Compare commits
39 Commits
Author | SHA1 | Date | |
---|---|---|---|
e790b2321e | |||
e667b2f4d8 | |||
e4139feded | |||
17fb2cfe97 | |||
da2efe22d6 | |||
9874b1ecd3 | |||
1da4d1ae39 | |||
bc7062e82e | |||
a8f8575300 | |||
a35919e2be | |||
f41dc39bea | |||
51a24e3c48 | |||
1fec3ae286 | |||
ab8c284acb | |||
d4136628be | |||
|
22b44d3394 | ||
07b53af9dc | |||
9ffc03d4cc | |||
|
bd7eca018c | ||
|
ecefa7c768 | ||
|
673058d7bb | ||
|
a713fd635c | ||
238501d3ca | |||
6dc3fdcd75 | |||
fffef0593f | |||
387100185b | |||
|
a11301c818 | ||
|
142729f8cd | ||
|
d71cb8120e | ||
|
b9216f5527 | ||
|
0b72df0ec0 | ||
dc2bf65b8f | |||
|
90134a736e | ||
|
5bd15e08f8 | ||
|
d01e4bcc17 | ||
|
76d004474a | ||
|
41f15049b2 | ||
|
c57660fffb | ||
273ff5a163 |
@ -0,0 +1,76 @@
|
|||||||
|
From 82d811ff566594de3676f35808e8a9e19c5c864c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sean Christopherson <seanjc@google.com>
|
||||||
|
Date: Wed, 23 Aug 2023 18:01:04 -0700
|
||||||
|
Subject: [PATCH] KVM: x86/mmu: Fix an sign-extension bug with mmu_seq that
|
||||||
|
hangs vCPUs
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Upstream commit ba6e3fe25543 ("KVM: x86/mmu: Grab mmu_invalidate_seq in
|
||||||
|
kvm_faultin_pfn()") unknowingly fixed the bug in v6.3 when refactoring
|
||||||
|
how KVM tracks the sequence counter snapshot.
|
||||||
|
|
||||||
|
Take the vCPU's mmu_seq snapshot as an "unsigned long" instead of an "int"
|
||||||
|
when checking to see if a page fault is stale, as the sequence count is
|
||||||
|
stored as an "unsigned long" everywhere else in KVM. This fixes a bug
|
||||||
|
where KVM will effectively hang vCPUs due to always thinking page faults
|
||||||
|
are stale, which results in KVM refusing to "fix" faults.
|
||||||
|
|
||||||
|
mmu_invalidate_seq (née mmu_notifier_seq) is a sequence counter used when
|
||||||
|
KVM is handling page faults to detect if userspace mappings relevant to
|
||||||
|
the guest were invalidated between snapshotting the counter and acquiring
|
||||||
|
mmu_lock, i.e. to ensure that the userspace mapping KVM is using to
|
||||||
|
resolve the page fault is fresh. If KVM sees that the counter has
|
||||||
|
changed, KVM simply resumes the guest without fixing the fault.
|
||||||
|
|
||||||
|
What _should_ happen is that the source of the mmu_notifier invalidations
|
||||||
|
eventually goes away, mmu_invalidate_seq becomes stable, and KVM can once
|
||||||
|
again fix guest page fault(s).
|
||||||
|
|
||||||
|
But for a long-lived VM and/or a VM that the host just doesn't particularly
|
||||||
|
like, it's possible for a VM to be on the receiving end of 2 billion (with
|
||||||
|
a B) mmu_notifier invalidations. When that happens, bit 31 will be set in
|
||||||
|
mmu_invalidate_seq. This causes the value to be turned into a 32-bit
|
||||||
|
negative value when implicitly cast to an "int" by is_page_fault_stale(),
|
||||||
|
and then sign-extended into a 64-bit unsigned when the signed "int" is
|
||||||
|
implicitly cast back to an "unsigned long" on the call to
|
||||||
|
mmu_invalidate_retry_hva().
|
||||||
|
|
||||||
|
As a result of the casting and sign-extension, given a sequence counter of
|
||||||
|
e.g. 0x8002dc25, mmu_invalidate_retry_hva() ends up doing
|
||||||
|
|
||||||
|
if (0x8002dc25 != 0xffffffff8002dc25)
|
||||||
|
|
||||||
|
and signals that the page fault is stale and needs to be retried even
|
||||||
|
though the sequence counter is stable, and KVM effectively hangs any vCPU
|
||||||
|
that takes a page fault (EPT violation or #NPF when TDP is enabled).
|
||||||
|
|
||||||
|
Reported-by: Brian Rak <brak@vultr.com>
|
||||||
|
Reported-by: Amaan Cheval <amaan.cheval@gmail.com>
|
||||||
|
Reported-by: Eric Wheeler <kvm@lists.ewheeler.net>
|
||||||
|
Closes: https://lore.kernel.org/all/f023d927-52aa-7e08-2ee5-59a2fbc65953@gameservers.com
|
||||||
|
Fixes: a955cad84cda ("KVM: x86/mmu: Retry page fault if root is invalidated by memslot update")
|
||||||
|
Signed-off-by: Sean Christopherson <seanjc@google.com>
|
||||||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||||
|
---
|
||||||
|
arch/x86/kvm/mmu/mmu.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
|
||||||
|
index 230108a90cf3..beca03556379 100644
|
||||||
|
--- a/arch/x86/kvm/mmu/mmu.c
|
||||||
|
+++ b/arch/x86/kvm/mmu/mmu.c
|
||||||
|
@@ -4212,7 +4212,8 @@ static int kvm_faultin_pfn(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
|
||||||
|
* root was invalidated by a memslot update or a relevant mmu_notifier fired.
|
||||||
|
*/
|
||||||
|
static bool is_page_fault_stale(struct kvm_vcpu *vcpu,
|
||||||
|
- struct kvm_page_fault *fault, int mmu_seq)
|
||||||
|
+ struct kvm_page_fault *fault,
|
||||||
|
+ unsigned long mmu_seq)
|
||||||
|
{
|
||||||
|
struct kvm_mmu_page *sp = to_shadow_page(vcpu->arch.mmu->root.hpa);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
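Review bot: Nothing in the build confirms that the fix carried in this file is present in the shipped source: the spec on this page registers it as `Patch1100` but leaves its `ApplyOptionalPatch` line commented out with `# Already applied in the source tarball`. If a later tarball rebase drops the change, the `int mmu_seq` truncation in `is_page_fault_stale()` and the resulting vCPU hang would return without any build failure. Either apply the patch normally, or add a %prep assertion that fails when `arch/x86/kvm/mmu/mmu.c` still declares the parameter as `int mmu_seq`, and record next to `Patch1100` which tarball release first contained the fix.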
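--- /dev/null
+++ b/SOURCES/almalinux.pem
@@ -0,0 +1,46 @@
+-----BEGIN CERTIFICATE-----
+MIID3zCCAsegAwIBAgIQY4iebPtuT3OKR2M/jWZWEzANBgkqhkiG9w0BAQsFADBg
+MSUwIwYJKoZIhvcNAQkBFhZzZWN1cml0eUBhbG1hbGludXgub3JnMRIwEAYDVQQK
+EwlBbG1hTGludXgxIzAhBgNVBAMTGkFsbWFMaW51eCBTZWN1cmUgQm9vdCBDQSAx
+MB4XDTIxMDExNDIxMDcxOVoXDTM2MDExMTIxMDcxOVowaTElMCMGCSqGSIb3DQEJ
+ARYWc2VjdXJpdHlAYWxtYWxpbnV4Lm9yZzESMBAGA1UEChMJQWxtYUxpbnV4MSww
+KgYDVQQDEyNBbG1hTGludXggRHJpdmVyIHVwZGF0ZSBzaWduaW5nIGtleTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK7kGZShKo5uegg6T4U/wR9UeyCa
+qTtx+OvzUMKT8l5+R5WfBgQU8sDrIqX3Vv3tD6UeOUyFIQ40iGESdDhWnAFynJX4
+v0k81KxJ+rVFAt5EJBeGw7U2qdpn8hzJG2dVANZ1gXJWGhC95Muif5q8fL7BJdU4
+RufixfKWq6WHAalwHaiTCbA+/Ft6TLyZcA62glKkmBn7uWn83tlMfVqC4EN2NfQb
+//C2MFCbm43BoKmgrMV0J3Pu8un3QZ4ukDDhJJ9eHfSqscq9SHPjqd0RM6TRcFXW
+BzmTpG7MOJRvk4ypQSHxxc4jK5MVOqzel+2UPB2ihkvvnK9hdsvvI/bal/sCAwEA
+AaOBizCBiDAfBgNVHSMEGDAWgBSY0u339QWy5Y/vkiTSvJ6Ffy5GkzAVBglghkgB
+hvhCAQEBAf8EBQMDAPABMB8GA1UdJQQYMBYGCCsGAQUFBwMDBgorBgEEAZIIEAEC
+MA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUe4Y+AkDtIIq2uBuKbyhgwPTox9Yw
+DQYJKoZIhvcNAQELBQADggEBAHoPojMTRdFO050Ihrmr8jkdOweiOSBtlAZkLGd2
+lTybNp2Xi1lQ8SqsqU/NFs/KUPVFykmjmLeqNWC9QoKdrVGzoD9MOHprRxe6gC8k
+sHzBCFqdx3B+qbeSxBUN2QLIydzM6C23qf1TjBCeEDtRrvcvupFTlOBxiOJrIwbp
+dJD1JfjbgxfvLzg7PaJPi5Ev6B3gY4ybCnKQmor029Z3R4zw3miPpZVA04xt3Z9e
+m45Jjv86u10wjLmGRgfMmYT43jiMbOwlG1N8OikvgIHwlZtWxUpL1t/mEYtMMkTv
+R//lA5z5dqXiDCPdTwHhSjEfBFWGLl7ciYt6rYkpdlqnYdk=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID2DCCAsCgAwIBAgIQHDEXJMuZQ/m5MXRiSmLMljANBgkqhkiG9w0BAQsFADBg
+MSUwIwYJKoZIhvcNAQkBFhZzZWN1cml0eUBhbG1hbGludXgub3JnMRIwEAYDVQQK
+EwlBbG1hTGludXgxIzAhBgNVBAMTGkFsbWFMaW51eCBTZWN1cmUgQm9vdCBDQSAx
+MB4XDTIxMDExNDIxMDgwMFoXDTM2MDExMTIxMDgwMFowYjElMCMGCSqGSIb3DQEJ
+ARYWc2VjdXJpdHlAYWxtYWxpbnV4Lm9yZzESMBAGA1UEChMJQWxtYUxpbnV4MSUw
+IwYDVQQDExxBbG1hTGludXgga3BhdGNoIHNpZ25pbmcga2V5MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxncKQ7a49o5IUwqPB1axIzopNdGoSoERVuUd
+hdHAZLB2MGIuU2fGCuZ4iD2Pwk+t2KsgR1y58pmHyRBCLi2tYfEdDB8LUzUY3P+8
+Wxm2+zz8TPJUIcvPE4rHEb0vV4nTzwjpG4BTBwLkYRj+AxGbzWEy5Eetxzq5Ji+V
+TMuTzRKshHEGNs3tFRPbSssc50NH+OuVKpzJAIqBmz7Gca9RqhK9ARK1p3aDEoR+
+pYw4zRjIczc3s57WeuQxRMvFK5j48U0hpEUh+eQn1m40Bus3e7i4YTskwgKN5Vq3
+lGlEdBoK4utuoHPj3JYh97hOii/kulOa9j5xeNe5z/6QByMxpwIDAQABo4GLMIGI
+MB8GA1UdIwQYMBaAFJjS7ff1BbLlj++SJNK8noV/LkaTMBUGCWCGSAGG+EIBAQEB
+/wQFAwMA8AEwHwYDVR0lBBgwFgYIKwYBBQUHAwMGCisGAQQBkggQAQIwDgYDVR0P
+AQH/BAQDAgSwMB0GA1UdDgQWBBRpptnu0/Yg1cLhOh0hHEZRClrZ9TANBgkqhkiG
+9w0BAQsFAAOCAQEAMDiuS0CD31MtO1Sn4HRYvai2LFdKpUKAEXVy9hsN+AfbcMcl
+2sF/w49o43cMNIFoWKhMWZMOjCj/DGQY7ehNH3DRaTl7DNCu6y7mBNJPU+iPcE4r
+92SBWIxUNi7YVbsc1evKBOnrtq6xd5BUJQx1cVGmSBI9dnd4tDBB2+KjpmdhzZK5
+V1KQz1ilz5g2FNyEj6L7hnpkGUeMYnuM49YL7JP8QNtaKUBBA3BR4S7de+Tu070h
+pEhvE539I6B+wmgV/bio20TUpQ5W2eH+5YUHVIZa5pZ30tVkm21iNB7eccbM4NYc
+IRmwIsesuROtaM1e0lHoxKdW0N2xOSkhSY6oyQ==
+-----END CERTIFICATE-----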
BIN
SOURCES/almalinuxsecurebootca0.cer
Normal file
BIN
SOURCES/almalinuxsecurebootca0.cer
Normal file
Binary file not shown.
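--- /dev/null
+++ b/SOURCES/debrand-rh-i686-cpu.patch
@@ -0,0 +1,11 @@
+--- a/arch/x86/boot/main.c 2019-03-13 04:04:53.000000000 -0700
++++ b/arch/x86/boot/main.c 2019-05-25 14:31:21.043272496 -0700
+@@ -147,7 +147,7 @@ void main(void)
+
+/* Make sure we have all the proper CPU support */
+if (validate_cpu()) {
+- puts("This processor is not supported in this version of RHEL.\n");
++ puts("This processor is not supported in this version of AlmaLinux.\n");
+die();
+}
+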
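--- /dev/null
+++ b/SOURCES/debrand-rh_taint.patch
@@ -0,0 +1,81 @@
+--- a/kernel/rh_taint.c 2020-10-16 10:41:51.000000000 -0500
++++ b/kernel/rh_taint.c 2020-11-19 10:50:24.853039167 -0600
+@@ -2,12 +2,12 @@
+#include <linux/module.h>
+
+/*
+- * The following functions are used by Red Hat to indicate to users that
+- * hardware and drivers are unsupported, or have limited support in RHEL major
++ * The following functions are used by AlmaLinux to indicate to users that
++ * hardware and drivers are unsupported, or have limited support in AlmaLinux major
+* and minor releases. These functions output loud warning messages to the end
+* user and should be USED WITH CAUTION.
+*
+- * Any use of these functions _MUST_ be documented in the RHEL Release Notes,
++ * Any use of these functions _MUST_ be documented in the AlmaLinux Release Notes,
+* and have approval of management.
+*/
+
+@@ -16,15 +16,15 @@
+* @msg: Hardware name, class, or type
+*
+* Called to mark a device, class of devices, or types of devices as not having
+- * support in any RHEL minor release. This does not TAINT the kernel. Red Hat
+- * will not fix bugs against this hardware in this minor release. Red Hat may
++ * support in any AlmaLinux minor release. This does not TAINT the kernel. AlmaLinux
++ * will not fix bugs against this hardware in this minor release. AlmaLinux may
+* declare support in a future major or minor update release. This cannot be
+* used to mark drivers unsupported.
+*/
+void mark_hardware_unsupported(const char *msg)
+{
+/* Print one single message */
+- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://catalog.redhat.com for certified hardware.\n", msg);
++ pr_crit("Warning: %s - this hardware has not undergone testing by AlmaLinux and might not be certified.\n", msg);
+}
+EXPORT_SYMBOL(mark_hardware_unsupported);
+
+@@ -35,12 +35,12 @@ EXPORT_SYMBOL(mark_hardware_unsupported)
+* Called to minimize the support status of a previously supported device in
+* a minor release. This does not TAINT the kernel. Marking hardware
+* deprecated is usually done in conjunction with the hardware vendor. Future
+- * RHEL major releases may not include this driver. Driver updates and fixes
++ * AlmaLinux major releases may not include this driver. Driver updates and fixes
+* for this device will be limited to critical issues in future minor releases.
+*/
+void mark_hardware_deprecated(const char *msg)
+{
+- pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact Red Hat Support or your device's hardware vendor for additional information.\n", msg);
++ pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this AlmaLinux release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact AlmaLinux Support or your device's hardware vendor for additional information.\n", msg);
+}
+EXPORT_SYMBOL(mark_hardware_deprecated);
+
+@@ -50,9 +50,9 @@ EXPORT_SYMBOL(mark_hardware_deprecated);
+*
+* Called to minimize the support status of a new driver. This does TAINT the
+* kernel. Calling this function indicates that the driver or subsystem has
+- * had limited testing and is not marked for full support within this RHEL
+- * minor release. The next RHEL minor release may contain full support for
+- * this driver. Red Hat does not guarantee that bugs reported against this
++ * had limited testing and is not marked for full support within this AlmaLinux
++ * minor release. The next AlmaLinux minor release may contain full support for
++ * this driver. AlmaLinux does not guarantee that bugs reported against this
+* driver or subsystem will be resolved.
+*/
+void mark_tech_preview(const char *msg, struct module *mod)
+@@ -81,13 +81,13 @@ EXPORT_SYMBOL(mark_tech_preview);
+* mark_driver_unsupported - drivers that we know we don't want to support
+* @name: the name of the driver
+*
+- * In some cases Red Hat has chosen to build a driver for internal QE
++ * In some cases AlmaLinux has chosen to build a driver for internal QE
+* use. Use this function to mark those drivers as unsupported for
+* customers.
+*/
+void mark_driver_unsupported(const char *name)
+{
+- pr_crit("Warning: %s - This driver has not undergone sufficient testing by Red Hat for this release and therefore cannot be used in production systems.\n",
++ pr_crit("Warning: %s - This driver has not undergone sufficient testing by AlmaLinux for this release and therefore cannot be used in production systems.\n",
+name ? name : "kernel");
+}
+EXPORT_SYMBOL(mark_driver_unsupported);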
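--- /dev/null
+++ b/SOURCES/debrand-single-cpu.patch
@@ -0,0 +1,11 @@
+--- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700
++++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700
+@@ -900,7 +900,7 @@ static void rh_check_supported(void)
+if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) &&
+!guest && is_kdump_kernel()) {
+pr_crit("Detected single cpu native boot.\n");
+- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems.");
++ pr_crit("Important: In AlmaLinux 8, single threaded, single CPU 64-bit physical systems are unsupported. Please see https://www.almalinux.org for more information");
+}
+
+/*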
@ -5,9 +5,9 @@ prompt = no
|
|||||||
x509_extensions = myexts
|
x509_extensions = myexts
|
||||||
|
|
||||||
[ req_distinguished_name ]
|
[ req_distinguished_name ]
|
||||||
O = Red Hat
|
O = AlmaLinux
|
||||||
CN = Red Hat Enterprise Linux kernel signing key
|
CN = AlmaLinux kernel signing key
|
||||||
emailAddress = secalert@redhat.com
|
emailAddress = security@almalinux.org
|
||||||
|
|
||||||
[ myexts ]
|
[ myexts ]
|
||||||
basicConstraints=critical,CA:FALSE
|
basicConstraints=critical,CA:FALSE
|
||||||
|
@ -218,14 +218,14 @@
|
|||||||
%define with_bpftool 1
|
%define with_bpftool 1
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%ifnarch noarch
|
%ifnarch x86_64
|
||||||
%define with_kernel_abi_stablelists 0
|
%define with_kernel_abi_stablelists 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Overrides for generic default options
|
# Overrides for generic default options
|
||||||
|
|
||||||
# only package docs noarch
|
# only package docs noarch
|
||||||
%ifnarch noarch
|
%ifnarch x86_64
|
||||||
%define with_doc 0
|
%define with_doc 0
|
||||||
%define doc_build_fail true
|
%define doc_build_fail true
|
||||||
%endif
|
%endif
|
||||||
@ -347,7 +347,6 @@ Requires: rt-setup
|
|||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# List the packages used during the kernel build
|
# List the packages used during the kernel build
|
||||||
#
|
#
|
||||||
@ -447,37 +446,15 @@ Source9: x509.genkey
|
|||||||
%define signing_key_filename kernel-signing-s390.cer
|
%define signing_key_filename kernel-signing-s390.cer
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
Source10: redhatsecurebootca3.cer
|
Source10: almalinuxsecurebootca0.cer
|
||||||
Source11: centossecurebootca2.cer
|
Source11: almalinuxsecurebootca0.cer
|
||||||
Source12: centossecureboot201.cer
|
|
||||||
Source13: redhatsecureboot501.cer
|
|
||||||
Source14: redhatsecureboot302.cer
|
|
||||||
Source15: redhatsecureboot303.cer
|
|
||||||
Source16: redhatsecurebootca7.cer
|
|
||||||
%if 0%{?centos}
|
|
||||||
%define secureboot_ca_0 %{SOURCE11}
|
|
||||||
%define secureboot_key_0 %{SOURCE12}
|
|
||||||
%define pesign_name_0 centossecureboot201
|
|
||||||
%else
|
|
||||||
|
|
||||||
%ifarch x86_64 aarch64
|
|
||||||
%define secureboot_ca_0 %{SOURCE10}
|
%define secureboot_ca_0 %{SOURCE10}
|
||||||
%define secureboot_key_0 %{SOURCE13}
|
%define secureboot_ca_1 %{SOURCE11}
|
||||||
%define pesign_name_0 redhatsecureboot501
|
%define secureboot_ca_2 %{SOURCE11}
|
||||||
%endif
|
|
||||||
|
|
||||||
%ifarch s390x
|
%define secureboot_key_0 %{SOURCE10}
|
||||||
%define secureboot_ca_0 %{SOURCE10}
|
%define pesign_name_0 almalinuxsecurebootca0
|
||||||
%define secureboot_key_0 %{SOURCE14}
|
|
||||||
%define pesign_name_0 redhatsecureboot302
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%ifarch ppc64le
|
|
||||||
%define secureboot_ca_0 %{SOURCE16}
|
|
||||||
%define secureboot_key_0 %{SOURCE15}
|
|
||||||
%define pesign_name_0 redhatsecureboot701
|
|
||||||
%endif
|
|
||||||
%endif
|
|
||||||
|
|
||||||
Source17: mod-blacklist.sh
|
Source17: mod-blacklist.sh
|
||||||
Source18: mod-sign.sh
|
Source18: mod-sign.sh
|
||||||
@ -506,8 +483,8 @@ Source43: generate_bls_conf.sh
|
|||||||
|
|
||||||
Source44: mod-internal.list
|
Source44: mod-internal.list
|
||||||
|
|
||||||
Source100: rheldup3.x509
|
# Source100: rheldup3.x509
|
||||||
Source101: rhelkpatch1.x509
|
# Source101: rhelkpatch1.x509
|
||||||
|
|
||||||
%if %{with_kabichk}
|
%if %{with_kabichk}
|
||||||
Source200: check-kabi
|
Source200: check-kabi
|
||||||
@ -540,18 +517,25 @@ Source4000: gating.yaml
|
|||||||
# rpminspect config
|
# rpminspect config
|
||||||
Source4001: rpminspect.yaml
|
Source4001: rpminspect.yaml
|
||||||
|
|
||||||
|
Source9000: almalinux.pem
|
||||||
|
|
||||||
## Patches needed for building this package
|
## Patches needed for building this package
|
||||||
|
|
||||||
# empty final patch to facilitate testing of kernel patches
|
# empty final patch to facilitate testing of kernel patches
|
||||||
Patch999999: linux-kernel-test.patch
|
Patch999999: linux-kernel-test.patch
|
||||||
|
|
||||||
|
Patch1000: debrand-single-cpu.patch
|
||||||
|
Patch1002: debrand-rh-i686-cpu.patch
|
||||||
|
|
||||||
|
Patch1100: 1100-KVM-x86-mmu-Fix-an-sign-extension-bug-with-mmu_seq-t.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root
|
BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This is the package which provides the Linux %{name} for Red Hat Enterprise
|
This is the package which provides the Linux %{name} for AlmaLinux.
|
||||||
Linux. It is based on upstream Linux at version %{version} and maintains kABI
|
It is based on upstream Linux at version %{version} and maintains kABI
|
||||||
compatibility of a set of approved symbols, however it is heavily modified with
|
compatibility of a set of approved symbols, however it is heavily modified with
|
||||||
backports and fixes pulled from newer upstream Linux %{name} releases. This means
|
backports and fixes pulled from newer upstream Linux %{name} releases. This means
|
||||||
this is not a %{version} kernel anymore: it includes several components which come
|
this is not a %{version} kernel anymore: it includes several components which come
|
||||||
@ -559,7 +543,7 @@ from newer upstream linux versions, while maintaining a well tested and stable
|
|||||||
core. Some of the components/backports that may be pulled in are: changes like
|
core. Some of the components/backports that may be pulled in are: changes like
|
||||||
updates to the core kernel (eg.: scheduler, cgroups, memory management, security
|
updates to the core kernel (eg.: scheduler, cgroups, memory management, security
|
||||||
fixes and features), updates to block layer, supported filesystems, major driver
|
fixes and features), updates to block layer, supported filesystems, major driver
|
||||||
updates for supported hardware in Red Hat Enterprise Linux, enhancements for
|
updates for supported hardware in AlmaLinux, enhancements for
|
||||||
enterprise customers, etc.
|
enterprise customers, etc.
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -598,6 +582,7 @@ AutoProv: yes\
|
|||||||
%package doc
|
%package doc
|
||||||
Summary: Various documentation bits found in the kernel source
|
Summary: Various documentation bits found in the kernel source
|
||||||
Group: Documentation
|
Group: Documentation
|
||||||
|
BuildArch: noarch
|
||||||
%description doc
|
%description doc
|
||||||
This package contains documentation files from the kernel
|
This package contains documentation files from the kernel
|
||||||
source. Various bits of information about the Linux kernel and the
|
source. Various bits of information about the Linux kernel and the
|
||||||
@ -807,14 +792,15 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%package -n %{name}-abi-stablelists
|
%package -n %{name}-abi-stablelists
|
||||||
Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists
|
Summary: The AlmaLinux kernel ABI symbol stablelists
|
||||||
Group: System Environment/Kernel
|
Group: System Environment/Kernel
|
||||||
AutoReqProv: no
|
AutoReqProv: no
|
||||||
|
BuildArch: noarch
|
||||||
Obsoletes: %{name}-abi-whitelists < %{specversion}-%{pkg_release}
|
Obsoletes: %{name}-abi-whitelists < %{specversion}-%{pkg_release}
|
||||||
Provides: %{name}-abi-whitelists
|
Provides: %{name}-abi-whitelists
|
||||||
%description -n %{name}-abi-stablelists
|
%description -n %{name}-abi-stablelists
|
||||||
The kABI package contains information pertaining to the Red Hat Enterprise
|
The kABI package contains information pertaining to the AlmaLinux
|
||||||
Linux kernel ABI, including lists of kernel symbols that are needed by
|
kernel ABI, including lists of kernel symbols that are needed by
|
||||||
external Linux kernel modules, and a yum plugin to aid enforcement.
|
external Linux kernel modules, and a yum plugin to aid enforcement.
|
||||||
|
|
||||||
%if %{with_kabidw_base}
|
%if %{with_kabidw_base}
|
||||||
@ -823,8 +809,8 @@ Summary: The baseline dataset for kABI verification using DWARF data
|
|||||||
Group: System Environment/Kernel
|
Group: System Environment/Kernel
|
||||||
AutoReqProv: no
|
AutoReqProv: no
|
||||||
%description kernel-kabidw-base-internal
|
%description kernel-kabidw-base-internal
|
||||||
The package contains data describing the current ABI of the Red Hat Enterprise
|
The package contains data describing the current ABI of the AlmaLinux
|
||||||
Linux kernel, suitable for the kabi-dw tool.
|
kernel, suitable for the kabi-dw tool.
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -898,7 +884,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
|
|||||||
AutoReq: no\
|
AutoReq: no\
|
||||||
AutoProv: yes\
|
AutoProv: yes\
|
||||||
%description %{?1:%{1}-}modules-internal\
|
%description %{?1:%{1}-}modules-internal\
|
||||||
This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\
|
This package provides kernel modules for the %{?2:%{2} }kernel package for AlmaLinux internal usage.\
|
||||||
%{nil}
|
%{nil}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -989,6 +975,11 @@ Summary: %{variant_summary}\
|
|||||||
Group: System Environment/Kernel\
|
Group: System Environment/Kernel\
|
||||||
Provides: %{name}-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
|
Provides: %{name}-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
|
||||||
Provides: installonlypkg(kernel)\
|
Provides: installonlypkg(kernel)\
|
||||||
|
%if "%{?1}" == ""\
|
||||||
|
Provides: almalinux(kernel-sig-key) = 202303\
|
||||||
|
Conflicts: shim-ia32 <= 15.6-1.el8.alma\
|
||||||
|
Conflicts: shim-x64 <= 15.6-1.el8.alma\
|
||||||
|
%endif\
|
||||||
%{expand:%%kernel_reqprovconf}\
|
%{expand:%%kernel_reqprovconf}\
|
||||||
%if %{?1:1} %{!?1:0} \
|
%if %{?1:1} %{!?1:0} \
|
||||||
%{expand:%%kernel_meta_package %{?1:%{1}}}\
|
%{expand:%%kernel_meta_package %{?1:%{1}}}\
|
||||||
@ -1096,10 +1087,15 @@ ApplyOptionalPatch()
|
|||||||
}
|
}
|
||||||
|
|
||||||
%setup -q -n %{name}-%{specversion}-%{pkgrelease} -c
|
%setup -q -n %{name}-%{specversion}-%{pkgrelease} -c
|
||||||
|
cp -v %{SOURCE9000} linux-%{specversion}-%{pkgrelease}/certs/rhel.pem
|
||||||
mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}
|
mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}
|
||||||
|
|
||||||
cd linux-%{KVERREL}
|
cd linux-%{KVERREL}
|
||||||
|
|
||||||
|
ApplyOptionalPatch debrand-single-cpu.patch
|
||||||
|
ApplyOptionalPatch debrand-rh-i686-cpu.patch
|
||||||
|
# Already applied in the source tarball
|
||||||
|
# ApplyOptionalPatch 1100-KVM-x86-mmu-Fix-an-sign-extension-bug-with-mmu_seq-t.patch
|
||||||
ApplyOptionalPatch linux-kernel-test.patch
|
ApplyOptionalPatch linux-kernel-test.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
@ -1170,9 +1166,9 @@ done
|
|||||||
# Add DUP and kpatch certificates to system trusted keys for RHEL
|
# Add DUP and kpatch certificates to system trusted keys for RHEL
|
||||||
%if 0%{?rhel}
|
%if 0%{?rhel}
|
||||||
%if %{signkernel}%{signmodules}
|
%if %{signkernel}%{signmodules}
|
||||||
openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
|
# openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
|
||||||
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
|
# openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
|
||||||
cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem
|
# cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem
|
||||||
%ifarch ppc64le
|
%ifarch ppc64le
|
||||||
openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
|
openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
|
||||||
cat secureboot.pem >> ../certs/rhel.pem
|
cat secureboot.pem >> ../certs/rhel.pem
|
||||||
|
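Review bot: The certificates that end up in `certs/rhel.pem` are no longer derived or checked during the build: the last hunk comments out the `openssl x509`/`cat` lines, and the file is instead filled by the unconditional `cp -v %{SOURCE9000} linux-%{specversion}-%{pkgrelease}/certs/rhel.pem` added after `%setup`, outside the `%if 0%{?rhel}` and `%if %{signkernel}%{signmodules}` guards. That file presumably feeds the kernel's built-in trusted keys, so put a guard beside the copy, e.g. `test "$(grep -c 'BEGIN CERTIFICATE' %{SOURCE9000})" -eq 2`, and a comment such as `# almalinux.pem: AlmaLinux driver-update and kpatch signing certs (replaces rheldup3/rhelkpatch1)`. The surviving comment `# Add DUP and kpatch certificates to system trusted keys for RHEL` now heads a block whose visible part only acts on ppc64le, and the three dead lines are better deleted than commented out. In the `@ -447,37 +446,15 @@` hunk `secureboot_ca_0`, `secureboot_ca_1`, `secureboot_ca_2` and `secureboot_key_0` all expand to `almalinuxsecurebootca0.cer`; if the signing step elsewhere in the spec expects a leaf signing certificate distinct from the CA, that distinction is gone and deserves an explanatory comment.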