Import OL kernel-6.12.0-124.20.1.el10_1

.gitignore

@@ -1,7 +1,7 @@
 fedoraimaca.x509
-kernel-abi-stablelists-6.12.0-124.16.1.el10_1.tar.xz
-kernel-kabi-dw-6.12.0-124.16.1.el10_1.tar.xz
-linux-6.12.0-124.16.1.el10_1.tar.xz
+kernel-abi-stablelists-6.12.0-124.20.1.el10_1.tar.xz
+kernel-kabi-dw-6.12.0-124.20.1.el10_1.tar.xz
+linux-6.12.0-124.20.1.el10_1.tar.xz
 nvidiagpuoot001.x509
 redhatsecureboot501.cer
 redhatsecureboot504.cer

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 1
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 124.16.1
+RHEL_RELEASE = 124.20.1
 
 #
 # RHEL_REBASE_NUM

kernel-aarch64-64k-debug-rhel.config

@@ -8409,6 +8409,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-aarch64-64k-rhel.config

@@ -8384,6 +8384,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-aarch64-debug-rhel.config

@@ -8405,6 +8405,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-aarch64-rhel.config

@@ -8380,6 +8380,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-aarch64-rt-64k-debug-rhel.config

@@ -8464,6 +8464,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-aarch64-rt-64k-rhel.config

@@ -8439,6 +8439,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-aarch64-rt-debug-rhel.config

@@ -8460,6 +8460,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-aarch64-rt-rhel.config

@@ -8435,6 +8435,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-ppc64le-debug-rhel.config

@@ -7836,6 +7836,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-ppc64le-rhel.config

@@ -7813,6 +7813,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-s390x-debug-rhel.config

@@ -7818,6 +7818,9 @@ CONFIG_ZCRYPT_MULTIDEVNODES=y
 CONFIG_ZFCP=m
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+# CONFIG_ZL3073X_I2C is not set
+# CONFIG_ZL3073X is not set
+# CONFIG_ZL3073X_SPI is not set
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-s390x-rhel.config

@@ -7795,6 +7795,9 @@ CONFIG_ZCRYPT_MULTIDEVNODES=y
 CONFIG_ZFCP=m
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+# CONFIG_ZL3073X_I2C is not set
+# CONFIG_ZL3073X is not set
+# CONFIG_ZL3073X_SPI is not set
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-s390x-zfcpdump-rhel.config

@@ -7817,6 +7817,9 @@ CONFIG_ZCRYPT_MULTIDEVNODES=y
 CONFIG_ZFCP=y
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+# CONFIG_ZL3073X_I2C is not set
+# CONFIG_ZL3073X is not set
+# CONFIG_ZL3073X_SPI is not set
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-x86_64-debug-rhel.config

@@ -2585,7 +2585,7 @@ CONFIG_I2C_MUX=m
 CONFIG_I2C_MUX_MLXCPLD=m
 # CONFIG_I2C_MUX_MULE is not set
 # CONFIG_I2C_MUX_PCA9541 is not set
-# CONFIG_I2C_MUX_PCA954x is not set
+CONFIG_I2C_MUX_PCA954x=m
 # CONFIG_I2C_MUX_REG is not set
 CONFIG_I2C_NFORCE2=m
 CONFIG_I2C_NFORCE2_S4985=m
@@ -8315,6 +8315,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-x86_64-rhel.config

@@ -2569,7 +2569,7 @@ CONFIG_I2C_MUX=m
 CONFIG_I2C_MUX_MLXCPLD=m
 # CONFIG_I2C_MUX_MULE is not set
 # CONFIG_I2C_MUX_PCA9541 is not set
-# CONFIG_I2C_MUX_PCA954x is not set
+CONFIG_I2C_MUX_PCA954x=m
 # CONFIG_I2C_MUX_REG is not set
 CONFIG_I2C_NFORCE2=m
 CONFIG_I2C_NFORCE2_S4985=m
@@ -8291,6 +8291,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-x86_64-rt-debug-rhel.config

