diff --git a/Makefile.rhelver b/Makefile.rhelver index d10b029e7..643218169 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 0 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 4 +RHEL_RELEASE = 5 # # Early y+1 numbering diff --git a/kernel-aarch64-debug-rhel.config b/kernel-aarch64-debug-rhel.config index e06034914..e8faf7f04 100644 --- a/kernel-aarch64-debug-rhel.config +++ b/kernel-aarch64-debug-rhel.config @@ -472,9 +472,9 @@ CONFIG_BIG_KEYS=y CONFIG_BINFMT_ELF=y CONFIG_BINFMT_MISC=m CONFIG_BINFMT_SCRIPT=y -# CONFIG_BLK_CGROUP_FC_APPID is not set +CONFIG_BLK_CGROUP_FC_APPID=y # CONFIG_BLK_CGROUP_IOCOST is not set -# CONFIG_BLK_CGROUP_IOLATENCY is not set +CONFIG_BLK_CGROUP_IOLATENCY=y # CONFIG_BLK_CGROUP_IOPRIO is not set CONFIG_BLK_CGROUP=y # CONFIG_BLK_CMDLINE_PARSER is not set @@ -3805,7 +3805,7 @@ CONFIG_NFSD_SCSILAYOUT=y CONFIG_NFSD_V2_ACL=y CONFIG_NFSD_V3_ACL=y CONFIG_NFSD_V3=y -# CONFIG_NFSD_V4_2_INTER_SSC is not set +CONFIG_NFSD_V4_2_INTER_SSC=y CONFIG_NFSD_V4_SECURITY_LABEL=y CONFIG_NFSD_V4=y CONFIG_NFS_FSCACHE=y @@ -5904,7 +5904,7 @@ CONFIG_SQUASHFS=m CONFIG_SQUASHFS_XATTR=y CONFIG_SQUASHFS_XZ=y CONFIG_SQUASHFS_ZLIB=y -# CONFIG_SQUASHFS_ZSTD is not set +CONFIG_SQUASHFS_ZSTD=y # CONFIG_SRAM is not set # CONFIG_SRF04 is not set # CONFIG_SRF08 is not set @@ -5973,7 +5973,7 @@ CONFIG_SYSCTL=y # CONFIG_SYS_HYPERVISOR is not set # CONFIG_SYSTEM76_ACPI is not set CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set # CONFIG_SYSTEMPORT is not set # CONFIG_SYSTEM_REVOCATION_KEYS is not set diff --git a/kernel-aarch64-rhel.config b/kernel-aarch64-rhel.config index b27ac73d4..c56d5ed0d 100644 --- a/kernel-aarch64-rhel.config +++ b/kernel-aarch64-rhel.config @@ -472,9 +472,9 @@ CONFIG_BIG_KEYS=y CONFIG_BINFMT_ELF=y CONFIG_BINFMT_MISC=m CONFIG_BINFMT_SCRIPT=y -# CONFIG_BLK_CGROUP_FC_APPID is not set +CONFIG_BLK_CGROUP_FC_APPID=y # CONFIG_BLK_CGROUP_IOCOST is not set -# CONFIG_BLK_CGROUP_IOLATENCY is not set +CONFIG_BLK_CGROUP_IOLATENCY=y # CONFIG_BLK_CGROUP_IOPRIO is not set CONFIG_BLK_CGROUP=y # CONFIG_BLK_CMDLINE_PARSER is not set @@ -3785,7 +3785,7 @@ CONFIG_NFSD_SCSILAYOUT=y CONFIG_NFSD_V2_ACL=y CONFIG_NFSD_V3_ACL=y CONFIG_NFSD_V3=y -# CONFIG_NFSD_V4_2_INTER_SSC is not set +CONFIG_NFSD_V4_2_INTER_SSC=y CONFIG_NFSD_V4_SECURITY_LABEL=y CONFIG_NFSD_V4=y CONFIG_NFS_FSCACHE=y @@ -5881,7 +5881,7 @@ CONFIG_SQUASHFS=m CONFIG_SQUASHFS_XATTR=y CONFIG_SQUASHFS_XZ=y CONFIG_SQUASHFS_ZLIB=y -# CONFIG_SQUASHFS_ZSTD is not set +CONFIG_SQUASHFS_ZSTD=y # CONFIG_SRAM is not set # CONFIG_SRF04 is not set # CONFIG_SRF08 is not set @@ -5950,7 +5950,7 @@ CONFIG_SYSCTL=y # CONFIG_SYS_HYPERVISOR is not set # CONFIG_SYSTEM76_ACPI is not set CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set # CONFIG_SYSTEMPORT is not set # CONFIG_SYSTEM_REVOCATION_KEYS is not set diff --git a/kernel-ppc64le-debug-rhel.config b/kernel-ppc64le-debug-rhel.config index cda427dac..69e49df16 100644 --- a/kernel-ppc64le-debug-rhel.config +++ b/kernel-ppc64le-debug-rhel.config @@ -354,9 +354,9 @@ CONFIG_BIG_KEYS=y CONFIG_BINFMT_ELF=y CONFIG_BINFMT_MISC=m CONFIG_BINFMT_SCRIPT=y -# CONFIG_BLK_CGROUP_FC_APPID is not set +CONFIG_BLK_CGROUP_FC_APPID=y # CONFIG_BLK_CGROUP_IOCOST is not set -# CONFIG_BLK_CGROUP_IOLATENCY is not set +CONFIG_BLK_CGROUP_IOLATENCY=y # CONFIG_BLK_CGROUP_IOPRIO is not set CONFIG_BLK_CGROUP=y # CONFIG_BLK_CMDLINE_PARSER is not set @@ -3614,7 +3614,7 @@ CONFIG_NFSD_PNFS=y CONFIG_NFSD_SCSILAYOUT=y CONFIG_NFSD_V3_ACL=y CONFIG_NFSD_V3=y -# CONFIG_NFSD_V4_2_INTER_SSC is not set +CONFIG_NFSD_V4_2_INTER_SSC=y CONFIG_NFSD_V4_SECURITY_LABEL=y CONFIG_NFSD_V4=y CONFIG_NFS_FSCACHE=y @@ -5678,7 +5678,7 @@ CONFIG_SQUASHFS=m CONFIG_SQUASHFS_XATTR=y CONFIG_SQUASHFS_XZ=y CONFIG_SQUASHFS_ZLIB=y -# CONFIG_SQUASHFS_ZSTD is not set +CONFIG_SQUASHFS_ZSTD=y # CONFIG_SRAM is not set # CONFIG_SRF04 is not set # CONFIG_SRF08 is not set @@ -5737,7 +5737,7 @@ CONFIG_SYSCTL=y # CONFIG_SYSFS_DEPRECATED is not set # CONFIG_SYSTEM76_ACPI is not set CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y # CONFIG_SYSTEMPORT is not set diff --git a/kernel-ppc64le-rhel.config b/kernel-ppc64le-rhel.config index 9373a536c..eeada00c3 100644 --- a/kernel-ppc64le-rhel.config +++ b/kernel-ppc64le-rhel.config @@ -354,9 +354,9 @@ CONFIG_BIG_KEYS=y CONFIG_BINFMT_ELF=y CONFIG_BINFMT_MISC=m CONFIG_BINFMT_SCRIPT=y -# CONFIG_BLK_CGROUP_FC_APPID is not set +CONFIG_BLK_CGROUP_FC_APPID=y # CONFIG_BLK_CGROUP_IOCOST is not set -# CONFIG_BLK_CGROUP_IOLATENCY is not set +CONFIG_BLK_CGROUP_IOLATENCY=y # CONFIG_BLK_CGROUP_IOPRIO is not set CONFIG_BLK_CGROUP=y # CONFIG_BLK_CMDLINE_PARSER is not set @@ -3597,7 +3597,7 @@ CONFIG_NFSD_PNFS=y CONFIG_NFSD_SCSILAYOUT=y CONFIG_NFSD_V3_ACL=y CONFIG_NFSD_V3=y -# CONFIG_NFSD_V4_2_INTER_SSC is not set +CONFIG_NFSD_V4_2_INTER_SSC=y CONFIG_NFSD_V4_SECURITY_LABEL=y CONFIG_NFSD_V4=y CONFIG_NFS_FSCACHE=y @@ -5659,7 +5659,7 @@ CONFIG_SQUASHFS=m CONFIG_SQUASHFS_XATTR=y CONFIG_SQUASHFS_XZ=y CONFIG_SQUASHFS_ZLIB=y -# CONFIG_SQUASHFS_ZSTD is not set +CONFIG_SQUASHFS_ZSTD=y # CONFIG_SRAM is not set # CONFIG_SRF04 is not set # CONFIG_SRF08 is not set @@ -5718,7 +5718,7 @@ CONFIG_SYSCTL=y # CONFIG_SYSFS_DEPRECATED is not set # CONFIG_SYSTEM76_ACPI is not set CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y # CONFIG_SYSTEMPORT is not set diff --git a/kernel-s390x-debug-fedora.config b/kernel-s390x-debug-fedora.config index 3ed048134..ced205d53 100644 --- a/kernel-s390x-debug-fedora.config +++ b/kernel-s390x-debug-fedora.config @@ -5441,6 +5441,7 @@ CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # CONFIG_SI1145 is not set # CONFIG_SI7005 is not set # CONFIG_SI7020 is not set +CONFIG_SIGNATURE=y CONFIG_SIGNED_PE_FILE_VERIFICATION=y # CONFIG_SIMPLE_PM_BUS is not set # CONFIG_SIOX is not set @@ -6239,6 +6240,7 @@ CONFIG_SYSCTL=y # CONFIG_SYSTEM76_ACPI is not set CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y # CONFIG_SYSTEMPORT is not set diff --git a/kernel-s390x-debug-rhel.config