import OL libvirt-11.5.0-4.5.0.1.el10_1

libvirt-esx-Allow-disk-images-in-subdirectories.patch

@@ -0,0 +1,66 @@
+From 9feb04c572299cd2c31898c8b7deec0c660bcbbc Mon Sep 17 00:00:00 2001
+Message-ID: <9feb04c572299cd2c31898c8b7deec0c660bcbbc.1768319110.git.jdenemar@redhat.com>
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Wed, 19 Nov 2025 14:28:11 +0100
+Subject: [PATCH] esx: Allow disk images in subdirectories
+
+The esxParseVMXFileName() function parses path to a disk image
+trying to replace some "known" patterns (e.g. datastore paths).
+A simple filename is treated as a path relative to .vmx file. But
+disk images (and thus filenames) can be in a subdirectory,
+relative to the .vmx file. For instance:
+
+  subfolder/disk.vmdk
+
+Adapt our parser to this fact.
+
+Resolves: https://issues.redhat.com/browse/RHEL-122751
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 07d3cc9d578781ca7335480b371e27f84c6c8db7)
+Resolves: https://issues.redhat.com/browse/RHEL-140865
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/esx/esx_driver.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/esx/esx_driver.c b/src/esx/esx_driver.c
+index 512ca6c028..875cd076df 100644
+--- a/src/esx/esx_driver.c
++++ b/src/esx/esx_driver.c
+@@ -79,9 +79,11 @@ esxFreePrivate(esxPrivate **priv)
+  * Parse a file name from a .vmx file and convert it to datastore path format
+  * if possible. A .vmx file can contain file names in various formats:
+  *
+- * - A single name referencing a file in the same directory as the .vmx file:
++ * - A single name referencing a file in the same directory as the .vmx file,
++ *   or in a subdirectory:
+  *
+  *     test1.vmdk
++ *     subdir/test2.vmdk
+  *
+  * - An absolute file name referencing a file in a datastore that is mounted at
+  *   /vmfs/volumes/<datastore>:
+@@ -113,8 +115,9 @@ esxFreePrivate(esxPrivate **priv)
+  *
+  * Firstly this functions checks if the given file name contains a separator.
+  * If it doesn't then the referenced file is in the same directory as the .vmx
+- * file. The datastore name and directory of the .vmx file are passed to this
+- * function via the opaque parameter by the caller of virVMXParseConfig.
++ * file, or in a subdirectory. The datastore name and directory of the .vmx
++ * file are passed to this function via the opaque parameter by the caller of
++ * virVMXParseConfig.
+  *
+  * Otherwise query for all known datastores and their mount directories. Then
+  * try to find a datastore with a mount directory that is a prefix to the given
+@@ -145,7 +148,7 @@ esxParseVMXFileName(const char *fileName,
+ 
+     *out = NULL;
+ 
+-    if (!strchr(fileName, '/') && !strchr(fileName, '\\')) {
++    if (*fileName != '/' && !strchr(fileName, '\\')) {
+         /* Plain file name, use same directory as for the .vmx file */
+         *out = g_strdup_printf("%s/%s", data->datastorePathWithoutFileName,
+                                fileName);
+-- 
+2.52.0