@@ -2626,7 +2626,7 @@ CONFIG_I2C_MUX=m
 CONFIG_I2C_MUX_MLXCPLD=m
 # CONFIG_I2C_MUX_MULE is not set
 # CONFIG_I2C_MUX_PCA9541 is not set
-# CONFIG_I2C_MUX_PCA954x is not set
+CONFIG_I2C_MUX_PCA954x=m
 # CONFIG_I2C_MUX_REG is not set
 CONFIG_I2C_NFORCE2=m
 CONFIG_I2C_NFORCE2_S4985=m
@@ -8371,6 +8371,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel-x86_64-rt-rhel.config

@@ -2610,7 +2610,7 @@ CONFIG_I2C_MUX=m
 CONFIG_I2C_MUX_MLXCPLD=m
 # CONFIG_I2C_MUX_MULE is not set
 # CONFIG_I2C_MUX_PCA9541 is not set
-# CONFIG_I2C_MUX_PCA954x is not set
+CONFIG_I2C_MUX_PCA954x=m
 # CONFIG_I2C_MUX_REG is not set
 CONFIG_I2C_NFORCE2=m
 CONFIG_I2C_NFORCE2_S4985=m
@@ -8347,6 +8347,9 @@ CONFIG_ZBUD=y
 # CONFIG_ZEROPLUS_FF is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
 CONFIG_ZISOFS=y
+CONFIG_ZL3073X_I2C=m
+CONFIG_ZL3073X=m
+CONFIG_ZL3073X_SPI=m
 CONFIG_ZLIB_DEFLATE=y
 CONFIG_ZLIB_DFLTCC=y
 CONFIG_ZLIB_INFLATE=y

kernel.changelog

@@ -1,3 +1,71 @@
+* Tue Dec 02 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.20.1.el10_1]
+- iommu/vt-d: Disallow dirty tracking if incoherent page walk (CKI Backport Bot) [RHEL-125482] {CVE-2025-40058}
+- net/mlx5: fs, fix UAF in flow counter release (Michal Schmidt) [RHEL-124432] {CVE-2025-39979}
+- dpll: zl3073x: Fix output pin registration (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Handle missing or corrupted flash configuration (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Refactor DPLL initialization (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: ZL3073X_I2C and ZL3073X_SPI should depend on NET (Ivan Vecera) [RHEL-114795]
+- dpll: Make ZL3073X invisible (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Fix build failure (Ivan Vecera) [RHEL-114795]
+- redhat/configs: enable CONFIG_ZL3073X* (Ivan Vecera) [RHEL-114795]
+- redhat/configs: enable CONFIG_I2C_MUX_PCA954x on x86 (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get fractional frequency offset (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to adjust phase (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Implement phase offset monitor feature (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get phase offset on connected input pin (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get/set esync on pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get/set frequency on pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Implement input pin state setting in automatic mode (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get/set priority on input pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Implement input pin selection in manual mode (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Register DPLL devices and pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Read DPLL types and pin properties from system firmware (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Fetch invariants during probe (Ivan Vecera) [RHEL-114795]
+- dpll: Add basic Microchip ZL3073x support (Ivan Vecera) [RHEL-114795]
+- dt-bindings: dpll: Add support for Microchip Azurite chip family (Ivan Vecera) [RHEL-114795]
+- dt-bindings: dpll: Add DPLL device and pin (Ivan Vecera) [RHEL-114795]
+- idpf: set mac type when adding and removing MAC filters (CKI Backport Bot) [RHEL-123372]
+- crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Fix SNP panic notifier unregistration (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Fix dereferencing uninitialized error pointer (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Fix __sev_snp_shutdown_locked (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Move SEV/SNP Platform initialization to KVM (Lenny Szubowicz) [RHEL-76557]
+- KVM: SVM: Add support to initialize SEV/SNP functionality in KVM (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Add new SEV/SNP platform shutdown API (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Register SNP panic notifier only if SNP is enabled (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Reset TMR size at SNP Shutdown (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Abort doing SEV INIT if SNP INIT fails (Lenny Szubowicz) [RHEL-76557]
+- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114448]
+- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114448]
+Resolves: RHEL-114448, RHEL-114795, RHEL-123372, RHEL-124432, RHEL-125482, RHEL-76557
+
+* Sat Nov 29 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.19.1.el10_1]
+- Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Fix sparse errors (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Fix possible UAFs (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: hci_sync: fix set_local_name race condition (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: set_mesh: update LE scan interval and window (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Protect mgmt_pending list with its own lock (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue (CKI Backport Bot) [RHEL-124134] {CVE-2025-39983}
+- can: j1939: add missing calls in NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124110] {CVE-2025-39925}
+- can: j1939: implement NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124110] {CVE-2025-39925}
+- Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync (CKI Backport Bot) [RHEL-123824] {CVE-2025-39982}
+Resolves: RHEL-122901, RHEL-123824, RHEL-124110, RHEL-124134
+
+* Thu Nov 27 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.18.1.el10_1]
+- ice: ice_adapter: release xa entry on adapter allocation failure (CKI Backport Bot) [RHEL-128472] {CVE-2025-40185}
+- cifs: Fix oops due to uninitialised variable (CKI Backport Bot) [RHEL-120562] {CVE-2025-38737}
+Resolves: RHEL-120562, RHEL-128472
+
+* Tue Nov 25 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.17.1.el10_1]
+- x86/hyperv: Fix kdump on Azure CVMs (Li Tian) [RHEL-129777]
+- tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) [RHEL-113919]
+- io_uring/waitid: always prune wait queue entry in io_waitid_wait() (CKI Backport Bot) [RHEL-124974] {CVE-2025-40047}
+Resolves: RHEL-113919, RHEL-124974, RHEL-129777
+
 * Sat Nov 22 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.16.1.el10_1]
 - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (Xin Long) [RHEL-125759]
 - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (CKI Backport Bot) [RHEL-119161] {CVE-2025-39883}