b/kernel-s390x-debug-rhel.config index 8dafc671c..5d96f4f19 100644 --- a/kernel-s390x-debug-rhel.config +++ b/kernel-s390x-debug-rhel.config @@ -354,9 +354,9 @@ CONFIG_BIG_KEYS=y CONFIG_BINFMT_ELF=y CONFIG_BINFMT_MISC=m CONFIG_BINFMT_SCRIPT=y -# CONFIG_BLK_CGROUP_FC_APPID is not set +CONFIG_BLK_CGROUP_FC_APPID=y # CONFIG_BLK_CGROUP_IOCOST is not set -# CONFIG_BLK_CGROUP_IOLATENCY is not set +CONFIG_BLK_CGROUP_IOLATENCY=y # CONFIG_BLK_CGROUP_IOPRIO is not set CONFIG_BLK_CGROUP=y # CONFIG_BLK_CMDLINE_PARSER is not set @@ -3594,7 +3594,7 @@ CONFIG_NFSD_PNFS=y CONFIG_NFSD_SCSILAYOUT=y CONFIG_NFSD_V3_ACL=y CONFIG_NFSD_V3=y -# CONFIG_NFSD_V4_2_INTER_SSC is not set +CONFIG_NFSD_V4_2_INTER_SSC=y CONFIG_NFSD_V4_SECURITY_LABEL=y CONFIG_NFSD_V4=y CONFIG_NFS_FSCACHE=y @@ -4930,6 +4930,7 @@ CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # CONFIG_SI1145 is not set # CONFIG_SI7005 is not set # CONFIG_SI7020 is not set +CONFIG_SIGNATURE=y # CONFIG_SIGNED_PE_FILE_VERIFICATION is not set # CONFIG_SIMPLE_PM_BUS is not set # CONFIG_SIOX is not set @@ -5624,7 +5625,7 @@ CONFIG_SQUASHFS=m CONFIG_SQUASHFS_XATTR=y CONFIG_SQUASHFS_XZ=y CONFIG_SQUASHFS_ZLIB=y -# CONFIG_SQUASHFS_ZSTD is not set +CONFIG_SQUASHFS_ZSTD=y # CONFIG_SRAM is not set # CONFIG_SRF04 is not set # CONFIG_SRF08 is not set @@ -5683,7 +5684,8 @@ CONFIG_SYSCTL=y # CONFIG_SYSFS_DEPRECATED is not set # CONFIG_SYSTEM76_ACPI is not set CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSTEM_DATA_VERIFICATION=y # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set # CONFIG_SYSTEMPORT is not set # CONFIG_SYSTEM_REVOCATION_KEYS is not set diff --git a/kernel-s390x-fedora.config b/kernel-s390x-fedora.config index a421b0de0..0ed03eae7 100644 --- a/kernel-s390x-fedora.config +++ b/kernel-s390x-fedora.config @@ -5418,6 +5418,7 @@ CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # CONFIG_SI1145 is not set # CONFIG_SI7005 is not set # CONFIG_SI7020 is not set +CONFIG_SIGNATURE=y CONFIG_SIGNED_PE_FILE_VERIFICATION=y # CONFIG_SIMPLE_PM_BUS is not set # CONFIG_SIOX is not set @@ -6214,6 +6215,7 @@ CONFIG_SYSCTL=y # CONFIG_SYSTEM76_ACPI is not set CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y # CONFIG_SYSTEMPORT is not set diff --git a/kernel-s390x-rhel.config b/kernel-s390x-rhel.config index bcd81f508..2b452f251 100644 --- a/kernel-s390x-rhel.config +++ b/kernel-s390x-rhel.config @@ -354,9 +354,9 @@ CONFIG_BIG_KEYS=y CONFIG_BINFMT_ELF=y CONFIG_BINFMT_MISC=m CONFIG_BINFMT_SCRIPT=y -# CONFIG_BLK_CGROUP_FC_APPID is not set +CONFIG_BLK_CGROUP_FC_APPID=y # CONFIG_BLK_CGROUP_IOCOST is not set -# CONFIG_BLK_CGROUP_IOLATENCY is not set +CONFIG_BLK_CGROUP_IOLATENCY=y # CONFIG_BLK_CGROUP_IOPRIO is not set CONFIG_BLK_CGROUP=y # CONFIG_BLK_CMDLINE_PARSER is not set @@ -3577,7 +3577,7 @@ CONFIG_NFSD_PNFS=y CONFIG_NFSD_SCSILAYOUT=y CONFIG_NFSD_V3_ACL=y CONFIG_NFSD_V3=y -# CONFIG_NFSD_V4_2_INTER_SSC is not set +CONFIG_NFSD_V4_2_INTER_SSC=y CONFIG_NFSD_V4_SECURITY_LABEL=y CONFIG_NFSD_V4=y