diff --git a/gating.yaml b/gating.yaml
index 3442642..2e18cc3 100644
--- a/gating.yaml
+++ b/gating.yaml
@@ -1,6 +1,7 @@
 --- !Policy
+# tboot requires physical TPM hardware and manual boot interaction
+# Automated functional testing is not feasible for this package
 product_versions:
 - rhel-10
 decision_context: osci_compose_gate
-rules:
- - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+rules: []
diff --git a/tboot-disa-ibt.patch b/tboot-disa-ibt.patch
deleted file mode 100644
index 7fe6689..0000000
--- a/tboot-disa-ibt.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -r 5220085b54dd tboot/20_linux_tboot
---- a/tboot/20_linux_tboot Thu Apr 17 08:33:41 2025 -0400
-+++ b/tboot/20_linux_tboot Thu Aug 21 09:23:08 2025 -0400
-@@ -44,7 +44,7 @@
- # Command line for tboot itself
- : ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
- # Linux kernel parameters to append for tboot
--: ${GRUB_CMDLINE_LINUX_TBOOT='intel_iommu=on'}
-+: ${GRUB_CMDLINE_LINUX_TBOOT='intel_iommu=on ibt=off'}
- # Base name of LCP policy data file for list policy
- : ${GRUB_TBOOT_POLICY_DATA=''}
- # List of SINIT modules to use, glob patterns are supported
diff --git a/tboot.spec b/tboot.spec
index 333843d..2791e4f 100644
--- a/tboot.spec
+++ b/tboot.spec
@@ -1,7 +1,7 @@
 Summary: Performs a verified launch using Intel TXT
 Name: tboot
 Version: 1.11.10
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 1
 License: BSD-3-Clause
@@ -9,7 +9,6 @@ URL: http://sourceforge.net/projects/tboot/
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 Patch0: tboot-gcc14.patch
 Patch1: tboot-no-engine.patch
-Patch2: tboot-disa-ibt.patch
 BuildRequires: make
 BuildRequires: gcc
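Review bot: In the gating.yaml hunk, `rules: []` leaves the `osci_compose_gate` decision with nothing to satisfy, so every rhel-10 build of this measured-launch component passes the gate unconditionally. The two added comment lines say why the functional test was dropped, but not what verification replaces it. That matters here because the same commit removes the `ibt=off` workaround and, per its changelog, depends on a particular kernel build carrying the CET fix. The visible tboot.spec hunks add no versioned dependency on that kernel, so nothing automated would notice a mismatch. I would extend the comment to name the compensating control, for example `# Manual verification on TXT/TPM hardware is required before release; see RHEL-149438`, and keep any gate that needs no hardware (installability or static checks) if one is available for this package.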
@@ -99,6 +98,24 @@ grub2-mkconfig -o /etc/grub2.cfg
 /boot/tboot-syms
 %changelog
+* Fri Feb 13 2026 Tony Camuso - 1:1.11.10-2
+- Remove downstream tboot-disa-ibt.patch workaround .(RHEL-149438)
+ Previous builds appended "ibt=off" to GRUB_CMDLINE_LINUX_TBOOT to avoid
+ shutdown crashes on CET-enabled systems. With RHEL-10 kernels enabling
+ CET/IBT, the tboot > firmware shutdown path triggered #CP faults because
+ firmware shutdown_entry code lacks ENDBR instructions and is not CET-safe.
+ The global disable was a temporary mitigation.
+ Upstream discussion continues to debate a final fix, but the solution
+ posted in https://sourceforge.net/p/tboot/mailman/message/59247821/
+ surgically disables CET only around the tboot shutdown_entry call,
+ preventing the crash without disabling IBT system-wide.
+ RHEL commit 358ed91e4c8a2eb2ab0df50d0e6b71b01dc7e1ed incorporates this fix
+ in kernel kernel-6.12.0-205.el10, so the downstream workaround is no longer
+ required.
+ Update gating.yaml: remove infeasible automated test requirement
+ (tboot requires physical TPM and manual GRUB interaction)
+ Resolves: RHEL-149438
+
 * Tue Sep 16 2025 Tony Camuso - 1:1.11.10-1
 - Update to latest upstream
 Add tboot-disa-ibt.patch (see https://issues.redhat.com/browse/RHEL-109479)