kernel.spec

@@ -98,7 +98,7 @@ Summary: The Linux kernel
 %if 0%{?fedora}
 %define secure_boot_arch x86_64
 %else
-%define secure_boot_arch x86_64 aarch64 s390x ppc64le
+%define secure_boot_arch x86_64 s390x ppc64le
 %endif
 
 # Signing for secure boot authentication
@@ -176,15 +176,15 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 124.16.1
+%define pkgrelease 124.20.1
 %define kversion 6
-%define tarfile_release 6.12.0-124.16.1.el10_1
+%define tarfile_release 6.12.0-124.20.1.el10_1
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 124.16.1%{?buildid}%{?dist}
+%define specrelease 124.20.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 6.12.0-124.16.1.el10_1
+%define kabiversion 6.12.0-124.20.1.el10_1
 
 # If this variable is set to 1, a bpf selftests build failure will cause a
 # fatal kernel package build error
@@ -717,6 +717,8 @@ Requires: ((%{name}-modules-extra-uname-r = %{KVERREL}) if %{name}-modules-extra
 Provides: installonlypkg(kernel)
 %endif
 
+Provides: oracle(kernel-sig-key) == 202502
+Conflicts: shim-x64 < 15.8-1.0.6
 
 #
 # List the packages used during the kernel build
@@ -881,8 +883,6 @@ BuildRequires: tpm2-tools
 %if 0%{?rhel}%{?centos} && !0%{?eln}
 %if 0%{?centos}
 BuildRequires: centos-sb-certs >= 9.0-23
-%else
-BuildRequires: redhat-sb-certs >= 9.4-0.1
 %endif
 %endif
 %endif
@@ -902,42 +902,11 @@ Source10: redhatsecurebootca5.cer
 Source13: redhatsecureboot501.cer
 
 %if %{signkernel}
-# Name of the packaged file containing signing key
-%ifarch ppc64le
-%define signing_key_filename kernel-signing-ppc.cer
-%endif
-%ifarch s390x
-%define signing_key_filename kernel-signing-s390.cer
-%endif
 
-# Fedora/ELN pesign macro expects to see these cert file names, see:
-# https://github.com/rhboot/pesign/blob/main/src/pesign-rpmbuild-helper.in#L216
-%if 0%{?fedora}%{?eln}
-%define pesign_name_0 redhatsecureboot501
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE13}
-%endif
-
-# RHEL/centos certs come from system-sb-certs
-%if 0%{?rhel} && !0%{?eln}
 %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
 %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
 