CONFIG_NFS_FSCACHE=y @@ -4913,6 +4913,7 @@ CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # CONFIG_SI1145 is not set # CONFIG_SI7005 is not set # CONFIG_SI7020 is not set +CONFIG_SIGNATURE=y # CONFIG_SIGNED_PE_FILE_VERIFICATION is not set # CONFIG_SIMPLE_PM_BUS is not set # CONFIG_SIOX is not set @@ -5605,7 +5606,7 @@ CONFIG_SQUASHFS=m CONFIG_SQUASHFS_XATTR=y CONFIG_SQUASHFS_XZ=y CONFIG_SQUASHFS_ZLIB=y -# CONFIG_SQUASHFS_ZSTD is not set +CONFIG_SQUASHFS_ZSTD=y # CONFIG_SRAM is not set # CONFIG_SRF04 is not set # CONFIG_SRF08 is not set @@ -5664,7 +5665,8 @@ CONFIG_SYSCTL=y # CONFIG_SYSFS_DEPRECATED is not set # CONFIG_SYSTEM76_ACPI is not set CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSTEM_DATA_VERIFICATION=y # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set # CONFIG_SYSTEMPORT is not set # CONFIG_SYSTEM_REVOCATION_KEYS is not set diff --git a/kernel-s390x-zfcpdump-rhel.config b/kernel-s390x-zfcpdump-rhel.config index 966946b34..9d4f2a605 100644 --- a/kernel-s390x-zfcpdump-rhel.config +++ b/kernel-s390x-zfcpdump-rhel.config @@ -358,9 +358,9 @@ CONFIG_BIG_KEYS=y CONFIG_BINFMT_ELF=y # CONFIG_BINFMT_MISC is not set CONFIG_BINFMT_SCRIPT=y -# CONFIG_BLK_CGROUP_FC_APPID is not set +CONFIG_BLK_CGROUP_FC_APPID=y # CONFIG_BLK_CGROUP_IOCOST is not set -# CONFIG_BLK_CGROUP_IOLATENCY is not set +CONFIG_BLK_CGROUP_IOLATENCY=y # CONFIG_BLK_CGROUP_IOPRIO is not set CONFIG_BLK_CGROUP=y # CONFIG_BLK_CMDLINE_PARSER is not set @@ -2204,10 +2204,10 @@ CONFIG_INPUT_UINPUT=m CONFIG_INPUT=y CONFIG_INPUT_YEALINK=m # CONFIG_INT3406_THERMAL is not set -CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +# CONFIG_INTEGRITY_ASYMMETRIC_KEYS is not set CONFIG_INTEGRITY_AUDIT=y -CONFIG_INTEGRITY_PLATFORM_KEYRING=y -CONFIG_INTEGRITY_SIGNATURE=y +# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set +# CONFIG_INTEGRITY_SIGNATURE is not set CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y # CONFIG_INTEL_ATOMISP2_PM is not set @@ -2520,7 +2520,7 @@ CONFIG_KERNEL_HEADER_TEST=y # CONFIG_KERNEL_ZSTD is not set CONFIG_KEXEC_FILE=y # CONFIG_KEXEC_SIG_FORCE is not set -CONFIG_KEXEC_SIG=y +# CONFIG_KEXEC_SIG is not set CONFIG_KEXEC=y # CONFIG_KEYBOARD_ADC is not set # CONFIG_KEYBOARD_ADP5588 is not set @@ -2700,7 +2700,7 @@ CONFIG_LIVEPATCH=y CONFIG_LLC=m # CONFIG_LMK04832 is not set # CONFIG_LMP91000 is not set -CONFIG_LOAD_IPL_KEYS=y +# CONFIG_LOAD_IPL_KEYS is not set CONFIG_LOCALVERSION="" CONFIG_LOCALVERSION_AUTO=y CONFIG_LOCKDEP_BITS=16 @@ -3599,7 +3599,7 @@ CONFIG_NFSD_PNFS=y CONFIG_NFSD_SCSILAYOUT=y CONFIG_NFSD_V3_ACL=y CONFIG_NFSD_V3=y -# CONFIG_NFSD_V4_2_INTER_SSC is not set +CONFIG_NFSD_V4_2_INTER_SSC=y CONFIG_NFSD_V4_SECURITY_LABEL=y CONFIG_NFSD_V4=y CONFIG_NFS_FSCACHE=y @@ -4941,6 +4941,7 @@ CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # CONFIG_SI1145 is not set # CONFIG_SI7005 is not set # CONFIG_SI7020 is not set +# CONFIG_SIGNATURE is not set # CONFIG_SIGNED_PE_FILE_VERIFICATION is not set # CONFIG_SIMPLE_PM_BUS