+  - drivers/net/net_failover.ko: modules-core
+  - drivers/net/netdevsim/netdevsim.*: modules-internal
+  - drivers/net/netconsole.ko: modules-core
+  - drivers/net/nlmon.ko: modules-core
+  - drivers/net/pcs/.*: modules-core
+  - drivers/net/phy/.*: modules-core
+  - drivers/net/rionet.ko: modules-core
+  - drivers/net/slip/slip.*: modules-extra
+  - drivers/net/sungem_phy.ko: modules-core
+  - drivers/net/tap.ko: modules-core
+  - drivers/net/team/.*: modules-core
+  - drivers/net/thunderbolt/.*: modules-core
+  - drivers/net/tun.ko: modules-core
+  - drivers/net/veth.ko: modules-core
+  - drivers/net/virtio_net.ko: modules-core
+  - drivers/net/vmxnet3/.*: modules-core
+  - drivers/net/vrf.ko: modules-core
+  - drivers/net/vsockmon.ko: modules-core
+  - drivers/net/vxlan/.*: modules-core
+  - drivers/net/wan/hdlc.*: modules-core
+  - drivers/net/wireguard/.*: modules-core
+  - drivers/net/wireless/virtual/mac80211_hwsim.*: modules-internal
+  - drivers/net/wwan/wwan_hwsim.*: modules-internal
+  - drivers/net/wwan/.*: modules-core
+  - drivers/net/xen.*: modules-core
+
+  - drivers/nvdimm/.*: modules-core
+  - drivers/nvme/host/nvme-rdma.*: modules
+  - drivers/nvme/target/nvmet-rdma.*: modules
+  - drivers/nvme/.*: modules-core
+  - drivers/nvmem/nvmem_u-boot-env.*: modules
+  - drivers/nvmem/.*: modules-core
+
+  - drivers/parport/parport_serial.*: modules
+  - drivers/parport/.*: modules-core
+  - drivers/pci/pcie/aer_inject.*: modules-extra
+  - drivers/pci/.*: modules-core
+  - drivers/perf/.*: modules-core
+  - drivers/phy/.*: modules-core
+  - drivers/pinctrl/.*: modules-core
+  - drivers/platform/x86/intel/intel_vsec.*: modules-core
+  - drivers/pmdomain/.*: modules-core
+  - drivers/powercap/intel_rapl_tpmi.*: modules
+  - drivers/powercap/.*: modules-core
+  - drivers/pps/.*: modules-core
+  - drivers/ptp/ptp_mock.*: modules-internal
+  - drivers/ptp/ptp_dfl_tod.*: modules
+  - drivers/ptp/.*: modules-core
+  - drivers/pwm/.*: modules-core
+
+  - drivers/rapidio/.*: modules-core
+  - drivers/regulator/arizona-micsupp.*: modules
+  - drivers/regulator/.*: modules-core
+  - drivers/remoteproc/.*: modules-core
+  - drivers/reset/.*: modules-core
+  - drivers/rpmsg/.*: modules-core
+  - drivers/rtc/.*: modules-core
+
+  - drivers/s390/net/ism.*: modules
+  - drivers/s390/.*: modules-core
+
+  - drivers/scsi/3w.*: modules-core
+  - drivers/scsi/BusLogic.ko: modules-core
+  - drivers/scsi/a100u2w.ko: modules-core
+  - drivers/scsi/advansys.ko: modules-core
+  - drivers/scsi/am53c974.ko: modules-core
+  - drivers/scsi/arcmsr.*: modules-core
+  - drivers/scsi/atp870u.ko: modules-core
+  - drivers/scsi/ch.ko: modules-core
+  - drivers/scsi/cxlflash/.*: modules-core
+  - drivers/scsi/dc395x.ko: modules-core
+  - drivers/scsi/device_handler/.*: modules-core
+  - drivers/scsi/dmx3191d.ko: modules-core
+  - drivers/scsi/elx/.*: modules-core
+  - drivers/scsi/esp_scsi.ko: modules-core
+  - drivers/scsi/fdomain.*: modules-core
+  - drivers/scsi/hpsa.ko: modules-core
+  - drivers/scsi/hptiop.ko: modules-core
+  - drivers/scsi/hv_storvsc.ko: modules-core
+  - drivers/scsi/ibmvscsi.*: modules-core
+  - drivers/scsi/initio.ko: modules-core
+  - drivers/scsi/ipr.ko: modules-core
+  - drivers/scsi/ips.ko: modules-core
+  - drivers/scsi/iscsi_tcp.ko: modules-core
+  - drivers/scsi/libfc/.*: modules-core
+  - drivers/scsi/libiscsi.*: modules-core
+  - drivers/scsi/mpi3mr/.*: modules-core
+  - drivers/scsi/mvumi.ko: modules-core
+  - drivers/scsi/myrb.ko: modules-core
+  - drivers/scsi/myrs.ko: modules-core
+  - drivers/scsi/raid_class.ko: modules-core
+  - drivers/scsi/scsi_debug.ko: modules-core
+  - drivers/scsi/scsi_transport_.*: modules-core
+  - drivers/scsi/sd_mod.ko: modules-core
+  - drivers/scsi/ses.ko: modules-core
+  - drivers/scsi/sg.ko: modules-core
+  - drivers/scsi/smartpqi/.*: modules-core
+  - drivers/scsi/snic/.*: modules-core
+  - drivers/scsi/sr_mod.ko: modules-core
+  - drivers/scsi/st.ko: modules-core
+  - drivers/scsi/stex.ko: modules-core
+  - drivers/scsi/virtio_scsi.ko: modules-core
+  - drivers/scsi/vmw_pvscsi.ko: modules-core
+  - drivers/scsi/wd719x.ko: modules-core
+  - drivers/scsi/xen-scsifront.ko: modules-core
+
+  - drivers/slimbus/.*: modules-core
+  - drivers/soc/.*: modules-core
+  - drivers/spi/spi-altera-dfl.*: modules
+  - drivers/spi/spi-dln2.*: modules-extra
+  - drivers/spi/spi-ljca.*: modules
+  - drivers/spi/.*: modules-core
+  - drivers/spmi/.*: modules-core
+
+  - drivers/target/iscsi/cxgbit/cxgbit.*: modules
+  - drivers/target/sbp/sbp_target.*: modules
+  - drivers/target/target_core_user.*: modules
+  - drivers/target/.*: modules-core
+  - drivers/tee/.*: modules-core
+  - drivers/thermal/intel/int340x_thermal/int3406_thermal.*: modules
+  - drivers/thermal/.*: modules-core
+  - drivers/thunderbolt/.*: modules-core
+
+  - drivers/ufs/.*: modules-core
+  - drivers/usb/atm/.*: modules
+  - drivers/usb/gadget/function/usb_f_midi2.*: modules
+  - drivers/usb/image/.*: modules
+  - drivers/usb/misc/trancevibrator.*: modules-extra
+  - drivers/usb/misc/usbio.ko: modules-core
+  - drivers/usb/misc/.*: modules
+  - drivers/usb/serial/.*: modules
+  - drivers/usb/typec/mux/nb7vpq904m.*: modules
