From 4d0d54745fc54a1c412afab6043aff50ae370ab7 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 29 2020 17:14:59 +0000 Subject: import kernel-rt-4.18.0-193.14.3.rt13.67.el8_2 --- diff --git a/.gitignore b/.gitignore index bd6f9f3..f4b665f 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/linux-4.18.0-193.13.2.rt13.65.el8_2.tar.xz +SOURCES/linux-4.18.0-193.14.3.rt13.67.el8_2.tar.xz diff --git a/.kernel-rt.metadata b/.kernel-rt.metadata index 36edd90..fb11ad8 100644 --- a/.kernel-rt.metadata +++ b/.kernel-rt.metadata @@ -1 +1 @@ -6995bb4ccc97f3fd43d4b5b68f8787d222174687 SOURCES/linux-4.18.0-193.13.2.rt13.65.el8_2.tar.xz +7d175a53e97e1a2449eec92560e29eeeca45489a SOURCES/linux-4.18.0-193.14.3.rt13.67.el8_2.tar.xz diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer new file mode 100644 index 0000000..20e6604 Binary files /dev/null and b/SOURCES/redhatsecureboot301.cer differ diff --git a/SOURCES/redhatsecureboot501.cer b/SOURCES/redhatsecureboot501.cer new file mode 100644 index 0000000..dfa7afb Binary files /dev/null and b/SOURCES/redhatsecureboot501.cer differ diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer new file mode 100644 index 0000000..b235400 Binary files /dev/null and b/SOURCES/redhatsecurebootca3.cer differ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer new file mode 100644 index 0000000..dfb0284 Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ diff --git a/SOURCES/secureboot.cer b/SOURCES/secureboot.cer deleted file mode 100644 index 20e6604..0000000 Binary files a/SOURCES/secureboot.cer and /dev/null differ diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer deleted file mode 100644 index b235400..0000000 Binary files a/SOURCES/securebootca.cer and /dev/null differ diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 44ab1df..8a75d76 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -42,10 +42,10 @@ # define buildid .local %define rpmversion 4.18.0 -%define pkgrelease 193.13.2.rt13.65.el8_2 +%define pkgrelease 193.14.3.rt13.67.el8_2 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 193.13.2.rt13.65%{?dist} +%define specrelease 193.14.3.rt13.67%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -149,7 +149,7 @@ # The preempt RT patch level %global rttag .rt13 # realtimeN -%global rtbuild .65 +%global rtbuild .67 %define with_doc 0 %define with_headers 0 %define with_cross_headers 0 @@ -409,7 +409,7 @@ BuildRequires: asciidoc Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz -Source11: x509.genkey +Source9: x509.genkey # Name of the packaged file containing signing key %ifarch ppc64le @@ -421,34 +421,44 @@ Source11: x509.genkey %if %{?released_kernel} -Source12: securebootca.cer -Source13: secureboot.cer +Source10: redhatsecurebootca5.cer +Source11: redhatsecurebootca3.cer +Source12: redhatsecureboot501.cer +Source13: redhatsecureboot301.cer Source14: secureboot_s390.cer Source15: secureboot_ppc.cer -%define secureboot_ca %{SOURCE12} +%define secureboot_ca_0 %{SOURCE11} +%define secureboot_ca_1 %{SOURCE10} %ifarch x86_64 aarch64 -%define secureboot_key %{SOURCE13} -%define pesign_name redhatsecureboot301 +%define secureboot_key_0 %{SOURCE13} +%define pesign_name_0 redhatsecureboot301 +%define secureboot_key_1 %{SOURCE12} +%define pesign_name_1 redhatsecureboot501 %endif %ifarch s390x -%define secureboot_key %{SOURCE14} -%define pesign_name redhatsecureboot302 +%define secureboot_key_0 %{SOURCE14} +%define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_key %{SOURCE15} -%define pesign_name redhatsecureboot303 +%define secureboot_key_0 %{SOURCE15} +%define pesign_name_0 redhatsecureboot303 %endif # released_kernel %else +Source11: redhatsecurebootca4.cer Source12: redhatsecurebootca2.cer -Source13: redhatsecureboot003.cer +Source13: redhatsecureboot401.cer +Source14: redhatsecureboot003.cer -%define secureboot_ca %{SOURCE12} -%define secureboot_key %{SOURCE13} -%define pesign_name redhatsecureboot003 +%define secureboot_ca_0 %{SOURCE11} +%define secureboot_ca_1 %{SOURCE12} +%define secureboot_key_0 %{SOURCE13} +%define pesign_name_0 redhatsecureboot401 +%define secureboot_key_1 %{SOURCE14} +%define pesign_name_1 redhatsecureboot003 # released_kernel %endif @@ -1179,7 +1189,7 @@ BuildKernel() { cp configs/$Config .config %if %{signkernel}%{signmodules} - cp %{SOURCE11} certs/. + cp %{SOURCE9} certs/. %endif Arch=`head -1 .config | cut -b 3-` @@ -1245,11 +1255,13 @@ BuildKernel() { fi %ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name} + %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} + %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} + rm vmlinuz.tmp %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then - rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed + rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed elif [ $DoModules -eq 1 ]; then chmod +x scripts/sign-file ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed @@ -1645,11 +1657,17 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %ifarch x86_64 aarch64 + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer + install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer + ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %else + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %endif %ifarch s390x ppc64le if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then - install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} else install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} @@ -2404,12 +2422,7 @@ fi /lib/modules/%{KVERREL}%{?3:+%{3}}/updates\ /lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\ /lib/modules/%{KVERREL}%{?3:+%{3}}/bls.conf\ -%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\ -%ifarch s390x ppc64le\ -%if 0%{!?4:1}\ -%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \ -%endif\ -%endif\ +%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}\ %if %{1}\ /lib/modules/%{KVERREL}%{?3:+%{3}}/vdso\ /etc/ld.so.conf.d/%{name}-%{KVERREL}%{?3:+%{3}}.conf\ @@ -2465,6 +2478,31 @@ fi # # %changelog +* Sun Jul 19 2020 Luis Claudio R. Goncalves [4.18.0-193.14.3.rt13.67.el8_2] +- Reverse keys order for dual-signing (Frantisek Hrbata) [1837433 1837434] {CVE-2020-10713} + +* Sun Jul 19 2020 Luis Claudio R. Goncalves [4.18.0-193.14.2.rt13.66.el8_2] +- [kernel] Move to dual-signing to split signing keys up better (pjones) [1837433 1837434] {CVE-2020-10713} +- [crypto] pefile: Tolerate other pefile signatures after first (Lenny Szubowicz) [1837433 1837434] {CVE-2020-10713} +- [acpi] ACPI: configfs: Disallow loading ACPI tables when locked down (Lenny Szubowicz) [1852968 1852969] {CVE-2020-15780} +- [firmware] efi: Restrict efivar_ssdt_load when the kernel is locked down (Lenny Szubowicz) [1852948 1852949] {CVE-2019-20908} + +* Mon Jul 13 2020 Luis Claudio R. Goncalves [4.18.0-193.14.1.rt13.65.el8_2] +- [md] dm mpath: add DM device name to Failing/Reinstating path log messages (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: enhance queue_if_no_path debugging (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: restrict queue_if_no_path state machine (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: simplify __must_push_back (Mike Snitzer) [1852050 1822975] +- [md] dm: use DMDEBUG macros now that they use pr_debug variants (Mike Snitzer) [1852050 1822975] +- [include] dm: use dynamic debug instead of compile-time config option (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: switch paths in dm_blk_ioctl() code path (Mike Snitzer) [1852050 1822975] +- [md] dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath (Mike Snitzer) [1852050 1822975] +- [md] dm: bump version of core and various targets (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: Add timeout mechanism for queue_if_no_path (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: use true_false for bool variable (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: remove harmful bio-based optimization (Mike Snitzer) [1852050 1822975] +- [scsi] scsi: libiscsi: fall back to sendmsg for slab pages (Maurizio Lombardi) [1852048 1825775] +- [s390] s390/mm: fix panic in gup_fast on large pud (Philipp Rudo) [1853336 1816980] + * Tue Jul 07 2020 Luis Claudio R. Goncalves [4.18.0-193.13.1.rt13.64.el8_2] - [x86] x86/efi: Allocate e820 buffer before calling efi_exit_boot_service (Lenny Szubowicz) [1846180 1824005]