From 683e9a8eabc6d85860bfe07a034404a6b92c5edd Mon Sep 17 00:00:00 2001 From: Akemi Yagi Date: Jul 30 2020 08:01:50 +0000 Subject: c7 plus kernel: update to 3.10.0-1127.18.2.el7 Signed-off-by: Akemi Yagi --- diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt index c67b0f3..294b05f 100644 --- a/SOURCES/centossecureboot001.crt +++ b/SOURCES/centossecureboot001.crt @@ -1,4 +1,226 @@ -Certificate: + + + + + + Tree - rpms/kernel - CentOS Git server + + + + + + + + + + + + + + + + +
+ + +
+
+
+
+
+
+

+

+
+
+

+rpms / kernel +

+
+
+
+
+
+
+ + + Clone + + + +
+
+
+
+ + +
+
+ +
+
+ +
+ +
+
+ +
+ +
+
+
+ + +
+ + Blob + + Blame + + Raw +
+ +
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
@@ -79,3 +301,125 @@ IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv
 +zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD
 bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ==
 -----END CERTIFICATE-----
+
+
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/SOURCES/centossecureboot201.crt b/SOURCES/centossecureboot201.crt new file mode 100644 index 0000000..f9d9675 --- /dev/null +++ b/SOURCES/centossecureboot201.crt @@ -0,0 +1,84 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 93:c2:04:d8:bd:77:6b:11 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=CentOS Secure Boot CA 2/emailAddress=security@centos.org + Validity + Not Before: Jun 9 10:04:20 2020 GMT + Not After : Jan 18 10:04:20 2038 GMT + Subject: CN=CentOS Secure Boot Signing 201/emailAddress=security@centos.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9e:ef:fe:76:1c:9f:9b:3e:f2:e4:c5:29:bd:19: + 32:01:59:f3:e6:99:fa:eb:b5:f8:94:0c:95:3a:65: + 5e:b1:72:d0:50:3e:70:64:8a:1a:d1:f6:4d:af:6d: + 57:ee:40:71:40:09:dd:30:0c:81:a1:8b:26:63:12: + 07:bf:e1:d1:45:9f:9b:09:a6:57:98:9e:ef:97:e9: + bd:68:38:ea:aa:63:92:2e:0d:2f:8e:fb:be:88:40: + 9b:59:e3:bc:b7:6f:e3:bb:6b:1e:6e:9e:ee:57:b8: + 28:c6:d5:d6:bf:47:a6:e9:38:a9:8f:08:73:98:49: + a8:58:d2:62:73:f1:1e:44:d4:88:3d:f9:aa:43:e2: + 72:2e:d7:43:3e:1d:b6:65:f6:d1:2e:ef:31:cb:9f: + 5e:e3:d4:ea:3c:23:9a:07:af:f9:4a:ee:43:9a:75: + 06:ed:9a:54:2c:ed:5b:ca:85:a5:10:16:cd:30:64: + ea:d5:27:7e:23:f6:fc:ec:69:a9:43:2f:78:73:6b: + 33:78:8b:f8:54:db:3f:ce:95:a4:5a:04:9a:15:49: + 98:cd:34:7c:c7:8c:a9:8a:32:82:ae:c0:d6:34:93: + e7:d2:54:82:45:ee:eb:54:9a:96:d4:da:4b:24:f8: + 09:56:d8:cd:7f:ec:7b:f3:bd:db:9b:8c:b6:18:87: + fa:07 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature + X509v3 Extended Key Usage: critical + Code Signing + X509v3 Subject Key Identifier: + 5D:4B:64:F2:FA:63:1E:5E:5F:DB:AA:DC:14:67:C6:6C:99:21:7A:22 + X509v3 Authority Key Identifier: + keyid:70:00:7F:99:20:9C:12:6B:E1:47:74:EA:EC:7B:6D:96:31:F3:4D:CA + + Signature Algorithm: sha256WithRSAEncryption + 39:4b:b5:cc:37:3f:cd:db:84:0f:63:7c:c4:e4:53:fb:5e:fd: + db:12:19:23:6f:0a:50:14:fd:4f:7c:f9:87:3d:f9:6d:5b:af: + 07:a5:94:34:1b:84:07:f4:f1:a0:de:cc:73:87:99:31:c3:93: + 66:c0:bc:f2:0f:b2:69:65:8e:da:b9:1a:8e:ae:38:56:f3:7c: + 