+  - drivers/usb/usbip/.*: modules-internal
+  - drivers/usb/.*: modules-core
+
+  - drivers/vdpa/mlx5/mlx5_vdpa.*: modules
+  - drivers/vdpa/pds/pds_vdpa.*: modules
+  - drivers/vdpa/.*: modules-core
+  - drivers/vfio/pci/mlx5/mlx5-vfio-pci.*: modules
+  - drivers/vfio/pci/pds/pds-vfio-pc.*: modules
+  - drivers/vfio/.*: modules-core
+  - drivers/vhost/.*: modules-core
+  - drivers/video/backlight/apple_bl.*: modules
+  - drivers/video/.*: modules-core
+  - drivers/virt/.*: modules-core
+  - drivers/virtio/.*: modules-core
+
+  - drivers/watchdog/.*: modules-core
+
+  - drivers/xen/.*: modules-core
+
+  - drivers/w1/masters/ds2482.*: modules-extra
+  - drivers/w1/masters/ds2490.*: modules-extra
+  - drivers/w1/slaves/w1_ds2408.*: modules-extra
+  - drivers/w1/slaves/w1_ds2423.*: modules-extra
+  - drivers/w1/slaves/w1_ds2431.*: modules-extra
+  - drivers/w1/slaves/w1_ds2433.*: modules-extra
+  - drivers/w1/slaves/w1_ds2780.*: modules-extra
+  - drivers/w1/slaves/w1_ds2781.*: modules-extra
+  - drivers/w1/slaves/w1_ds28e04.*: modules-extra
+  - drivers/w1/slaves/w1_smem.*: modules-extra
+  - drivers/w1/slaves/w1_therm.*: modules-extra
+
+  - fs/9p/.*: modules-core
+  - fs/afs/.*: modules-partner
+  - fs/affs/affs.*: modules-extra
+  - fs/bcachefs/.*: modules-core
+  - fs/befs/befs.*: modules-extra
+  - fs/binfmt_misc.ko: modules-core
+  - fs/btrfs/.*: modules-internal
+  - fs/cachefiles/.*: modules-core
+  - fs/ceph/.*: modules-core
+  - fs/coda/coda.*: modules-extra
+  - fs/dlm/.*: modules-core
+  - fs/erofs/.*: modules-core
+  - fs/exfat/.*: modules-core
+  - fs/ext4/.*: modules-core
+  - fs/f2fs/.*: modules-core
+  - fs/fat/.*: modules-core
+  - fs/fuse/cuse.*: modules-extra
+  - fs/fuse/.*: modules-core
+  - fs/gfs2/.*: modules-core
+  - fs/isofs/.*: modules-core
+  - fs/jbd2/.*: modules-core
+  - fs/lockd/.*: modules-core
+  - fs/mbcache.ko: modules-core
+  - fs/netfs/.*: modules-core
+  - fs/nfs.*: modules-core
+  - fs/nilfs2/nilfs2.*: modules-extra
+  - fs/nls/.*: modules-core
+  - fs/ntfs3/.*: modules-core
+  - fs/ocfs2/.*: modules-extra
+  - fs/orangefs/.*: modules-core
+  - fs/overlayfs/.*: modules-core
+  - fs/pstore/.*: modules-core
+  - fs/sysv/.*: modules-extra
+  - fs/ubifs/.*: modules-extra
+  - fs/udf/.*: modules-core
+  - fs/ufs/.*: modules-extra
+  - fs/vboxsf/.*: modules-core
+  - fs/xfs/.*: modules-core
+  - fs/zonefs/.*: modules-core
+
+  - kernel/locking/locktorture.*: modules-internal
+  - kernel/rcu/rcuscale.*: modules-internal
+  - kernel/rcu/rcutorture.*: modules-internal
+  - kernel/rcu/refscale.*: modules-internal
+  - kernel/scftorture.*: modules-internal
+  - kernel/torture.*: modules-internal
+  - kernel/.*: modules-core
+
+  - lib/.*: modules-core
+
+  - mm/zsmalloc.ko: modules-core
+
+  - net/802/.*: modules-core
+  - net/8021q/.*: modules-core
+  - net/9p/9pnet_rdma.ko: modules
+  - net/9p/.*: modules-core
+  - net/appletalk/appletalk.*: modules-extra
+  - net/atm/br2684.*: modules-extra
+  - net/atm/clip.*: modules-extra
+  - net/atm/lec.*: modules-extra
+  - net/atm/pppoatm.*: modules-extra
+  - net/ax25/ax25.*: modules-extra
+  - net/batman-adv/batman-adv.*: modules-extra
+  - net/bridge/br_netfilter.*: modules-extra
+  - net/bridge/netfilter/ebt.*: modules-extra
+  - net/bridge/.*: modules-core
+  - net/ceph/.*: modules-core
+  - net/core/pktgen.*: modules-internal
+  - net/core/.*: modules-core
+  - net/dns_resolver/.*: modules-core
+  - net/hsr/.*: modules-core
+  - net/ife/.*: modules-core
+  - net/ipv4/netfilter/arp.*: modules-extra
+  - net/ipv4/netfilter/ip[_t].*: modules-extra
+  - net/ipv4/tcp_bic.*: modules-extra
+  - net/ipv4/tcp_highspeed.*: modules-extra
+  - net/ipv4/tcp_htcp.*: modules-extra
+  - net/ipv4/tcp_hybla.*: modules-extra
+  - net/ipv4/tcp_illinois.*: modules-extra
+  - net/ipv4/tcp_lp.*: modules-extra
+  - net/ipv4/tcp_scalable.*: modules-extra
+  - net/ipv4/tcp_vegas.*: modules-extra
+  - net/ipv4/tcp_veno.*: modules-extra
+  - net/ipv4/tcp_westwood.*: modules-extra
+  - net/ipv4/tcp_yeah.*: modules-extra
+  - net/ipv4/.*: modules-core
+  - net/ipv6/netfilter/ebt.*: modules-extra
+  - net/ipv6/netfilter/ip6[_t].*: modules-extra
+  - net/ipv6/.*: modules-core
+  - net/iucv/.*: modules-core
+  - net/kcm/.*: modules-core
+  - net/key/.*: modules-core
+  - net/l2tp/.*: modules-extra
+  - net/llc/.*: modules-core
+  - net/netfilter/ipset/.*: modules-extra
+  - net/netfilter/nft_compat.*: modules-extra
+  - net/netfilter/xt_.*: modules-extra
+  - net/netfilter/.*: modules-core
+  - net/netrom/netrom.*: modules-extra
+  - net/nsh/.*: modules-core
+  - net/openvswitch/.*: modules-core
+  - net/psample/.*: modules-core
+  - net/qrtr/.*: modules-core
+  - net/rds/rds.*: modules-extra
+  - net/rose/rose.*: modules-extra
+  - net/rxrpc/.*: modules-partner
+  - net/sched/.*: modules-core
+  - net/sctp/.*: modules-extra
+  - net/sunrpc/xprtrdma/rpcrdma.*: modules
+  - net/sunrpc/.*: modules-core
+  - net/tipc/.*: modules-extra
+  - net/tls/.*: modules-core
+  - net/vmw_vsock/.*: modules-core
+  - net/xdp/.*: modules-core
+  - net/xfrm/.*: modules-core
+
+  - samples/.*: modules-internal
+
+  - virt/.*: modules-core
+
+  - default: modules