-%if 0%{?centos}
-%define pesign_name_0 centossecureboot201
-%else
-%ifarch x86_64 aarch64
-%define pesign_name_0 redhatsecureboot801
-%endif
-%ifarch s390x
-%define pesign_name_0 redhatsecureboot302
-%endif
-%ifarch ppc64le
-%define pesign_name_0 redhatsecureboot701
-%endif
-%endif
-# rhel && !eln
-%endif
+%define pesign_name_0 OracleLinuxSecureBootKey3
 
 # signkernel
 %endif
@@ -1018,7 +987,10 @@ Source102: nvidiagpuoot001.x509
 Source103: rhelimaca1.x509
 Source104: rhelima.x509
 Source105: rhelima_centos.x509
-Source106: fedoraimaca.x509
+# Oracle Linux IMA CA certificate
+Source106: olimaca1.x509
+# Oracle Linux IMA signing certificate
+Source107: olima1.x509
 
 %if 0%{?fedora}%{?eln}
 %define ima_ca_cert %{SOURCE106}
@@ -1033,9 +1005,11 @@ Source106: fedoraimaca.x509
 %define ima_signing_cert %{SOURCE105}
 %else
 %define ima_signing_cert %{SOURCE104}
+%define ima_signing_cert_ol %{SOURCE107}
 %endif
 
 %define ima_cert_name ima.cer
+%define ima_cert_name_ol ima_ol.cer
 
 Source200: check-kabi
 
@@ -1106,6 +1080,10 @@ Source4000: README.rst
 Source4001: rpminspect.yaml
 Source4002: gating.yaml
 
+# Oracle Linux RHCK Module Signing Key
+Source5001: olkmod_signing_key.pem
+Source5002: olkmod_signing_key1.pem
+
 ## Patches needed for building this package
 
 %if !%{nopatches}
@@ -1953,6 +1931,8 @@ ApplyOptionalPatch()
 mv linux-%{tarfile_release} linux-%{KVERREL}
 
 cd linux-%{KVERREL}
+#removal of git history
+rm -rf .git
 cp -a %{SOURCE1} .
 
 %{log_msg "Start of patch applications"}
@@ -2079,6 +2059,13 @@ openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
 cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem >> ../certs/rhel.pem
+# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list
+openssl x509 -inform der -in %{SOURCE106} -out olimaca1.pem
+cat olimaca1.pem >> ../certs/rhel.pem
+# Add olkmod_signing_key.pem to the kernel trusted certificates list
+cat %{SOURCE5001} >> ../certs/rhel.pem
+# Add olkmod_signing_key1.pem to the kernel trusted certificates list
+cat %{SOURCE5002} >> ../certs/rhel.pem
 # rhelkeys
 %endif
 %if %{signkernel}
@@ -2103,7 +2090,7 @@ done
 %if 0%{?rhel}
 %{log_msg "Adjust FIPS module name for RHEL"}
 for i in *.config; do
-  sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux %{rhel} - Kernel Cryptographic API"/' $i
+  sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Oracle Linux 10 Kernel Crypto API Cryptographic Module"/' $i
 done
 %endif
 
@@ -2756,6 +2743,22 @@ BuildKernel() {
         SBATsuffix="rhel"
 %endif
 %endif
+        SBAT=$(cat <<- EOF
+	linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
+	linux,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
+	linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com
+	linux.ol,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com
+	kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com
+	kernel-uki-virt.ol,1,Oracle Linux,kernel-uki-virt,$KernelVer,mailto:secalert_us@oracle.com
+	EOF
+	)
+
+        ADDONS_SBAT=$(cat <<- EOF
+	sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+	kernel-uki-virt-addons.$SBATsuffix,1,Red Hat,kernel-uki-virt-addons,$KernelVer,mailto:secalert@redhat.com
+	EOF
+	)
+
 	KernelUnifiedImageDir="$RPM_BUILD_ROOT/lib/modules/$KernelVer"
     	KernelUnifiedImage="$KernelUnifiedImageDir/$InstallName-virt.efi"
 	KernelUnifiedInitrd="$KernelUnifiedImageDir/$InstallName-virt.img"
@@ -2782,6 +2785,7 @@ BuildKernel() {
   python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} @uki-addons.sbat
 
