Performs a verified launch using Intel TXT
Bump nvr to tboot-1.11.10-2.el10.x86_64.rpm

Previous builds appended "ibt=off" to GRUB_CMDLINE_LINUX_TBOOT to avoid shutdown crashes on CET-enabled systems. With RHEL-10 kernels enabling CET/IBT, the tboot > firmware shutdown path triggered #CP faults because firmware shutdown_entry code lacks ENDBR instructions and is not CET-safe. The global disable was a temporary mitigation.

Upstream discussion continues to debate a final fix, but the solution posted in https://sourceforge.net/p/tboot/mailman/message/59247821/ surgically disables CET only around the tboot shutdown_entry call, preventing the crash without disabling IBT system-wide. The current discussion centers on whether the fix belongs in the kernel or in the tboot codebase. RHEL commit 358ed91e4c8a2eb2ab0df50d0e6b71b01dc7e1ed incorporates the kernel side fix in kernel kernel-6.12.0-205.el10, so the current "ibt=off" workaround should be removed.

Also update gating.yaml to remove infeasible automated test requirement. tboot requires physical TPM hardware and manual GRUB interaction, making automated functional testing impractical.

Resolves: RHEL-149438
JIRA: https://issues.redhat.com/browse/RHEL-149438
Signed-off-by: Tony Camuso <tcamuso@redhat.com>
Files changed:

- .gitignore
- gating.yaml
- sources
- tboot-gcc14.patch
- tboot-no-engine.patch
- tboot.spec
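The commit message above removes the "ibt=off" workaround because kernel-6.12.0-205.el10 carries the CET-safe shutdown fix. As an added example (not code from this commit or from the tboot package), the following check classifies a host by comparing its running kernel release against that build and inspecting GRUB_CMDLINE_LINUX_TBOOT, so an administrator can spot a stale workaround (IBT needlessly disabled) or an at-risk host (old kernel, no workaround). It assumes the RHEL 10 kernel release format `MAJ.MIN.PATCH-BUILD.el10[.arch]`; the sample grub text is constructed.

```python
import re
from typing import Optional, Tuple

# Kernel build that carries the CET-safe tboot shutdown path (from the commit message).
FIXED_KERNEL = "6.12.0-205.el10"
WORKAROUND = "ibt=off"


def parse_el_kernel(release: str) -> Optional[Tuple[int, ...]]:
    """Parse '6.12.0-205.el10[.x86_64]' into (6, 12, 0, 205); None if the format is unknown.
    Assumption: RHEL 10 kernel NVR layout MAJ.MIN.PATCH-BUILD.el10."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)-(\d+)\.el10(?:\.\S+)?$", release)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def kernel_has_fix(release: str) -> bool:
    """True when the running kernel is at or beyond the build with the CET fix."""
    parsed = parse_el_kernel(release)
    if parsed is None:
        return False  # unrecognised release: conservatively assume the fix is absent
    return parsed >= parse_el_kernel(FIXED_KERNEL)


def tboot_cmdline(grub_default_text: str) -> str:
    """Return the value of GRUB_CMDLINE_LINUX_TBOOT from /etc/default/grub text (quotes stripped)."""
    for line in grub_default_text.splitlines():
        m = re.match(r'^\s*GRUB_CMDLINE_LINUX_TBOOT\s*=\s*"?(.*?)"?\s*$', line)
        if m:
            return m.group(1)
    return ""


def classify(release: str, grub_default_text: str) -> str:
    """Combine kernel state and tboot command line into one of four verdicts."""
    has_fix = kernel_has_fix(release)
    has_workaround = WORKAROUND in tboot_cmdline(grub_default_text).split()
    if has_workaround and has_fix:
        return "stale-workaround"      # IBT disabled for tboot boots with no remaining need
    if has_workaround:
        return "workaround-required"   # older kernel: keep ibt=off until the kernel is updated
    if not has_fix:
        return "at-risk"               # older kernel and no ibt=off: shutdown may #CP-fault
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a host already on the fixed kernel but still carrying ibt=off.
    sample_grub = 'GRUB_CMDLINE_LINUX_TBOOT="logging=serial,memory ibt=off"\n'
    print(classify("6.12.0-205.el10.x86_64", sample_grub))  # stale-workaround
```

On a live host, feed `classify()` the output of `uname -r` and the contents of /etc/default/grub.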