dracut-virt.conf

@@ -0,0 +1,58 @@
+# generic + compressed please
+hostonly="no"
+compress="xz"
+
+# VMs can't update microcode anyway
+early_microcode="no"
+
+# modules: basics
+dracutmodules+=" dracut-systemd i18n shutdown "
+
+# modules: storage support
+dracutmodules+=" dm lvm rootfs-block fs-lib "
+
+# modules: tpm and crypto
+dracutmodules+=" crypt crypt-loop tpm2-tss systemd-pcrphase "
+
+# dracut >= 102 separated systemd-cryptsetup into its own module
+CSMODULE=`dracut --list-modules --no-kernel | grep '^systemd-cryptsetup$'`
+dracutmodules+=" $CSMODULE "
+
+# modules: support root on virtiofs
+dracutmodules+=" virtiofs "
+
+# modules: use sysext images (see 'man systemd-sysext')
+dracutmodules+=" systemd-sysext "
+
+# modules: root disk integrity protection
+dracutmodules+=" systemd-veritysetup "
+
+# modules: root creation and encryption
+dracutmodules+=" systemd-repart "
+# FIXME: remove this once RHEL-103385 is merged
+install_items+=" /usr/sbin/mkfs.vfat /usr/sbin/mkfs.ext4 /usr/sbin/mkfs.xfs "
+
+# modules: FIPS
+dracutmodules+=" fips "
+# FIPS mode requires early crypto drivers test
+drivers+=" =crypto "
+
+# drivers: virtual buses, pci
+drivers+=" virtio-pci virtio-mmio "      # qemu-kvm
+drivers+=" hv-vmbus pci-hyperv "         # hyperv
+drivers+=" xen-pcifront "                # xen
+
+# drivers: storage
+drivers+=" ahci nvme sd_mod sr_mod "     # generic
+drivers+=" virtio-blk virtio-scsi "      # qemu-kvm
+drivers+=" hv-storvsc "                  # hyperv
+drivers+=" xen-blkfront "                # xen
+
+# root encryption
+drivers+=" dm_crypt "
+
+# root disk integrity protection
+drivers+=" dm_verity overlay "
+
+# filesystems
+filesystems+=" vfat ext4 xfs overlay "

flavors

@@ -0,0 +1 @@
+rhel

gating.yaml

@@ -0,0 +1,26 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-64k-aarch64.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-64k-debug-aarch64.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-aarch64.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-debug-aarch64.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-debug-ppc64le.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-debug-s390x.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-debug-x86_64.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-ppc64le.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-rt-64k-aarch64.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-rt-64k-debug-aarch64.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-rt-aarch64.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-rt-debug-aarch64.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-rt-debug-x86_64.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-rt-x86_64.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-s390x.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.kernel-x86_64.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: s1-aws-ci_x86_64.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: s1-aws-ci_aarch64.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: s1-azure-ci_x86_64.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: s1-azure-ci_aarch64.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: s1-gcp-ci.brew-build.tier1.functional}

generate_all_configs.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# Adjusts the configuration options to build the variants correctly
+
+test -n "$RHTEST" && exit 0
+
+DEBUGBUILDSENABLED=$1
+if [ -z "$DEBUGBUILDSENABLED" ]; then
+	exit 1
+fi
+
+if [ -z "$FLAVOR" ]; then
+	FLAVOR=rhel
+fi
+
+if [ "$FLAVOR" = "fedora" ]; then
+	SECONDARY=rhel
+else
+	SECONDARY=fedora
+fi
+
+# The +1 is to remove the - at the end of the SPECPACKAGE_NAME string
+specpackage_name_len=$((${#SPECPACKAGE_NAME} + 1))
+for i in "${SPECPACKAGE_NAME}"*-"$FLAVOR".config; do
+	# shellcheck disable=SC3057
+	NEW=${SPECPACKAGE_NAME}-"$SPECRPMVERSION"-$(echo "${i:$specpackage_name_len}" | sed s/-"$FLAVOR"//)
+	mv "$i" "$NEW"
+done
+
+rm -f kernel-*-"$SECONDARY".config
+
+if [ "$DEBUGBUILDSENABLED" -eq 0 ]; then
+	for i in "${SPECPACKAGE_NAME}"-*debug*.config; do
+		base=$(echo "$i" | sed -r s/-?debug//g)
+		NEW=${SPECPACKAGE_NAME}-$(echo "$base" | cut -d - -f2-)
+		mv "$i" "$NEW"
+	done
+fi

kernel-local

@@ -0,0 +1,2 @@
+# This file is intentionally left empty in the stock kernel. Its a nicety
+# added for those wanting to do custom rebuilds with altered config opts.

kernel.sbat.template

@@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+kernel.@SBAT_SUFFIX,1,Red Hat,kernel-core,@KVER,mailto:secalert@redhat.com

kvm_stat.logrotate

@@ -0,0 +1,11 @@
+/var/log/kvm_stat.csv {
+	size 10M
+	missingok
+	compress
+	maxage 30
+	rotate 5
+	nodateext
+	postrotate
+		/usr/bin/systemctl try-restart kvm_stat.service
+	endscript
+}