libvirt-esx-URI-encode-inventory-objects-twice.patch

@@ -0,0 +1,60 @@
+From abe5489da9a426f9d50dca1c9a99e6a8ed0ec5a2 Mon Sep 17 00:00:00 2001
+Message-ID: <abe5489da9a426f9d50dca1c9a99e6a8ed0ec5a2.1768319110.git.jdenemar@redhat.com>
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Tue, 6 Jan 2026 17:18:03 +0100
+Subject: [PATCH] esx: URI encode inventory objects twice
+
+While discouraged by a KB article to use special characters in
+inventory object names [1], ESX won't stop you. And thus users
+can end up with a datastore named "datastore2+", for instance.
+The datastore name (and datacenter path) are important when
+fetching/uploading a .vmx file (used in APIs like
+virDomainGetXMLDesc() or virDomainDefineXML()). And while we do
+URI encode both (dcPath and dsName), encoding them once is not
+enough. Cole Robinson discovered [2] that they need to be
+URI-encoded twice. Use newly introduced
+esxUtil_EscapeInventoryObject() helper to encode them twice.
+
+1: https://knowledge.broadcom.com/external/article/386368/vcenter-inventory-object-name-with-speci.html
+2: https://issues.redhat.com/browse/RHEL-133729#comment-28604072
+Resolves: https://issues.redhat.com/browse/RHEL-134127
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
+(cherry picked from commit 6c9d2591c668732eb05cf17d27c9102ef3d40b39)
+Resolves: https://issues.redhat.com/browse/RHEL-140465
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/esx/esx_driver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/esx/esx_driver.c b/src/esx/esx_driver.c
+index 875cd076df..8614ba3f32 100644
+--- a/src/esx/esx_driver.c
++++ b/src/esx/esx_driver.c
+@@ -2574,9 +2574,9 @@ esxDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
+                       domain->conn->uri->server, domain->conn->uri->port);
+     virBufferURIEncodeString(&buffer, directoryAndFileName);
+     virBufferAddLit(&buffer, "?dcPath=");
+-    virBufferURIEncodeString(&buffer, priv->primary->datacenterPath);
++    esxUtil_EscapeInventoryObject(&buffer, priv->primary->datacenterPath);
+     virBufferAddLit(&buffer, "&dsName=");
+-    virBufferURIEncodeString(&buffer, datastoreName);
++    esxUtil_EscapeInventoryObject(&buffer, datastoreName);
+ 
+     url = virBufferContentAndReset(&buffer);
+ 
+@@ -3009,9 +3009,9 @@ esxDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flags)
+ 
+     virBufferURIEncodeString(&buffer, escapedName);
+     virBufferAddLit(&buffer, ".vmx?dcPath=");
+-    virBufferURIEncodeString(&buffer, priv->primary->datacenterPath);
++    esxUtil_EscapeInventoryObject(&buffer, priv->primary->datacenterPath);
+     virBufferAddLit(&buffer, "&dsName=");
+-    virBufferURIEncodeString(&buffer, datastoreName);
++    esxUtil_EscapeInventoryObject(&buffer, datastoreName);
+ 
+     url = virBufferContentAndReset(&buffer);
+ 
+-- 
+2.52.0