 %if %{signkernel}
+%if ! %{?oraclelinux}
 	%{log_msg "Sign the EFI UKI kernel"}
 %if 0%{?fedora}%{?eln}
         %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
@@ -2813,6 +2817,7 @@ BuildKernel() {
       cp -a $UKI_secureboot_cert $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/secureboot-uki-%{_arch}.cer
 
 # signkernel
+%endif
 %endif
 
     # hmac sign the UKI for FIPS
@@ -2979,7 +2984,7 @@ BuildKernel() {
     # prune junk from kernel-debuginfo
     find $RPM_BUILD_ROOT/usr/src/kernels -name "*.mod.c" -delete
 
-    # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+    # UEFI Secure Boot CA cert, which can be used to authenticate the kernel
     %{log_msg "Install certs"}
     mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
 %if %{signkernel}
@@ -2994,6 +2999,8 @@ BuildKernel() {
 %if 0%{?rhel}
     # Red Hat IMA code-signing cert, which is used to authenticate package files
     install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
+    # Oracle Linux IMA signing cert
+    install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol}
 %endif
 
 %if %{signmodules}
@@ -4349,6 +4356,83 @@ fi\
 #
 #
 %changelog
+* Mon Dec 08 2025 Akshata Konala <akshata.konala@oracle.com> [6.12.0-124.20.1.el10_1.OL10]
+- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985782]
+- Disable UKI signing [Orabug: 36571828]
+- Update Oracle Linux certificates (Kevin Lyons)
+- Disable signing for aarch64 (Ilya Okomin)
+- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
+- Update x509.genkey [Orabug: 24817676]
+- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9
+- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
+- Add Oracle Linux IMA certificates
+- Update module name for cryptographic module [Orabug: 37400433]
+- Clean git history at setup stage
+
+* Tue Dec 02 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.20.1.el10_1]
+- iommu/vt-d: Disallow dirty tracking if incoherent page walk (CKI Backport Bot) [RHEL-125482] {CVE-2025-40058}
+- net/mlx5: fs, fix UAF in flow counter release (Michal Schmidt) [RHEL-124432] {CVE-2025-39979}
+- dpll: zl3073x: Fix output pin registration (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Handle missing or corrupted flash configuration (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Refactor DPLL initialization (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: ZL3073X_I2C and ZL3073X_SPI should depend on NET (Ivan Vecera) [RHEL-114795]
+- dpll: Make ZL3073X invisible (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Fix build failure (Ivan Vecera) [RHEL-114795]
+- redhat/configs: enable CONFIG_ZL3073X* (Ivan Vecera) [RHEL-114795]
+- redhat/configs: enable CONFIG_I2C_MUX_PCA954x on x86 (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get fractional frequency offset (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to adjust phase (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Implement phase offset monitor feature (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get phase offset on connected input pin (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get/set esync on pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get/set frequency on pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Implement input pin state setting in automatic mode (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Add support to get/set priority on input pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Implement input pin selection in manual mode (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Register DPLL devices and pins (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Read DPLL types and pin properties from system firmware (Ivan Vecera) [RHEL-114795]
+- dpll: zl3073x: Fetch invariants during probe (Ivan Vecera) [RHEL-114795]
+- dpll: Add basic Microchip ZL3073x support (Ivan Vecera) [RHEL-114795]
+- dt-bindings: dpll: Add support for Microchip Azurite chip family (Ivan Vecera) [RHEL-114795]
+- dt-bindings: dpll: Add DPLL device and pin (Ivan Vecera) [RHEL-114795]
+- idpf: set mac type when adding and removing MAC filters (CKI Backport Bot) [RHEL-123372]
+- crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Fix SNP panic notifier unregistration (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Fix dereferencing uninitialized error pointer (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Fix __sev_snp_shutdown_locked (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Move SEV/SNP Platform initialization to KVM (Lenny Szubowicz) [RHEL-76557]
+- KVM: SVM: Add support to initialize SEV/SNP functionality in KVM (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Add new SEV/SNP platform shutdown API (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Register SNP panic notifier only if SNP is enabled (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Reset TMR size at SNP Shutdown (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown (Lenny Szubowicz) [RHEL-76557]
+- crypto: ccp - Abort doing SEV INIT if SNP INIT fails (Lenny Szubowicz) [RHEL-76557]
+- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114448]
+- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114448]
+
+* Sat Nov 29 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.19.1.el10_1]
+- Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Fix sparse errors (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Fix possible UAFs (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: hci_sync: fix set_local_name race condition (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: set_mesh: update LE scan interval and window (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Protect mgmt_pending list with its own lock (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
+- Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue (CKI Backport Bot) [RHEL-124134] {CVE-2025-39983}
+- can: j1939: add missing calls in NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124110] {CVE-2025-39925}
+- can: j1939: implement NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124110] {CVE-2025-39925}
+- Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync (CKI Backport Bot) [RHEL-123824] {CVE-2025-39982}
+
+* Thu Nov 27 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.18.1.el10_1]
+- ice: ice_adapter: release xa entry on adapter allocation failure (CKI Backport Bot) [RHEL-128472] {CVE-2025-40185}
+- cifs: Fix oops due to uninitialised variable (CKI Backport Bot) [RHEL-120562] {CVE-2025-38737}
+
+* Tue Nov 25 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.17.1.el10_1]
+- x86/hyperv: Fix kdump on Azure CVMs (Li Tian) [RHEL-129777]
+- tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) [RHEL-113919]
+- io_uring/waitid: always prune wait queue entry in io_waitid_wait() (CKI Backport Bot) [RHEL-124974] {CVE-2025-40047}
+
 * Sat Nov 22 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.16.1.el10_1]
 - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (Xin Long) [RHEL-125759]
 - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (CKI Backport Bot) [RHEL-119161] {CVE-2025-39883}