is not set # CONFIG_SIOX is not set @@ -5634,7 +5635,7 @@ CONFIG_SQUASHFS_LZO=y CONFIG_SQUASHFS_XATTR=y CONFIG_SQUASHFS_XZ=y CONFIG_SQUASHFS_ZLIB=y -# CONFIG_SQUASHFS_ZSTD is not set +CONFIG_SQUASHFS_ZSTD=y # CONFIG_SRAM is not set # CONFIG_SRF04 is not set # CONFIG_SRF08 is not set @@ -5698,6 +5699,7 @@ CONFIG_SYSFS=y # CONFIG_SYSTEM76_ACPI is not set CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +# CONFIG_SYSTEM_DATA_VERIFICATION is not set # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set # CONFIG_SYSTEMPORT is not set # CONFIG_SYSTEM_REVOCATION_KEYS is not set diff --git a/kernel-x86_64-debug-rhel.config b/kernel-x86_64-debug-rhel.config index daa3a2255..1fd03ba70 100644 --- a/kernel-x86_64-debug-rhel.config +++ b/kernel-x86_64-debug-rhel.config @@ -382,9 +382,9 @@ CONFIG_BIG_KEYS=y CONFIG_BINFMT_ELF=y CONFIG_BINFMT_MISC=m CONFIG_BINFMT_SCRIPT=y -# CONFIG_BLK_CGROUP_FC_APPID is not set +CONFIG_BLK_CGROUP_FC_APPID=y # CONFIG_BLK_CGROUP_IOCOST is not set -# CONFIG_BLK_CGROUP_IOLATENCY is not set +CONFIG_BLK_CGROUP_IOLATENCY=y # CONFIG_BLK_CGROUP_IOPRIO is not set CONFIG_BLK_CGROUP=y # CONFIG_BLK_CMDLINE_PARSER is not set @@ -3809,7 +3809,7 @@ CONFIG_NFSD_PNFS=y CONFIG_NFSD_SCSILAYOUT=y CONFIG_NFSD_V3_ACL=y CONFIG_NFSD_V3=y -# CONFIG_NFSD_V4_2_INTER_SSC is not set +CONFIG_NFSD_V4_2_INTER_SSC=y CONFIG_NFSD_V4_SECURITY_LABEL=y CONFIG_NFSD_V4=y CONFIG_NFS_FSCACHE=y @@ -5868,7 +5868,7 @@ CONFIG_SQUASHFS=m CONFIG_SQUASHFS_XATTR=y CONFIG_SQUASHFS_XZ=y CONFIG_SQUASHFS_ZLIB=y -# CONFIG_SQUASHFS_ZSTD is not set +CONFIG_SQUASHFS_ZSTD=y # CONFIG_SRAM is not set # CONFIG_SRF04 is not set # CONFIG_SRF08 is not set @@ -5939,7 +5939,7 @@ CONFIG_SYSCTL=y # CONFIG_SYSFS_DEPRECATED is not set # CONFIG_SYSTEM76_ACPI is not set CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set # CONFIG_SYSTEMPORT is not set # CONFIG_SYSTEM_REVOCATION_KEYS is not set diff --git a/kernel-x86_64-rhel.config b/kernel-x86_64-rhel.config index cefe578b2..753b9be55 100644 --- a/kernel-x86_64-rhel.config +++ b/kernel-x86_64-rhel.config @@ -382,9 +382,9 @@ CONFIG_BIG_KEYS=y CONFIG_BINFMT_ELF=y CONFIG_BINFMT_MISC=m CONFIG_BINFMT_SCRIPT=y -# CONFIG_BLK_CGROUP_FC_APPID is not set +CONFIG_BLK_CGROUP_FC_APPID=y # CONFIG_BLK_CGROUP_IOCOST is not set -# CONFIG_BLK_CGROUP_IOLATENCY is not set +CONFIG_BLK_CGROUP_IOLATENCY=y # CONFIG_BLK_CGROUP_IOPRIO is not set CONFIG_BLK_CGROUP=y # CONFIG_BLK_CMDLINE_PARSER is not set @@ -3790,7 +3790,7 @@ CONFIG_NFSD_PNFS=y CONFIG_NFSD_SCSILAYOUT=y CONFIG_NFSD_V3_ACL=y CONFIG_NFSD_V3=y -# CONFIG_NFSD_V4_2_INTER_SSC is not set +CONFIG_NFSD_V4_2_INTER_SSC=y CONFIG_NFSD_V4_SECURITY_LABEL=y CONFIG_NFSD_V4=y CONFIG_NFS_FSCACHE=y @@ -5846,7 +5846,7 @@ CONFIG_SQUASHFS=m CONFIG_SQUASHFS_XATTR=y CONFIG_SQUASHFS_XZ=y CONFIG_SQUASHFS_ZLIB=y -# CONFIG_SQUASHFS_ZSTD is not set +CONFIG_SQUASHFS_ZSTD=y # CONFIG_SRAM is not set # CONFIG_SRF04 is not set # CONFIG_SRF08 is not set @@ -5917,7 +5917,7 @@ CONFIG_SYSCTL=y # CONFIG_SYSFS_DEPRECATED