libvirt-esx_util-Introduce-esxUtil_EscapeInventoryObject.patch

@@ -0,0 +1,76 @@
+From b6acf18d7eb7391a59a57930a6d96d693de9ae7f Mon Sep 17 00:00:00 2001
+Message-ID: <b6acf18d7eb7391a59a57930a6d96d693de9ae7f.1768319110.git.jdenemar@redhat.com>
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Wed, 7 Jan 2026 10:34:25 +0100
+Subject: [PATCH] esx_util: Introduce esxUtil_EscapeInventoryObject()
+
+The aim of this helper function is to URI-encode given string
+twice. There's a bug (fixed in next commit) in which we're unable
+to fetch .vmx file for a domain if corresponding datastore
+contains some special characters (like +). Cole Robinson
+discovered that encoding datastore twice enables libvirt to work
+around the issue [2]. Well, this function does exactly that.
+It was tested with the following inputs and all worked
+flawlessly: "datastore", "datastore2", "datastore2+",
+"datastore3+-@", "data store2+".
+
+1: https://issues.redhat.com/browse/RHEL-134127
+2: https://issues.redhat.com/browse/RHEL-133729#comment-28604072
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
+(cherry picked from commit ffe74c7c551bd641cbcaa2512ed0ad4a25d3980b)
+Resolves: https://issues.redhat.com/browse/RHEL-140465
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/esx/esx_util.c | 18 ++++++++++++++++++
+ src/esx/esx_util.h |  3 +++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/src/esx/esx_util.c b/src/esx/esx_util.c
+index 7ee0e5f7c0..9b714d90ba 100644
+--- a/src/esx/esx_util.c
++++ b/src/esx/esx_util.c
+@@ -448,3 +448,21 @@ esxUtil_EscapeForXml(const char *string)
+ 
+     return virBufferContentAndReset(&buffer);
+ }
++
++
++/* esxUtil_EscapeInventoryObject:
++ * @buf: the buffer to append to
++ * @string: the string argument which will be URI-encoded
++ *
++ * URI-encode given @string TWICE and append the result to the @buf. This is
++ * to be used with inventory objects (like 'dcPath' and 'dsName') to work
++ * around a VMware bug in which once round of URI-encoding is not enough.
++ */
++void
++esxUtil_EscapeInventoryObject(virBuffer *buf, const char *string)
++{
++    g_autoptr(GString) escaped = g_string_new(NULL);
++
++    g_string_append_uri_escaped(escaped, string, NULL, false);
++    virBufferURIEncodeString(buf, escaped->str);
++}
+diff --git a/src/esx/esx_util.h b/src/esx/esx_util.h
+index 58bc44e744..29f01e0c15 100644
+--- a/src/esx/esx_util.h
++++ b/src/esx/esx_util.h
+@@ -22,6 +22,7 @@
+ #pragma once
+ 
+ #include "internal.h"
++#include "virbuffer.h"
+ #include "viruri.h"
+ 
+ #define ESX_VI_CHECK_ARG_LIST(val) \
+@@ -67,3 +68,5 @@ void esxUtil_ReplaceSpecialWindowsPathChars(char *string);
+ char *esxUtil_EscapeDatastoreItem(const char *string);
+ 
+ char *esxUtil_EscapeForXml(const char *string);
++
++void esxUtil_EscapeInventoryObject(virBuffer *buf, const char *string);
+-- 
+2.52.0