merge.py

@@ -0,0 +1,88 @@
+#!/usr/bin/python3
+# SPDX-License-Identifier: GPL-2.0
+# Author: Clark Williams <williams@redhat.com>
+# Copyright (C) 2022 Red Hat, Inc.
+#
+# merge.py - a direct replacement for merge.pl in the redhat/configs directory
+#
+# invocation:   python merge.py overrides baseconfig [arch]
+#
+# This script merges two kernel configuration files, an override file and a
+# base config file and writes the results to stdout.
+#
+# The script reads the overrides into a dictionary, then reads the baseconfig
+# file, looking for overrides and replacing any found, then printing the result
+# to stdout. Finally any remaining (new) configs in the override are appended to the
+# end of the output
+
+import sys
+import re
+import os.path
+
+def usage(msg):
+    '''print a usage message and exit'''
+    sys.stderr.write(msg + "\n")
+    sys.stderr.write("usage: merge.py overrides baseconfig [arch]\n")
+    sys.exit(1)
+
+isset = re.compile(r'^(CONFIG_\w+)=')
+notset = re.compile(r'^#\s+(CONFIG_\w+)\s+is not set')
+
+# search an input line for a config (set or notset) pattern
+# if we get a match return the config that is being changed
+def find_config(line):
+    '''find a configuration line in the input and return the config name'''
+    m = isset.match(line)
+    if (m is not None):
+        return m.group(1)
+
+    m = notset.match(line)
+    if (m is not None):
+        return m.group(1)
+
+    return None
+
+#########################################################
+
+if len(sys.argv) < 3:
+    usage("must have two input files")
+
+override_file = sys.argv[1]
+baseconfig_file = sys.argv[2]
+
+if not os.path.exists(override_file):
+    usage(f"overrides config file {override_file:s} does not exist!")
+
+if not os.path.exists(baseconfig_file):
+    usage(f"base configs file {baseconfig_file:s} does not exist")
+
+if len(sys.argv) == 4:
+    print(f"# {sys.argv[3]:s}")
+
+# read each line of the override file and store any configuration values
+# in the overrides dictionary, keyed by the configuration name.
+overrides = {}
+with open(override_file, "rt", encoding="utf-8") as f:
+    for line in [l.strip() for l in f.readlines()]:
+        c = find_config(line)
+        if c and c not in overrides:
+            overrides[c] = line
+
+# now read and print the base config, checking each line
+# that defines a config value and printing the override if
+# it exists
+with open(baseconfig_file, "rt", encoding="utf-8") as f:
+    for line in [ l.strip() for l in f.readlines() ]:
+        c = find_config(line)
+        if c and c in overrides:
+            print(overrides[c])
+            del overrides[c]
+        else:
+            print(line)
+
+# print out the remaining configs (new values)
+# from the overrides file
+for v in overrides.values():
+    print (v)
+
+sys.exit(0)

mod-denylist.sh

@@ -0,0 +1,67 @@
+#! /bin/bash
+# shellcheck disable=SC2164
+
+rpm_buildroot="$1"
+module_dir="$2"
+module_list="$3"
+
+blacklist_conf_files="$(mktemp)"
+
+blacklist()
+{
+	mkdir -p "$rpm_buildroot/etc/modprobe.d/"
+	cat > "$rpm_buildroot/etc/modprobe.d/$1-blacklist.conf" <<-__EOF__
+	# This kernel module can be automatically loaded by non-root users. To
+	# enhance system security, the module is blacklisted by default to ensure
+	# system administrators make the module available for use as needed.
+	# See https://access.redhat.com/articles/3760101 for more details.
+	#
+	# Remove the blacklist by adding a comment # at the start of the line.
+	blacklist $1
+__EOF__
+	echo "%config(noreplace) /etc/modprobe.d/$1-blacklist.conf" >> "$blacklist_conf_files"
+}
+
+check_blacklist()
+{
+	mod="$rpm_buildroot/$1"
+	[ ! "$mod" ] && return 0
+	if modinfo "$mod" | grep -q '^alias:\s\+net-'; then
+		mod="${1##*/}"
+		mod="${mod%.ko*}"
+		echo "$mod has an alias that allows auto-loading. Blacklisting."
+		blacklist "$mod"
+	fi
+}
+
+foreachp()
+{
+	P=$(nproc)
+	bgcount=0
+	while read -r mod; do
+		$1 "$mod" &
+
+		bgcount=$((bgcount + 1))
+		if [ $bgcount -eq "$P" ]; then
+			wait -n
+			bgcount=$((bgcount - 1))
+		fi
+	done
+
+	wait
+}
+
+# Many BIOS-es export a PNP-id which causes the floppy driver to autoload
+# even though most modern systems don't have a 3.5" floppy driver anymore
+# this replaces the old die_floppy_die.patch which removed the PNP-id from
+# the module
+
+floppylist=("$rpm_buildroot"/"$module_dir"/kernel/drivers/block/floppy.ko*)
+if [[ -n ${floppylist[0]} && -f ${floppylist[0]} ]]; then
+     blacklist "floppy"
+fi
+
+foreachp check_blacklist < "$module_list"
+
+cat "$blacklist_conf_files" >> "$module_list"
+rm -f "$blacklist_conf_files"

mod-sign.sh

@@ -0,0 +1,37 @@
+#! /bin/bash
+
+# The modules_sign target checks for corresponding .o files for every .ko that
+# is signed. This doesn't work for package builds which re-use the same build
+# directory for every variant, and the .config may change between variants.
+# So instead of using this script to just sign lib/modules/$KernelVer/extra,
+# sign all .ko in the buildroot.
+
+# This essentially duplicates the 'modules_sign' Kbuild target and runs the
+# same commands for those modules.
+
+MODSECKEY=$1
+MODPUBKEY=$2
+moddir=$3
+
+modules=$(find "$moddir" -type f -name '*.ko')
+
+NPROC=$(nproc)
+[ -z "$NPROC" ] && NPROC=1
+
+# NB: this loop runs 2000+ iterations. Try to be fast.
+echo "$modules" | xargs -r -n16 -P "$NPROC" sh -c "
+for mod; do
+    ./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$mod
+    rm -f \$mod.sig \$mod.dig
+done
+" DUMMYARG0   # xargs appends ARG1 ARG2..., which go into $mod in for loop.
+
+RANDOMMOD=$(echo "$modules" | sort -R | head -n 1)
+if [ "~Module signature appended~" != "$(tail -c 28 "$RANDOMMOD")" ]; then
+    echo "*****************************"
+    echo "*** Modules are unsigned! ***"
+    echo "*****************************"
+    exit 1
+fi
+
+exit 0

partial-clang-debug-snip.config

@@ -0,0 +1,4 @@
+# clang
+# CONFIG_DRM_WERROR is not set
+CONFIG_KASAN_STACK=y
+# CONFIG_KMSAN is not set

partial-clang-snip.config

@@ -0,0 +1,4 @@
+# clang
+# CONFIG_DRM_WERROR is not set
+# CONFIG_KASAN_STACK is not set
+# CONFIG_KMSAN is not set

partial-clang_lto-aarch64-debug-snip.config

@@ -0,0 +1,4 @@
+# clang_lto
+# CONFIG_DRM_WERROR is not set
+CONFIG_KASAN_STACK=y
+# CONFIG_KMSAN is not set