is not set # CONFIG_SYSTEM76_ACPI is not set CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set # CONFIG_SYSTEMPORT is not set # CONFIG_SYSTEM_REVOCATION_KEYS is not set diff --git a/kernel.spec b/kernel.spec index e34b91541..9d5a2ec35 100755 --- a/kernel.spec +++ b/kernel.spec @@ -80,7 +80,7 @@ Summary: The Linux kernel # the --with-release option overrides this setting.) %define debugbuildsenabled 1 -%global distro_build 4 +%global distro_build 5 %if 0%{?fedora} %define secure_boot_arch x86_64 @@ -124,14 +124,13 @@ Summary: The Linux kernel %define kversion 5.14 %define rpmversion 5.14.0 -%define patchversion 5.14 -%define pkgrelease 4.el9 +%define pkgrelease 5.el9 # This is needed to do merge window version magic %define patchlevel 14 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 4%{?buildid}%{?dist} +%define specrelease 5%{?buildid}%{?dist} %define pkg_release %{specrelease} @@ -672,7 +671,7 @@ BuildRequires: lld # exact git commit you can run # # xzcat -qq ${TARBALL} | git get-tar-commit-id -Source0: linux-5.14.0-4.el9.tar.xz +Source0: linux-5.14.0-5.el9.tar.xz Source1: Makefile.rhelver @@ -691,43 +690,37 @@ Source9: x509.genkey.fedora %if %{?released_kernel} Source10: redhatsecurebootca5.cer -Source11: redhatsecurebootca1.cer -Source12: redhatsecureboot501.cer -Source13: redhatsecureboot301.cer -Source14: secureboot_s390.cer -Source15: secureboot_ppc.cer +Source11: redhatsecurebootca3.cer +Source12: redhatsecurebootca6.cer +Source13: redhatsecureboot501.cer +Source14: redhatsecureboot302.cer +Source15: redhatsecureboot601.cer -%define secureboot_ca_1 %{SOURCE10} -%define secureboot_ca_0 %{SOURCE11} %ifarch x86_64 aarch64 -%define secureboot_key_1 %{SOURCE12} -%define pesign_name_1 redhatsecureboot501 +%define secureboot_ca_0 %{SOURCE10} %define secureboot_key_0 %{SOURCE13} -%define pesign_name_0 redhatsecureboot301 +%define pesign_name_0 redhatsecureboot501 %endif %ifarch s390x +%define secureboot_ca_0 %{SOURCE11} %define secureboot_key_0 %{SOURCE14} %define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le +%define secureboot_ca_0 %{SOURCE12} %define secureboot_key_0 %{SOURCE15} -%define pesign_name_0 redhatsecureboot303 +%define pesign_name_0 redhatsecureboot601 %endif # released_kernel %else Source10: redhatsecurebootca4.cer -Source11: redhatsecurebootca2.cer -Source12: redhatsecureboot401.cer -Source13: redhatsecureboot003.cer +Source11: redhatsecureboot401.cer -%define secureboot_ca_1 %{SOURCE10} -%define secureboot_ca_0 %{SOURCE11} -%define secureboot_key_1 %{SOURCE12} -%define pesign_name_1 redhatsecureboot401 -%define secureboot_key_0 %{SOURCE13} -%define pesign_name_0 redhatsecureboot003 +%define secureboot_ca_0 %{SOURCE10} +%define secureboot_key_0 %{SOURCE11} +%define pesign_name_0 redhatsecureboot401 # released_kernel %endif @@ -827,7 +820,7 @@ Source4002: gating.yaml %if !