olkmod_signing_key.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEETCCAvmgAwIBAgIJANw8y5k9b7SaMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBT
+aG9yZXMxGzAZBgNVBAoMEk9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3Jh
+Y2xlIExpbnV4MS0wKwYDVQQDDCRPcmFjbGUgTGludXggUkhDSyBNb2R1bGUgU2ln
+bmluZyBLZXkwHhcNMTYwNTA5MjMzNjA4WhcNMjYwNTA3MjMzNjA4WjCBnjELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFzAVBgNVBAcMDlJlZHdvb2Qg
+U2hvcmVzMRswGQYDVQQKDBJPcmFjbGUgQ29ycG9yYXRpb24xFTATBgNVBAsMDE9y
+YWNsZSBMaW51eDEtMCsGA1UEAwwkT3JhY2xlIExpbnV4IFJIQ0sgTW9kdWxlIFNp
+Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6bUDNNZ
+jIqgsqgspwBIQ18keDxQeGnWgubZZhHrQU3GpeSRPM4lNTHc+UjMjNXrv/CENZdv
+4cETRsxT1VFhGG3CvkbQdzc8v4JOQvWSSJqmViPa1eC+yGaMRnGcFXzKsHiTLA4y
+WMjpJnVowFkwTzscRBlN0AysUg/hT/74DE0oqVnlCJNynqccNWpx8MtNRD55ay9A
+73yJinYES14rXcU3QbJoO0ZxtRz83ZACDUGX0GORT3+NbB0RK0sttogzA3eLvxKw
+umWsWZAHmTuHdWgUjSqqZr34VNLPVcsTHAW8X4bq6rRVcB2lMJ3kJfDP8BJyTn99
+37UmA+/ld47cnwIDAQABo1AwTjAdBgNVHQ4EFgQU3ZlbFVwZs6fD73cHuWniX5Y5
+Zm4wHwYDVR0jBBgwFoAU3ZlbFVwZs6fD73cHuWniX5Y5Zm4wDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAF7nfhWfsk4uEDquLj7nJE0wPlVvllVDugzOk
+R15pnQ7P+HTyz3sLaLJE4N5oWt6pFzDGDYEtPeoMCn1l447tX179Nf5SMZba9ut8
+3Vxbe7jAn9sQO7ArQR1swf1r101Me4+1oHq7rxPRizOOXrKeEvf5NSAUbSzzXfz6
+TEp21KTIQO7MjqpsKshRQbpPeiReaYy3A6gJftun5xekP04QTLZVBR4dL7tvZf0S
+y9SjVg158lONXHfjBekyYTzSFBn/7v+AS8S+cAGRfYteE0Syxl7zJt3GUoEWau/e
+kXHT+hd/hkdSQKZZWZo1380M1pVZZAvntLRBU6IN9SswafhiVg==
+-----END CERTIFICATE-----