partial-clang_lto-aarch64-snip.config

@@ -0,0 +1,6 @@
+# clang_lto
+# CONFIG_DRM_WERROR is not set
+# CONFIG_KASAN_STACK is not set
+# CONFIG_KMSAN is not set
+CONFIG_LTO_CLANG_THIN=y
+# CONFIG_LTO_NONE is not set

partial-clang_lto-x86_64-debug-snip.config

@@ -0,0 +1,4 @@
+# clang_lto
+# CONFIG_DRM_WERROR is not set
+CONFIG_KASAN_STACK=y
+# CONFIG_KMSAN is not set

partial-clang_lto-x86_64-snip.config

@@ -0,0 +1,6 @@
+# clang_lto
+# CONFIG_DRM_WERROR is not set
+# CONFIG_KASAN_STACK is not set
+# CONFIG_KMSAN is not set
+CONFIG_LTO_CLANG_THIN=y
+# CONFIG_LTO_NONE is not set

partial-kgcov-debug-snip.config

@@ -0,0 +1,6 @@
+# kgcov
+CONFIG_GCOV_KERNEL=y
+CONFIG_GCOV_PROFILE_ALL=y
+# CONFIG_GCOV_PROFILE_FTRACE is not set
+CONFIG_GCOV_PROFILE_RDS=y
+CONFIG_GCOV_PROFILE_URING=y

partial-kgcov-snip.config

@@ -0,0 +1,6 @@
+# kgcov
+CONFIG_GCOV_KERNEL=y
+CONFIG_GCOV_PROFILE_ALL=y
+# CONFIG_GCOV_PROFILE_FTRACE is not set
+CONFIG_GCOV_PROFILE_RDS=y
+CONFIG_GCOV_PROFILE_URING=y