%{nopatches} -Patch1: patch-%{patchversion}-redhat.patch +Patch1: patch-%{rpmversion}-redhat.patch %endif # empty final patch to facilitate testing of kernel patches @@ -1357,15 +1350,15 @@ ApplyOptionalPatch() fi } -%setup -q -n kernel-5.14.0-4.el9 -c -mv linux-5.14.0-4.el9 linux-%{KVERREL} +%setup -q -n kernel-5.14.0-5.el9 -c +mv linux-5.14.0-5.el9 linux-%{KVERREL} cd linux-%{KVERREL} cp -a %{SOURCE1} . %if !%{nopatches} -ApplyOptionalPatch patch-%{patchversion}-redhat.patch +ApplyOptionalPatch patch-%{rpmversion}-redhat.patch %endif ApplyOptionalPatch linux-kernel-test.patch @@ -1630,10 +1623,15 @@ BuildKernel() { fi %ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} - %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} - rm vmlinuz.tmp + if [ -x /usr/bin/rpm-sign ]; then + %define _rhel 9 + %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} + %undefine _rhel + else + %pesign -s -i $SignImage -o vmlinuz.signed + fi %endif + %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed @@ -2097,13 +2095,7 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - %ifarch x86_64 aarch64 - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer - install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer - ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - %else - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - %endif + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %ifarch s390x ppc64le if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then @@ -2957,6 +2949,34 @@ fi # # %changelog +* Thu Sep 30 2021 Herton R. Krzesinski [5.14.0-5.el9] +- redhat/configs: enable CONFIG_SQUASHFS_ZSTD which is already enabled in Fedora 34 (Tao Liu) [1998953] +- fs: dlm: fix return -EINTR on recovery stopped (Alexander Aring) [2004213] +- redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 (Jan Stancek) [2002499] +- redhat: define _rhel variable because pesign macro now needs it (Jan Stancek) [2002499] +- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Jan Stancek) [1994849] +- redhat: correct file name of redhatsecurebootca1 (Jan Stancek) [2002499] +- redhat: align file names with names of signing keys for ppc and s390 (Jan Stancek) [2002499] +- redhat: restore sublevel in changelog (Jan Stancek) +- fs: dlm: avoid comms shutdown delay in release_lockspace (Alexander Aring) [1994749] +- redhat/configs: Enable CONFIG_BLK_CGROUP_IOLATENCY & CONFIG_BLK_CGROUP_FC_APPID (Waiman Long) [1996675] +- redhat/configs: remove conflicting SYSTEM_BLACKLIST_KEYRING (Bruno Meneguele) [2002350] +- Enable "inter server to server" NFSv4.2 COPY (Steve Dickson) [1487367] + +* Wed Sep 29 2021 Jan Stancek [5.14.0-1.5.1.el9] +- fs: dlm: fix return -EINTR on recovery stopped (Alexander Aring) [2004213] +- redhat/configs: Update configs for secure IPL (Claudio Imbrenda) [1976884] +- redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 (Jan Stancek) [2002499] +- redhat: define _rhel variable because pesign macro now needs it (Jan Stancek) [2002499] +- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Jan Stancek) [1994849] +- redhat: correct file name