olkmod_signing_key1.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGBjCCA+6gAwIBAgIUf99zHRXkhhuQepjkXdIfz1kNGiwwDQYJKoZIhvcNAQEL
+BQAwgZ4xKTAnBgNVBAMMIE9yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyBDQSAx
+MQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRswGQYDVQQKDBJP
+cmFjbGUgQ29ycG9yYXRpb24xGzAZBgNVBAsMEk9yYWNsZSBDb3Jwb3JhdGlvbjET
+MBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yNTA1MDIwOTIzNDFaFw0zNjA0MTIyMTEw
+MjlaMGcxLDAqBgNVBAMMI09yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyAoa2V5
+IDEpMQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRMwEQYDVQQI
+DApDYWxpZm9ybmlhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5dMQ
+z4EwgCYLrxJCYTn0H5yncdJREDgAgkne3nQAmtJjfcoKNqRxieK5j1KjloF3Qvjt
+c5gITvjpne1UrHTodPF9qpJrFieDPb9+CMUGg/R/gk20PofKa5+DhTMyeIEpBOa7
+P6/OdCGiwaGI85Js6JMnNX2YKerehKB44zVfiNmddn7T/3y2QFFNj3VH62tC4XNt
+wZLCHnnO0JzOcZht5KA1JsITSLkT6/o//SZLpaNSAQkkanymdvszV5b0PDu4A0Fi
+5Ch41Akset2kAlpRoRBaVVdNhqKDyzsGRFyzHD57EyyY4M6H3yh2T6SPPOTUOKgn
+tcBfnFuijl2K/d87cnky1v1XzrvZqLzRz11ksLmZrUHZZ3PWfq2EndG8OiO4PdcF
+sF4nd20yuUywW4nj5iZT5h6f8P06C62ILe+dJWNzpGm6JgyYvTnHoUXjoQR+TLs/
+WY1l1N2uf3lc5rkof4g+Ckh/6uI1k5XfyHIzw8Z9wEOliUvHXq/8TVZ653IMmfC8
+gIrIMNOXONMdG7ReTnsr9z7ckv/dYKbW1gWtyY8o92N3dLuYb8MpfvCHkVF5ItUR
+52ay2wOQ1tDlfLUiU21yiglyW4rKanH6mrLd4mM8cphnPvRpZ9SM0qykwHrNqKOA
+m9p0AwIf1zmUL6boX/Xd+6zM2HAXOPMS1EGjA6MCAwEAAaNyMHAwDAYDVR0TAQH/
+BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYE
+FDUwOWM0ZjZkYmZjMGUyODhjOGM4MB8GA1UdIwQYMBaAFGM2NDkzM2I4OWUzNTYw
+ZmVhNWQzMA0GCSqGSIb3DQEBCwUAA4ICAQAmZbUs5P2HGRHt4W/QhGyfxxa/Go8K
+6a1VZlh71OURsbQ42ZDCfrYgw8LtDPqx7ySlUlkjDcc7ZvRh6RzLyn+ARIohhKNH
+PpEzIpOGm5P4zqY9R36STRSgCDl9iCNlk8pGKzqEIT+aCaZUWF+7NcFgePFDuN9W
+FX5tXhxEqqn8rmvGMQ3ZtodxIJb6ksKz6j/JWnuvcD4EgI1ykyc8MAtIm2/qVmPQ
+IofwXo6yL6ygT5K7cMsrte4EbzrHvuhuz89RHDmwmgB6XmZCWBOGYrO7lza2Yx0C
+/m4LcUHPW6XgrtkvIcLST90Ng9fp8EQl7Rp3med0K83kdwKUt7Ju9aPze049tuTQ
+QoHsIHDgsExK4wXUayHNgNNr8lMFm42gTB2DqP9F/Ihq7YhIdfXbOsVdS38Il9+Y
+8RWI87H+0mAxsv2RnaNkEbmd+2vY9j1ebHyblN59mxDEY+h3W7v402ay01Ia2Lnw
+szOAPq6AKZdfi0nan6zunurwEGKGeF4+Gr42RlA0Pcu1ZltBQVuMhvkO1wKZ5vO6
+MNR7swI0fH6VsyUms8wQbR85MCJg0MhpzRKw0g0Ka+c4nF1c4EmU4GaIbCNfzJy+
+68wdJDHhX+sbD7+AJBQ9i6TmtbPIGKNDHh9cMIXs+jMRtia/ZCYEsOOO5B+xrawF
+JuZ4rgQv9ghmhQ==
+-----END CERTIFICATE-----