process_configs.sh

@@ -0,0 +1,424 @@
+#!/bin/bash
+#
+# This script takes the merged config files and processes them through oldconfig
+# and listnewconfig
+#
+# Globally disable suggestion of appending '|| exit' or '|| return' to cd/pushd/popd commands
+# shellcheck disable=SC2164
+
+test -n "$RHTEST" && exit 0
+
+usage()
+{
+	# alphabetical order please
+	echo "process_configs.sh [ options ] package_name kernel_version"
+	echo "     -a: report all errors, equivalent to [-c -n -w -i]"
+	echo "     -c: error on mismatched config options"
+	echo "     -i: continue on error"
+	echo "     -n: error on unset config options"
+	echo "     -t: test run, do not overwrite original config"
+	echo "     -w: error on misconfigured config options"
+	echo "     -z: commit new configs to pending directory"
+	echo ""
+	echo "     A special CONFIG file tag, process_configs_known_broken can be added as a"
+	echo "     comment to any CONFIG file.  This tag indicates that there is no way to "
+	echo "     fix a CONFIG's entry.  This tag should only be used in extreme cases"
+	echo "     and is not to be used as a workaround to solve CONFIG problems."
+	exit 1
+}
+
+die()
+{
+	echo "$1"
+	exit 1
+}
+
+get_cross_compile()
+{
+	arch=$1
+	if [[ "$CC_IS_CLANG" -eq 1 ]]; then
+		echo "$arch"
+	else
+		echo "scripts/dummy-tools/"
+	fi
+}
+
+# stupid function to find top of tree to do kernel make configs
+switch_to_toplevel()
+{
+	path="$(pwd)"
+	while test -n "$path"
+	do
+		test -e "$path"/MAINTAINERS && \
+			test -d "$path"/drivers && \
+			break
+
+		path=$(dirname "$path")
+	done
+
+	test -n "$path"  || die "Can't find toplevel"
+	echo "$path"
+}
+
+checkoptions()
+{
+	count=$3
+	variant=$4
+
+	/usr/bin/awk '
+
+		/is not set/ {
+			split ($0, a, "#");
+			split(a[2], b);
+			if (NR==FNR) {
+				configs[b[1]]="is not set";
+			} else {
+				if (configs[b[1]] != "" && configs[b[1]] != "is not set")
+					 print "Found # "b[1] " is not set, after generation, had " b[1] " " configs[b[1]] " in Source tree";
+			}
+		}
+
+		/=/     {
+			split ($0, a, "=");
+			if (NR==FNR) {
+				configs[a[1]]=a[2];
+			} else {
+				if (configs[a[1]] != "" && configs[a[1]] != a[2])
+					 print "Found "a[1]"="a[2]" after generation, had " a[1]"="configs[a[1]]" in Source tree";
+			}
+		}
+	' "$1" "$2" > .mismatches"${count}"
+
+	checkoptions_error=false
+	if test -s .mismatches"${count}"
+	then
+		while read -r LINE
+		do
+			if find "${REDHAT}"/configs -name "$(echo "$LINE" | awk -F "=" ' { print $1 } ' | awk ' { print $2 }')" -print0 | xargs -0 grep ^ | grep -q "process_configs_known_broken"; then
+				# This is a known broken config.
+				# See script help warning.
+				checkoptions_error=false
+			else
+				checkoptions_error=true
+				break
+			fi
+		done < .mismatches"${count}"
+
+		! $checkoptions_error && return
+
+		sed -i "1s/^/Error: Mismatches found in configuration files for ${arch} ${variant}\n/" .mismatches"${count}"
+	else
+		rm -f .mismatches"${count}"
+	fi
+}
+
+parsenewconfigs()
+{
+	tmpdir=$(mktemp -d)
+
+	# This awk script reads the output of make listnewconfig
+	# and puts it into CONFIG_FOO files. Using the output of
+	# listnewconfig is much easier to ensure we get the default
+	# output.
+        /usr/bin/awk -v BASE="$tmpdir" '
+                /is not set/ {
+                        split ($0, a, "#");
+                        split(a[2], b);
+                        OUT_FILE=BASE"/"b[1];
+                        print $0 >> OUT_FILE;
+                }
+
+                /=/     {
+                        split ($0, a, "=");
+                        OUT_FILE=BASE"/"a[1];
+                        if (a[2] == "n")
+                                print "# " a[1] " is not set" >> OUT_FILE;
+                        else
+                                print $0 >> OUT_FILE;
+                }
+
+        ' .newoptions
+
+	# This awk script parses the output of helpnewconfig.
+	# Each option is separated between ----- markers
+	# The goal is to put all the help text as a comment in
+	# each CONFIG_FOO file. Because of how awk works
+	# there's a lot of moving files around and catting to
+	# get what we need.
+        /usr/bin/awk -v BASE="$tmpdir" '
+                BEGIN { inpatch=0;
+			outfile="none";
+                        symbol="none";
+                        commit=""; }
+                /^Symbol: .*$/ {
+                        split($0, a, " ");
+                        symbol="CONFIG_"a[2];
+                        outfile=BASE "/fake_"symbol
+                }
+                /-----/ {
+			if (inpatch == 0) {
+				inpatch = 1;
+			}
+                        else {
+                                if (symbol != "none") {
+                                    print "# Commit: "commit >> outfile
+                                    system("cat " outfile " " BASE "/" symbol " > " BASE "/tmpf");
+                                    system("mv " BASE "/tmpf " BASE "/" symbol);
+                                    symbol="none"
+                                    commit=""
+				}
+                                outfile="none"
+				inpatch = 0;
+                        }
+                }
+                !/-----/ {
+                        if (inpatch == 1 && outfile != "none") {
+                                print "# "$0 >> outfile;
+                        }
+                }
+                /^Defined at .*$/ {
+                        split($0, x, " ");
+                        filenum=x[3];
+                        split(filenum, x, ":");
+                        file=x[1]
+                        line=x[2]
+                        cmd="git blame -L " line "," line " " file " | cut -d \" \" -f1 | xargs git log --pretty=format:\"%C(auto)%h %C(cyan)('%s')\" -1"
+                        cmd | getline commit
+                }
+
+
+        ' .helpnewconfig
+
+	pushd "$tmpdir" &> /dev/null
+	rm fake_*
+	popd &> /dev/null
+	for f in "$tmpdir"/*; do
+		[[ -e "$f" ]] || break
+		cp "$f" "$SCRIPT_DIR/pending$FLAVOR/generic/"
+	done
+
+	rm -rf "$tmpdir"
+}
+
+function commit_new_configs()
+{
+	# assume we are in $source_tree/configs, need to get to top level
+	pushd "$(switch_to_toplevel)" &>/dev/null
+
+	for cfg in "$SCRIPT_DIR/${SPECPACKAGE_NAME}${KVERREL}"*.config
+	do
+		arch=$(head -1 "$cfg" | cut -b 3-)
+		cfgtmp="${cfg}.tmp"
+		cfgorig="${cfg}.orig"
+		cat "$cfg" > "$cfgorig"
+
+		if [ "$arch" = "EMPTY" ]
+		then
+			# This arch is intentionally left blank
+			continue
+		fi
+		echo -n "Checking for new configs in $cfg ... "
+
+		# shellcheck disable=SC2086
+		make ${MAKEOPTS} ARCH="$arch" CROSS_COMPILE="$(get_cross_compile "$arch")" KCONFIG_CONFIG="$cfgorig" listnewconfig >& .listnewconfig
+		grep -E 'CONFIG_' .listnewconfig > .newoptions
+		if test -s .newoptions
+		then
+		# shellcheck disable=SC2086
+			make ${MAKEOPTS} ARCH="$arch" CROSS_COMPILE="$(get_cross_compile "$arch")" KCONFIG_CONFIG="$cfgorig" helpnewconfig >& .helpnewconfig
+			parsenewconfigs
+		fi
+		rm .newoptions
+		echo "done"
+	done
+
+	git add "$SCRIPT_DIR/pending$FLAVOR"
+	git commit -m "[redhat] AUTOMATIC: New configs"
+}
+
+function process_config()
+{
+	local cfg
+	local arch
+	local cfgtmp
+	local cfgorig
+	local count
+	local variant
+
+	cfg=$1
+	count=$2
+
+	arch=$(head -1 "$cfg" | cut -b 3-)
+
+	if [ "$arch" = "EMPTY" ]
+	then
+		# This arch is intentionally left blank
+		return
+	fi
+
+	variant=$(basename "$cfg" | cut -d"-" -f3- | cut -d"." -f1)
+
+	cfgtmp="${cfg}.tmp"
+	cfgorig="${cfg}.orig"
+	cat "$cfg" > "$cfgorig"
+
+	echo "Processing $cfg ... "
+
+	# shellcheck disable=SC2086
+	make ${MAKEOPTS} ARCH="$arch" CROSS_COMPILE="$(get_cross_compile "$arch")" KCONFIG_CONFIG="$cfgorig" listnewconfig >& .listnewconfig"${count}"
+	grep -E 'CONFIG_' .listnewconfig"${count}" > .newoptions"${count}"
+	if test -n "$NEWOPTIONS" && test -s .newoptions"${count}"
+	then
+		echo "Found unset config items in ${arch} ${variant}, please set them to an appropriate value" >> .errors"${count}"
+		cat .newoptions"${count}" >> .errors"${count}"
+		rm .newoptions"${count}"
+		RETURNCODE=1
+	fi
+	rm -f .newoptions"${count}"
+
+	grep -E 'config.*warning' .listnewconfig"${count}" > .warnings"${count}"
+	if test -n "$CHECKWARNINGS" && test -s .warnings"${count}"
+	then
+		echo "Found misconfigured config items in ${arch} ${variant}, please set them to an appropriate value" >> .errors"${count}"
+		cat .warnings"${count}" >> .errors"${count}"
+	fi
+	rm .warnings"${count}"
+
+	rm .listnewconfig"${count}"
+
+	# shellcheck disable=SC2086
+	make ${MAKEOPTS} ARCH="$arch" CROSS_COMPILE="$(get_cross_compile "$arch")" KCONFIG_CONFIG="$cfgorig" olddefconfig > /dev/null || exit 1
+	echo "# $arch" > "$cfgtmp"
+	cat "$cfgorig" >> "$cfgtmp"
+	if test -n "$CHECKOPTIONS"
+	then
+		checkoptions "$cfg" "$cfgtmp" "$count" "$variant"
+	fi
+	# if test run, don't overwrite original
+	if test -n "$TESTRUN"
+	then
+		rm -f "$cfgtmp"
+	else
+		mv "$cfgtmp" "$cfg"
+	fi
+	rm -f "$cfgorig"
+	echo "Processing $cfg complete"
+}
+
+function process_configs()
+{
+	# assume we are in $source_tree/configs, need to get to top level
+	pushd "$(switch_to_toplevel)" &>/dev/null
+
+	# The next line is throwaway code for transition to parallel
+	# processing.  Leaving this line in place is harmless, but it can be
+	# removed the next time anyone updates this function.
+	[ -f .mismatches ] && rm -f .mismatches
+
+	count=0
+	for cfg in "$SCRIPT_DIR/${SPECPACKAGE_NAME}${KVERREL}"*.config
+	do
+		if [ "$count" -eq 0 ]; then
+			# do the first one by itself so that tools are built
+			process_config "$cfg" "$count"
+		fi
+		process_config "$cfg" "$count" &
+		# shellcheck disable=SC2004
+		waitpids[${count}]=$!
+		((count++))
+		while [ "$(jobs | grep -c Running)" -ge "$RHJOBS" ]; do :; done
+	done
+	# shellcheck disable=SC2048
+	for pid in ${waitpids[*]}; do
+		wait "${pid}"
+	done
+
+	rm "$SCRIPT_DIR"/*.config*.old
+
+	if ls .errors* 1> /dev/null 2>&1; then
+		RETURNCODE=1
+		cat .errors*
+		rm .errors* -f
+	fi
+	if ls .mismatches* 1> /dev/null 2>&1; then
+		RETURNCODE=1
+		cat .mismatches*
+		rm .mismatches* -f
+	fi
+
+	popd > /dev/null
+
+	[ $RETURNCODE -eq 0 ] && echo "Processed config files are in $SCRIPT_DIR"
+}
+
+CHECKOPTIONS=""
+NEWOPTIONS=""
+TESTRUN=""
+CHECKWARNINGS=""
+MAKEOPTS=""
+CC_IS_CLANG=0
+
+RETURNCODE=0
+
+while [[ $# -gt 0 ]]
+do
+	key="$1"
+	case $key in
+		-a)
+			CHECKOPTIONS="x"
+			NEWOPTIONS="x"
+			CHECKWARNINGS="x"
+			;;
+		-c)
+			CHECKOPTIONS="x"
+			;;
+		-h)
+			usage
+			;;
+		-n)
+			NEWOPTIONS="x"
+			;;
+		-t)
+			TESTRUN="x"
+			;;
+		-w)
+			CHECKWARNINGS="x"
+			;;
+		-z)
+			COMMITNEWCONFIGS="x"
+			;;
+		-m)
+			shift
+			if [ "$1" = "CC=clang" ] || [ "$1" = "LLVM=1" ]; then
+				CC_IS_CLANG=1
+			fi
+			MAKEOPTS="$MAKEOPTS $1"
+			;;
+		*)
+			break;;
+	esac
+	shift
+done
+
+KVERREL="$(test -n "$1" && echo "-$1" || echo "")"
+FLAVOR="$(test -n "$2" && echo "-$2" || echo "-rhel")"
+# shellcheck disable=SC2015
+SCRIPT=$(readlink -f "$0")
+SCRIPT_DIR=$(dirname "$SCRIPT")
+
+# Config options for RHEL should target the pending-rhel directory, not pending-common.
+if [ "$FLAVOR" = "-rhel" ]
+then
+	FLAVOR="-rhel"
+fi
+
+# to handle this script being a symlink
+cd "$SCRIPT_DIR"
+
+if test -n "$COMMITNEWCONFIGS"; then
+	commit_new_configs
+else
+	process_configs
+fi
+
+exit $RETURNCODE