libvirt-qemu-correctly-detect-working-TDX-support.patch

@@ -0,0 +1,150 @@
+From 5cc8c50986179fc50f9f4686ad4ff5359383083c Mon Sep 17 00:00:00 2001
+Message-ID: <5cc8c50986179fc50f9f4686ad4ff5359383083c.1766070041.git.jdenemar@redhat.com>
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 20 Nov 2025 06:24:31 -0500
+Subject: [PATCH] qemu: correctly detect working TDX support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Querying existence of the 'tdx-guest' type merely tells us whether
+QEMU has been compiled with TDX support, not whether it is usable
+on the host. Thus QEMU was incorrectly reporting
+
+    <tdx supported='yes'/>
+    ...
+    <launchSecurity supported='yes'>
+      <enum name='sectype'>
+        <value>tdx</value>
+      </enum>
+    </launchSecurity>
+
+on every platform with new enough QEMU.
+
+Unfortunately an earlier patch for a 'query-tdx-capabilities' QMP
+command in QEMU was dropped, so there is no way to ask QEMU whether
+it can launch a TDX guest. Libvirt must directly query the KVM
+device and ask for supported VM types.
+
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 62d14ba496634d5a98f7becc3875b9311cb38931)
+https://issues.redhat.com/browse/RHEL-129673
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/qemu/qemu_capabilities.c | 51 ++++++++++++++++++++++++++++++++++++
+ src/qemu/qemu_capabilities.h |  3 +++
+ tests/domaincapsmock.c       |  6 +++++
+ 3 files changed, 60 insertions(+)
+
+diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
+index 1b9dcb51b8..9365891ddf 100644
+--- a/src/qemu/qemu_capabilities.c
++++ b/src/qemu/qemu_capabilities.c
+@@ -54,11 +54,17 @@
+ # include <sys/types.h>
+ # include <sys/sysctl.h>
+ #endif
++#ifdef WITH_LINUX_KVM_H
++# include <linux/kvm.h>
++# include <sys/ioctl.h>
++#endif
+ 
+ #define VIR_FROM_THIS VIR_FROM_QEMU
+ 
+ VIR_LOG_INIT("qemu.qemu_capabilities");
+ 
++#define KVM_DEVICE "/dev/kvm"
++
+ /* While not public, these strings must not change. They
+  * are used in domain status files which are read on
+  * daemon restarts
+@@ -3653,6 +3659,50 @@ virQEMUCapsProbeQMPSEVCapabilities(virQEMUCaps *qemuCaps,
+ }
+ 
+ 
++bool
++virQEMUCapsKVMSupportsVMTypeTDX(void)
++{
++#if defined(KVM_CAP_VM_TYPES) && defined(KVM_X86_TDX_VM)
++    VIR_AUTOCLOSE kvmfd = -1;
++    int types;
++
++    if (!virFileExists(KVM_DEVICE))
++        return false;
++
++    if ((kvmfd = open(KVM_DEVICE, O_RDONLY)) < 0) {
++        VIR_DEBUG("Unable to open %s, cannot check TDX", KVM_DEVICE);
++        return false;
++    }
++
++    if ((types = ioctl(kvmfd, KVM_CHECK_EXTENSION, KVM_CAP_VM_TYPES)) < 0)
++        types = 0;
++
++    VIR_DEBUG("KVM VM types: 0x%x", types);
++
++    return !!(types & (1 << KVM_X86_TDX_VM));
++#else
++    VIR_DEBUG("KVM not compiled");
++    return false;
++#endif
++}
++
++
++/* This ought to be virQEMUCapsProbeQMPTDXCapabilities,
++ * but there is no 'query-tdx-capabilities' command
++ * available in QEMU currently. If one arrives, rename
++ * this method & switch to using that on new enough QEMU
++ */
++static void
++virQEMUCapsProbeTDXCapabilities(virQEMUCaps *qemuCaps)
++{
++    if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_TDX_GUEST))
++        return;
++
++    if (!virQEMUCapsKVMSupportsVMTypeTDX())
++        virQEMUCapsClear(qemuCaps, QEMU_CAPS_TDX_GUEST);
++}
++
++
+ static int
+ virQEMUCapsProbeQMPSGXCapabilities(virQEMUCaps *qemuCaps,
+                                    qemuMonitor *mon)
+@@ -5792,6 +5842,7 @@ virQEMUCapsInitQMPMonitor(virQEMUCaps *qemuCaps,
+         return -1;
+     if (virQEMUCapsProbeQMPSGXCapabilities(qemuCaps, mon) < 0)
+         return -1;
++    virQEMUCapsProbeTDXCapabilities(qemuCaps);
+ 
+     virQEMUCapsInitProcessCaps(qemuCaps);
+ 
+diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
+index 2c78ea14f3..2d13b374c4 100644
+--- a/src/qemu/qemu_capabilities.h
++++ b/src/qemu/qemu_capabilities.h
+@@ -969,3 +969,6 @@ int
+ virQEMUCapsProbeQMPMachineTypes(virQEMUCaps *qemuCaps,
+                                 virDomainVirtType virtType,
+                                 qemuMonitor *mon);
++
++bool
++virQEMUCapsKVMSupportsVMTypeTDX(void) ATTRIBUTE_MOCKABLE;
+diff --git a/tests/domaincapsmock.c b/tests/domaincapsmock.c
+index cb6e98dbb8..7bece6c8c1 100644
+--- a/tests/domaincapsmock.c
++++ b/tests/domaincapsmock.c
+@@ -48,6 +48,12 @@ virHostCPUGetPhysAddrSize(const virArch hostArch,
+ }
+ 
+ #if WITH_QEMU
++bool
++virQEMUCapsKVMSupportsVMTypeTDX(void)
++{
++    return true;
++}
++
+ static bool (*real_virQEMUCapsGetKVMSupportsSecureGuest)(virQEMUCaps *qemuCaps);
+ 
+ bool
+-- 
+2.52.0

libvirt-qemu-tpm-Account-for-possible-migration-without-actually-sharing-storage.patch