sources

@@ -1,7 +1,7 @@
 SHA512 (fedoraimaca.x509) = e04809394f4472c17e86d7024dee34f03fb68e82a85502fd5b00535202c72e57626a8376b2cf991b7e1e46404aa5ab8d189ebf320e0dd37d49e7efbc925c7a2e
-SHA512 (kernel-abi-stablelists-6.12.0-124.16.1.el10_1.tar.xz) = 54e465b309293c077574d471cd8d90f940acb310259487fa5eb5fd17805db402d38b5bf807d5a63b663c4db7425aec1009cc322c1114ef8f75073305b31b529a
-SHA512 (kernel-kabi-dw-6.12.0-124.16.1.el10_1.tar.xz) = 3a0f5bdc5d4da217879ad9130dfe2820a120d3e6c80581e50db08f5213a5de6ee475be126bdac827d76afafcb8ff4d0648539d0a5bfba5a098dbeb8825bf265f
-SHA512 (linux-6.12.0-124.16.1.el10_1.tar.xz) = c960227a79319864f9934f28072dcfee635b50e7e0a85c634e117ff5772d99fc44a0f4a872bf97d0f37c6b60fb2ca71ad662e12c60b93bf6c0b9142f29d9a8e6
+SHA512 (kernel-abi-stablelists-6.12.0-124.20.1.el10_1.tar.xz) = d72912e431e842bf3a63a3211ff91ec5e33cc986f82a5e81866cd25cd16f45d60fa62202831d96cb0bbd8aaa054364a585b0e34dbbbe1cd72c38833529039e60 
+SHA512 (kernel-kabi-dw-6.12.0-124.20.1.el10_1.tar.xz) = d4fad9591096d5c38bca0a0a2aa559130ef085ea09160f6979014e9316ae1ef29f9fbe0de90ce65c0281bf8d938c6e32ec580022a517467f71ec591a27f2a903 
+SHA512 (linux-6.12.0-124.20.1.el10_1.tar.xz) = 09031bc085358168fd20e5385033ede032ef6fa116243f081bbce27475659acf8a5e5b6c30901aedd09e7b31bf646eeb3844658ab221bf5c82875a547856af20 
 SHA512 (nvidiagpuoot001.x509) = b42f836e1cfa07890cb6ca13de9c3950e306c9ec7686c4c09f050bb68869f5d82962b2cd5f3aa0eb7a0f3a3ae54e9c480eafbac5df53aa92c295ff511a8c59fe
 SHA512 (redhatsecureboot501.cer) = eb2c2d342680d4c3453d3e4f30abdd1f6b0e98292e1be0410d0163afd01552a863b70ffaabeecd6e3981cd4d167198091a837c7d70f96a3a06de2d28b3355308
 SHA512 (redhatsecureboot504.cer) = d6e9b54c378769bb934ead996c1003b495bde48a17d02c8880124f36a529ef799f1e3a97202f9536c71c0d2cefe20a3532053ab73ce798ba550934eedce23ff9

x509.genkey.rhel

@@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 
 [ req_distinguished_name ]
-O = Red Hat
-CN = Red Hat Enterprise Linux kernel signing key
-emailAddress = secalert@redhat.com
+O = Oracle America, Inc.,c=US
+CN = Oracle CA Server
+emailAddress = support@oracle.com
 
 [ myexts ]
 basicConstraints=critical,CA:FALSE