rpminspect.yaml

@@ -0,0 +1,75 @@
+# additional rpminspect configuration for this branch
+
+---
+inspections:
+    abidiff: off
+    kmidiff: off
+    upstream: off
+    subpackages: off
+    license: off
+    debuginfo: off
+    removedfiles: off
+    disttag: off
+    patches: off
+
+badfuncs:
+    ignore:
+        - /usr/libexec/ksamples/*
+        - /usr/libexec/kselftests/*
+
+emptyrpm:
+    expected_empty:
+        - kernel
+        - kernel-debug
+        - kernel-debug-devel-matched
+        - kernel-devel-matched
+        - kernel-modules-extra-matched
+        - kernel-zfcpdump
+        - kernel-zfcpdump-devel-matched
+        - kernel-zfcpdump-modules
+        - kernel-zfcpdump-modules-extra
+        - kernel-zfcpdump-modules-internal
+        - kernel-zfcpdump-modules-partner
+        - kernel-rt
+        - kernel-rt-debug
+        - kernel-rt-debug-devel-matched
+        - kernel-rt-devel-matched
+        - kernel-64k
+        - kernel-64k-debug
+        - kernel-64k-debug-devel-matched
+        - kernel-64k-devel-matched
+        - kernel-rt-64k
+        - kernel-rt-64k-debug
+        - kernel-rt-64k-debug-devel-matched
+        - kernel-rt-64k-devel-matched
+        - kernel-tools-libs                 # empty on s390x
+
+patches:
+    ignore_list:
+        - linux-kernel-test.patch
+        - patch-6.12-redhat.patch
+        - patch-%{patchversion}-redhat.patch
+
+runpath:
+    ignore:
+        - /usr/libexec/kselftests/bpf/urandom_read
+        - /usr/libexec/kselftests/bpf/no_alu32/urandom_read
+        - /usr/libexec/kselftests/bpf/cpuv4/urandom_read
+
+debuginfo:
+    ignore:
+        - /usr/libexec/kselftests/bpf/*
+        - /usr/lib/debug/usr/libexec/perf-core/tests/shell/coresight/*
+
+elf:
+    ignore:
+        - /usr/libexec/kselftests/*
+        - /usr/libexec/perf-core/tests/shell/coresight/*
+        - /usr/lib/debug/usr/libexec/perf-core/tests/shell/coresight/*
+
+annocheck:
+    ignore:
+        - /usr/libexec/kselftests/*
+        - /lib/modules/*/vmlinuz
+        - /lib/modules/*/vdso/*
+        - /usr/libexec/ksamples/*

sources

@@ -0,0 +1,3 @@
+SHA512 (linux-6.12.0-201.1.el10nv.tar.xz) = 2be550872463f914d8ba4b77c922853def4789cf0921a1530238da33509cc66dfba72047d50d898c9948b75b49b480fbd9c732064fc0b1e06ebbfbdab11fa70e
+SHA512 (kernel-abi-stablelists-6.12.0-201.1.el10nv.tar.xz) = f098301b7be10ea7b806e6773f752170cef18ac83bec4c69b1d8060b8f162b5ed5c03e5b0c3b55838be676f3b40d3f5ba90b6e6ff6677fa1f0795572c991a841
+SHA512 (kernel-kabi-dw-6.12.0-201.1.el10nv.tar.xz) = 192d6bec19b289b210dfc6b95c8f4f2be58703b748954b914e56b0b1c88327c77dd29239a9e0761f0eb138304ac5b134ec4a878b2e2f9272017fc223abe4563e

uki-addons.sbat.template

@@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+kernel-uki-virt-addons.@SBAT_SUFFIX,1,Red Hat,kernel-uki-virt-addons,@KVER,mailto:secalert@redhat.com

uki.sbat.template

@@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+kernel-uki-virt.@SBAT_SUFFIX,1,Red Hat,kernel-uki-virt,@KVER,mailto:secalert@redhat.com