of redhatsecurebootca1 (Jan Stancek) [2002499] +- redhat: align file names with names of signing keys for ppc and s390 (Jan Stancek) [2002499] + +* Mon Sep 27 2021 Jan Stancek [5.14.0-1.4.1.el9] +- redhat: restore sublevel in changelog (Jan Stancek) +- fs: dlm: avoid comms shutdown delay in release_lockspace (Alexander Aring) [1994749] +- redhat/configs: Enable CONFIG_BLK_CGROUP_IOLATENCY & CONFIG_BLK_CGROUP_FC_APPID (Waiman Long) [1996675] + * Wed Sep 22 2021 Herton R. Krzesinski [5.14-4.el9] - Drivers: hv: vmbus: Fix kernel crash upon unbinding a device from uio_hv_generic driver (Vitaly Kuznetsov) [1999535] - ipc: replace costly bailout check in sysvipc_find_ipc() (Rafael Aquini) [1987130 2003270] {CVE-2021-3669} @@ -2978,6 +2998,10 @@ fi - iscsi_ibft: fix crash due to KASLR physical memory remapping (Maurizio Lombardi) [1963801] - redhat: fix chronological order in the changelog file (Herton R. Krzesinski) +* Wed Sep 22 2021 Jan Stancek [5.14.0-1.3.1.el9] +- redhat/configs: remove conflicting SYSTEM_BLACKLIST_KEYRING (Bruno Meneguele) [2002350] +- Enable "inter server to server" NFSv4.2 COPY (Steve Dickson) [1487367] + * Fri Sep 17 2021 Jan Stancek [5.14-1.2.1.el9] - redhat/configs: Disable CONFIG_DRM_VMWGFX on aarch64 (Michel Dänzer) [1996993] - redhat: set USE_DIST_IN_SOURCE=1 for 9.0-beta (Jan Stancek) diff --git a/patch-5.14-redhat.patch b/patch-5.14.0-redhat.patch similarity index 100% rename from patch-5.14-redhat.patch rename to patch-5.14.0-redhat.patch diff --git a/redhatsecureboot003.cer b/redhatsecureboot003.cer deleted file mode 100644 index 439b75bf3..000000000 Binary files a/redhatsecureboot003.cer and /dev/null differ diff --git a/redhatsecurebootca2.cer b/redhatsecurebootca2.cer deleted file mode 100644 index 43502d6bc..000000000 Binary files a/redhatsecurebootca2.cer and /dev/null differ diff --git a/sources b/sources index 464797274..8c97d774f 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (linux-5.14.0-4.el9.tar.xz) = 2bf87587f2b34b45810a302612aaef4cafabadf7ccfa7f72e6138478fad2ad592dd8e9b05aaddd243e69ffe1ca00647457e8821961ec6b3fc6d4ace4a6a8b9fe -SHA512 (kernel-abi-stablelists-5.14.0-4.tar.bz2) = 47b22d9da477485be1720e5f99c87591c9090995dbece8ceac662977e5369c098ae85097b8123649447dc85a0ed45d411f2f0f9b7c768792aa7efbcbf4fbb853 -SHA512 (kernel-kabi-dw-5.14.0-4.tar.bz2) = d0bbe8ad38fb6253c42a9ad575ba82894d903edfe3ddce1a941e99936ad7dd19e964270d27a499c0ba5fe07aedf334b30577ffd3a193c828cdf7b5c34eec684f +SHA512 (linux-5.14.0-5.el9.tar.xz) = b46c10da644b7ba178bd3a9170b269b54f07a02714b8122fbc64062c4f8bc4357babb6ba332acf636628d90e45e06ead5ede93bf0b65622c6b37e78c4a3cccba +SHA512 (kernel-abi-stablelists-5.14.0-5.tar.bz2) = fa79fb864468573e328de8051be6b2f4311183e7c297f6b4470f7842f9cc12dcd77711016dc946e9bf3675ce98a1adaaa169491782faee90e672466220862e53 +SHA512 (kernel-kabi-dw-5.14.0-5.tar.bz2) = dcdc38306e55d242b798924dd00460fc80483e2fd64861236f801671ba8281e7cabf7bdf7a8ae4272aa7ac37c391859f2145fb62265f5476a80a15be03df01e3