@@ -0,0 +1,119 @@
+From 37eccd8775799d5914f21df0a62279df23478576 Mon Sep 17 00:00:00 2001
+Message-ID: <37eccd8775799d5914f21df0a62279df23478576.1765457625.git.jdenemar@redhat.com>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Mon, 1 Dec 2025 11:35:32 +0100
+Subject: [PATCH] qemu: tpm: Account for possible migration without actually
+ sharing storage
+
+The current logic in 'qemuTPMEmulatorBuildCommand' skips all setup if
+the *location* of the data is on what we'd consider shared storage.
+
+This means that if the location is not actually shared (e.g. it's shared
+betweeh some other hosts than the two doing the migration) and the path
+wasn't ever used (e.g. by migrating out) from the host where we're
+migrating into the complete setup of the location would be skipped even
+when it doesn't exist.
+
+Fix the logic by skipping only some of the setup steps so that
+'qemuTPMEmulatorCreateStorage' can still create the storage if it
+doesn't exist.
+
+The rest of the code then needs to take the 'created' flag returned from
+'qemuTPMEmulatorCreateStorage' into account.
+
+Fixes: 68103e9daf633b789428fedef56f816c92f6ee75
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit d56d0560946770d4364a4918cc289e6a7fe5d15c)
+https://issues.redhat.com/browse/RHEL-132920
+---
+ src/qemu/qemu_tpm.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
+index 2e5ec823b2..671eed002a 100644
+--- a/src/qemu/qemu_tpm.c
++++ b/src/qemu/qemu_tpm.c
+@@ -158,6 +158,7 @@ qemuTPMEmulatorGetPid(const char *swtpmStateDir,
+ /**
+  * qemuTPMEmulatorCreateStorage:
+  * @tpm: TPM definition for an emulator type
++ * @sharedStorageMigration: VM is being migrated with possibly shared storage
+  * @created: a pointer to a bool that will be set to true if the
+  *           storage was created because it did not exist yet
+  * @swtpm_user: The uid that needs to be able to access the directory
+@@ -169,6 +170,7 @@ qemuTPMEmulatorGetPid(const char *swtpmStateDir,
+  */
+ static int
+ qemuTPMEmulatorCreateStorage(virDomainTPMDef *tpm,
++                             bool sharedStorageMigration,
+                              bool *created,
+                              uid_t swtpm_user,
+                              gid_t swtpm_group)
+@@ -187,8 +189,17 @@ qemuTPMEmulatorCreateStorage(virDomainTPMDef *tpm,
+     *created = false;
+ 
+     if (!virFileExists(source_path) ||
+-        virDirIsEmpty(source_path, true) > 0)
++        virDirIsEmpty(source_path, true) > 0) {
+         *created = true;
++    } else {
++        /* If the location exists and is shared, we don't need to create it
++         * during migration */
++        if (sharedStorageMigration) {
++            VIR_DEBUG("Skipping TPM storage creation. Path '%s' already exists and is on shared storage.",
++                      source_path);
++            return 0;
++        }
++    }
+ 
+     if (virDirCreate(source_path, 0700, swtpm_user, swtpm_group,
+                      VIR_DIR_CREATE_ALLOW_EXIST) < 0) {
+@@ -809,16 +820,13 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
+         run_setup = true;
+     }
+ 
+-    /* Do not create storage and run swtpm_setup on incoming migration over
+-     * shared storage
+-     */
+     on_shared_storage = virFileIsSharedFS(tpm->data.emulator.source_path,
+                                           cfg->sharedFilesystems) == 1;
+-    if (incomingMigration && on_shared_storage)
+-        create_storage = false;
+ 
+     if (create_storage) {
+-        if (qemuTPMEmulatorCreateStorage(tpm, &created,
++        if (qemuTPMEmulatorCreateStorage(tpm,
++                                         incomingMigration && on_shared_storage,
++                                         &created,
+                                          cfg->swtpm_user, cfg->swtpm_group) < 0)
+             return NULL;
+         run_setup = created;
+@@ -885,6 +893,9 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
+     /* If swtpm supports it and the TPM state is stored on shared storage,
+      * start swtpm with --migration release-lock-outgoing so it can migrate
+      * across shared storage if needed.
++     *
++     * Note that if 'created' is true, the location didn't exist so the storage
++     * is not actually shared.
+      */
+     QEMU_DOMAIN_TPM_PRIVATE(tpm)->swtpm.can_migrate_shared_storage = false;
+     if (on_shared_storage &&
+@@ -892,13 +903,13 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
+ 
+         virCommandAddArg(cmd, "--migration");
+         virCommandAddArgFormat(cmd, "release-lock-outgoing%s",
+-                               incomingMigration ? ",incoming": "");
++                               incomingMigration && !created ? ",incoming": "");
+         QEMU_DOMAIN_TPM_PRIVATE(tpm)->swtpm.can_migrate_shared_storage = true;
+     } else {
+         /* Report an error if there's an incoming migration across shared
+          * storage and swtpm does not support the --migration option.
+          */
+-        if (incomingMigration && on_shared_storage) {
++        if (incomingMigration && on_shared_storage && !created) {
+             virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,
+                            _("%1$s (on destination side) does not support the --migration option needed for migration with shared storage"),
+                            swtpm);
+-- 
+2.52.0

libvirt.spec

@@ -289,7 +289,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 11.5.0
-Release: 4.2%{?dist}%{?extra_release}
+Release: 4.5.0.1%{?dist}%{?extra_release}
 License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1
 URL: https://libvirt.org/
 
@@ -345,6 +345,11 @@ Patch45: libvirt-qemu_domain-Fix-qemuDomainFixupCPUs.patch
 Patch46: libvirt-qemu_process-Always-fix-CPUs-on-reconnect.patch
 Patch47: libvirt-qemu_monitor-Filter-CPU-features-reported-by-QEMU.patch
 Patch48: libvirt-qemu-Ignore-ht-CPU-feature.patch
+Patch49: libvirt-qemu-tpm-Account-for-possible-migration-without-actually-sharing-storage.patch
+Patch50: libvirt-qemu-correctly-detect-working-TDX-support.patch
+Patch51: libvirt-esx-Allow-disk-images-in-subdirectories.patch
+Patch52: libvirt-esx_util-Introduce-esxUtil_EscapeInventoryObject.patch
+Patch53: libvirt-esx-URI-encode-inventory-objects-twice.patch
 
 
 Requires: libvirt-daemon = %{version}-%{release}
@@ -1394,7 +1399,8 @@ exit 1
 %define arg_packager_version -Dpackager_version="%{release}"
 %define arg_selinux_mount -Dselinux_mount="/sys/fs/selinux"
 
-# place macros above and build commands below this comment
+# Set SOURCE_DATE_EPOCH from changelog
+%define source_date_epoch_from_changelog 1
 
 export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
 
@@ -2740,6 +2746,20 @@ exit 0
 %endif
 
 %changelog
+* Wed Feb 04 2026 EL Errata <el-errata_ww@oracle.com> - 11.5.0-4.5.0.1
+- Set SOURCE_DATE_EPOCH from changelog [Orabug: 32019554]
+
+* Tue Jan 13 2026 Jiri Denemark <jdenemar@redhat.com> - 11.5.0-4.5.el10_1
+- esx: Allow disk images in subdirectories (RHEL-140865)
+- esx_util: Introduce esxUtil_EscapeInventoryObject() (RHEL-140465)
+- esx: URI encode inventory objects twice (RHEL-140465)
+
+* Thu Dec 18 2025 Jiri Denemark <jdenemar@redhat.com> - 11.5.0-4.4.el10_1
+- qemu: correctly detect working TDX support (RHEL-129673)
+
+* Thu Dec 11 2025 Jiri Denemark <jdenemar@redhat.com> - 11.5.0-4.3.el10_1
+- qemu: tpm: Account for possible migration without actually sharing storage (RHEL-132920)
+
 * Fri Nov 21 2025 Jiri Denemark <jdenemar@redhat.com> - 11.5.0-4.2.el10_1
 - cpu_conf: Make virCPUDefFilterFeatures return void (RHEL-126094)
 - qemu_domain: Simplify qemuDomainFixupCPUs (RHEL-126094)