uki_addons.json

@@ -0,0 +1,48 @@
+{
+    "common": {
+        "crashkernel-1536M.addon": [
+            "crashkernel=1536M\n"
+        ],
+        "crashkernel-192M.addon": [
+            "crashkernel=192M\n"
+        ],
+        "crashkernel-1G.addon": [
+            "crashkernel=1G\n"
+        ],
+        "crashkernel-256M.addon": [
+            "crashkernel=256M\n"
+        ],
+        "crashkernel-2G.addon": [
+            "crashkernel=2G\n"
+        ],
+        "crashkernel-512M.addon": [
+            "crashkernel=512M\n"
+        ],
+        "crashkernel-default.addon": [
+            "crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M\n"
+        ],
+        "debug.addon": [
+            "debug"
+        ],
+        "systemd-volatile-overlay.addon": [
+            "systemd.volatile=overlay"
+        ]
+    },
+    "virt": {
+        "common": {
+            "fips-disable.addon": [
+                "fips=0\n"
+            ],
+            "fips-enable.addon": [
+                "fips=1\n"
+            ]
+        },
+        "rhel": {
+            "aarch64": {
+                "crashkernel-default.addon": [
+                    "crashkernel=1G-4G:256M,4G-64G:320M,64G-:576M\n"
+                ]
+            }
+        }
+    }
+}

uki_create_addons.py

@@ -0,0 +1,136 @@
+#!/usr/bin/env python3
+#
+# This script inspects a given json proving a list of addons, and
+# creates an addon for each key/value pair matching the given uki, distro and
+# arch provided in input.
+#
+# Usage: python uki_create_addons.py input_json out_dir uki distro arch [sbat]
+#
+# This tool requires the systemd-ukify and systemd-boot packages.
+#
+# Addon file
+#-----------
+# Each addon terminates with .addon
+# Each addon contains only two types of lines:
+# Lines beginning with '#' are description and thus ignored
+# All other lines are command line to be added.
+# The name of the end resulting addon is taken from the json hierarchy.
+# For example, and addon in json['virt']['rhel']['x86_64']['hello.addon'] will
+# result in an UKI addon file generated in out_dir called
+# hello-virt.rhel.x86_64.addon.efi
+#
+# The common key, present in any sub-dict in the provided json (except the leaf dict)
+# is used as place for default addons when the same addon is not defined deep
+# in the hierarchy. For example, if we define test.addon (text: 'test1\n') in
+# json['common']['test.addon'] = ['test1\n'] and another test.addon (text: test2) in
+# json['virt']['common']['test.addon'] = ['test2'], any other uki except virt
+# will have a test.addon.efi with text "test1", and virt will have a
+# test.addon.efi with "test2"
+
+import os
+import sys
+import json
+import collections
+import subprocess
+
+
+UKIFY_PATH = '/usr/lib/systemd/ukify'
+
+def usage(err):
+    print(f'Usage: {os.path.basename(__file__)} input_json output_dir uki distro arch [sbat]')
+    print(f'Error:{err}')
+    sys.exit(1)
+
+def check_clean_arguments(input_json, out_dir):
+    # Remove end '/'
+    if out_dir[-1:] == '/':
+        out_dir = out_dir[:-1]
+    if not os.path.isfile(input_json):
+        usage(f'input_json {input_json} is not a file, or does not exist!')
+    if not os.path.isdir(out_dir):
+        usage(f'out_dir_dir {out_dir} is not a dir, or does not exist!')
+    return out_dir
+
+UKICmdlineAddon = collections.namedtuple('UKICmdlineAddon', ['name', 'cmdline'])
+uki_addons_list = []
+uki_addons = {}
+
+def parse_lines(lines):
+    cmdline = ''
+    for l in lines:
+        l = l.lstrip()
+        if not l:
+            continue
+        if l[0] == '#':
+            continue
+        cmdline += l.rstrip() + ' '
+    if cmdline == '':
+        return ''
+    return cmdline
+
+def parse_all_addons(in_obj):
+    for el in in_obj.keys():
+        # addon found: copy it in our global dict uki_addons
+        if el.endswith('.addon'):
+            uki_addons[el] = in_obj[el]
+
+def recursively_find_addons(in_obj, folder_list):
+    # end of recursion, leaf directory. Search all addons here
+    if len(folder_list) == 0:
+        parse_all_addons(in_obj)
+        return
+
+    # first, check for common folder
+    if 'common' in in_obj:
+        parse_all_addons(in_obj['common'])
+
+    # second, check if there is a match with the searched folder
+    if folder_list[0] in in_obj:
+        folder_next = in_obj[folder_list[0]]
+        folder_list = folder_list[1:]
+        recursively_find_addons(folder_next, folder_list)
+
+def parse_in_json(in_json, uki_name, distro, arch):
+    with open(in_json, 'r') as f:
+        in_obj = json.load(f)
+    recursively_find_addons(in_obj, [uki_name, distro, arch])
+
+    for addon_name, cmdline in uki_addons.items():
+        addon_name = addon_name.replace(".addon","")
+        addon_full_name = f'{addon_name}-{uki_name}.{distro}.{arch}.addon.efi'
+        cmdline = parse_lines(cmdline).rstrip()
+        if cmdline:
+            uki_addons_list.append(UKICmdlineAddon(addon_full_name, cmdline))
+
+def create_addons(out_dir, sbat):
+    for uki_addon in uki_addons_list:
+        out_path = os.path.join(out_dir, uki_addon.name)
+        cmd = [
+            f'{UKIFY_PATH}', 'build',
+            '--cmdline', uki_addon.cmdline,
+            '--output', out_path]
+        if sbat:
+            cmd.extend(['--sbat', sbat.rstrip()])
+
+        subprocess.check_call(cmd, text=True)
+
+if __name__ == "__main__":
+    argc = len(sys.argv) - 1
+    if argc < 5 or argc > 6:
+        usage('too few or too many parameters!')
+
+    input_json = sys.argv[1]
+    out_dir = sys.argv[2]
+    uki_name = sys.argv[3]
+    distro = sys.argv[4]
+    arch = sys.argv[5]
+
+    custom_sbat = None
+    if argc == 6:
+        custom_sbat = sys.argv[6]
+
+    out_dir = check_clean_arguments(input_json, out_dir)
+    parse_in_json(input_json, uki_name, distro, arch)
+    create_addons(out_dir, custom_sbat)
+
+

x509.genkey.centos

@@ -0,0 +1,16 @@
+[ req ]
+default_bits = 3072
+distinguished_name = req_distinguished_name
+prompt = no
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = The CentOS Project
+CN = CentOS Stream kernel signing key
+emailAddress = security@centos.org
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid

x509.genkey.rhel

@@ -0,0 +1,16 @@
+[ req ]
+default_bits = 3072
+distinguished_name = req_distinguished_name
+prompt = no
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = Red Hat
+CN = Red Hat Enterprise Linux kernel signing key
+emailAddress = secalert@redhat.com
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid