Remove downstream tboot-disa-ibt.patch workaround.

Bump nvr to tboot-1.11.10-2.el10.x86_64.rpm

Previous builds appended "ibt=off" to GRUB_CMDLINE_LINUX_TBOOT to avoid
shutdown crashes on CET-enabled systems. With RHEL-10 kernels enabling
CET/IBT, the tboot > firmware shutdown path triggered #CP faults because
firmware shutdown_entry code lacks ENDBR instructions and is not CET-safe.
The global disable was a temporary mitigation.

Upstream discussion continues to debate a final fix, but the solution
posted in https://sourceforge.net/p/tboot/mailman/message/59247821/
surgically disables CET only around the tboot shutdown_entry call,
preventing the crash without disabling IBT system-wide. The current
discussion centers on whether the fix belongs in the kernel or in the
tboot codebase.

RHEL commit 358ed91e4c8a2eb2ab0df50d0e6b71b01dc7e1ed incorporates the
kernel side fix in kernel kernel-6.12.0-205.el10, so the current
"ibt=off" workaround should be removed.

Also update gating.yaml to remove infeasible automated test requirement.
tboot requires physical TPM hardware and manual GRUB interaction,
making automated functional testing impractical.

Resolves: RHEL-149438
JIRA: https://issues.redhat.com/browse/RHEL-149438

Signed-off-by: Tony Camuso <tcamuso@redhat.com>

gating.yaml

@@ -1,6 +1,7 @@
 --- !Policy
+# tboot requires physical TPM hardware and manual boot interaction
+# Automated functional testing is not feasible for this package
 product_versions:
   - rhel-10
 decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+rules: []

tboot-disa-ibt.patch

@@ -1,12 +0,0 @@
-diff -r 5220085b54dd tboot/20_linux_tboot
---- a/tboot/20_linux_tboot	Thu Apr 17 08:33:41 2025 -0400
-+++ b/tboot/20_linux_tboot	Thu Aug 21 09:23:08 2025 -0400
-@@ -44,7 +44,7 @@
- # Command line for tboot itself
- : ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
- # Linux kernel parameters to append for tboot
--: ${GRUB_CMDLINE_LINUX_TBOOT='intel_iommu=on'}
-+: ${GRUB_CMDLINE_LINUX_TBOOT='intel_iommu=on ibt=off'}
- # Base name of LCP policy data file for list policy
- : ${GRUB_TBOOT_POLICY_DATA=''}
- # List of SINIT modules to use, glob patterns are supported

tboot.spec

@@ -1,7 +1,7 @@
 Summary:       Performs a verified launch using Intel TXT
 Name:          tboot
 Version:       1.11.10
-Release:       1%{?dist}
+Release:       2%{?dist}
 Epoch:         1
 
 License:       BSD-3-Clause
@@ -9,7 +9,6 @@ URL:           http://sourceforge.net/projects/tboot/
 Source0:       http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 Patch0: tboot-gcc14.patch
 Patch1: tboot-no-engine.patch
-Patch2: tboot-disa-ibt.patch
 
 BuildRequires: make
 BuildRequires: gcc
@@ -99,6 +98,24 @@ grub2-mkconfig -o /etc/grub2.cfg
 /boot/tboot-syms
 
 %changelog
+* Fri Feb 13 2026 Tony Camuso <tcamuso@redhat.com> - 1:1.11.10-2
+- Remove downstream tboot-disa-ibt.patch workaround .(RHEL-149438)
+  Previous builds appended "ibt=off" to GRUB_CMDLINE_LINUX_TBOOT to avoid
+  shutdown crashes on CET-enabled systems. With RHEL-10 kernels enabling
+  CET/IBT, the tboot > firmware shutdown path triggered #CP faults because
+  firmware shutdown_entry code lacks ENDBR instructions and is not CET-safe.
+  The global disable was a temporary mitigation.
+  Upstream discussion continues to debate a final fix, but the solution
+  posted in https://sourceforge.net/p/tboot/mailman/message/59247821/
+  surgically disables CET only around the tboot shutdown_entry call,
+  preventing the crash without disabling IBT system-wide.
+  RHEL commit 358ed91e4c8a2eb2ab0df50d0e6b71b01dc7e1ed incorporates this fix
+  in kernel kernel-6.12.0-205.el10, so the downstream workaround is no longer
+  required.
+  Update gating.yaml: remove infeasible automated test requirement
+  (tboot requires physical TPM and manual GRUB interaction)
+  Resolves: RHEL-149438
+
 * Tue Sep 16 2025 Tony Camuso <tcamuso@redhat.com> - 1:1.11.10-1
 - Update to latest upstream
   Add tboot-disa-ibt.patch (see https://issues.redhat.com/browse/RHEL-109479)