5a:8d:29:0d:3d:ad:84:e7:86:31:a2:8e:2a:a8:f8:f8:f7:87: + 32:65:5d:81:47:53:b8:40:c5:1b:a7:46:1f:b0:60:a7:b4:97: + 89:51:26:3c:de:46:b9:14:d5:a0:7d:99:cc:a7:7e:ed:89:18: + 02:ce:e6:07:45:49:e2:04:7d:5b:03:65:ec:e6:c3:86:0d:82: + 31:24:45:51:ec:15:ad:31:83:a8:1c:6e:52:4d:b8:0f:5d:0b: + e4:7b:51:49:39:46:8a:0b:fd:0c:46:af:b4:19:65:0f:12:f1: + fc:ee:fd:6b:4f:df:9a:73:7c:e0:c8:3d:c3:d5:b5:ab:4a:86: + 36:97:e8:89:fb:af:f4:f1:c2:05:5d:17:fb:b6:df:a5:0e:45: + 89:db:89:99:93:ce:f0:4e:e9:9c:f4:4a:03:b0:6e:be:a2:69: + ab:b1:f3:3b:ed:c7:97:f4:0e:0a:53:27:5a:7e:70:9a:35:ea: + 7a:76:d1:bc +-----BEGIN CERTIFICATE----- +MIIDjjCCAnagAwIBAgIJAJPCBNi9d2sRMA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV +BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1 +cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTEwMDQyMFoXDTM4MDExODEwMDQyMFow +TTEnMCUGA1UEAwweQ2VudE9TIFNlY3VyZSBCb290IFNpZ25pbmcgMjAxMSIwIAYJ +KoZIhvcNAQkBFhNzZWN1cml0eUBjZW50b3Mub3JnMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAnu/+dhyfmz7y5MUpvRkyAVnz5pn667X4lAyVOmVesXLQ +UD5wZIoa0fZNr21X7kBxQAndMAyBoYsmYxIHv+HRRZ+bCaZXmJ7vl+m9aDjqqmOS +Lg0vjvu+iECbWeO8t2/ju2sebp7uV7goxtXWv0em6TipjwhzmEmoWNJic/EeRNSI +PfmqQ+JyLtdDPh22ZfbRLu8xy59e49TqPCOaB6/5Su5DmnUG7ZpULO1byoWlEBbN +MGTq1Sd+I/b87GmpQy94c2szeIv4VNs/zpWkWgSaFUmYzTR8x4ypijKCrsDWNJPn +0lSCRe7rVJqW1NpLJPgJVtjNf+x7873bm4y2GIf6BwIDAQABo3gwdjAMBgNVHRMB +Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzAd +BgNVHQ4EFgQUXUtk8vpjHl5f26rcFGfGbJkheiIwHwYDVR0jBBgwFoAUcAB/mSCc +EmvhR3Tq7HttljHzTcowDQYJKoZIhvcNAQELBQADggEBADlLtcw3P83bhA9jfMTk +U/te/dsSGSNvClAU/U98+Yc9+W1brwellDQbhAf08aDezHOHmTHDk2bAvPIPsmll +jtq5Go6uOFbzfFqNKQ09rYTnhjGijiqo+Pj3hzJlXYFHU7hAxRunRh+wYKe0l4lR +JjzeRrkU1aB9mcynfu2JGALO5gdFSeIEfVsDZezmw4YNgjEkRVHsFa0xg6gcblJN +uA9dC+R7UUk5RooL/QxGr7QZZQ8S8fzu/WtP35pzfODIPcPVtatKhjaX6In7r/Tx +wgVdF/u236UORYnbiZmTzvBO6Zz0SgOwbr6iaaux8zvtx5f0DgpTJ1p+cJo16np2 +0bw= +-----END CERTIFICATE----- diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der new file mode 100644 index 0000000..42bdfcf Binary files /dev/null and b/SOURCES/centossecurebootca2.der differ diff --git a/SPECS/kernel-plus.spec b/SPECS/kernel-plus.spec index 5cd962d..c25f272 100644 --- a/SPECS/kernel-plus.spec +++ b/SPECS/kernel-plus.spec @@ -14,10 +14,10 @@ Summary: The Linux kernel %global distro_build 1127 %define rpmversion 3.10.0 -%define pkgrelease 1127.13.1.el7 +%define pkgrelease 1127.18.2.el7 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 1127.13.1%{?dist} +%define specrelease 1127.18.2%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -285,7 +285,8 @@ Summary: The Linux kernel # problems with the newer kernel or lack certain things that make # integration in the distro harder than needed. # -%define package_conflicts initscripts < 7.23, udev < 063-6, iptables < 1.3.2-1, ipw2200-firmware < 2.4, iwl4965-firmware < 228.57.2, selinux-policy-targeted < 3.13.1-201, squashfs-tools < 4.0, wireless-tools < 29-3, xfsprogs < 4.3.0, kmod < 20-9, kexec-tools < 2.0.14-3, shim-x64 < 12-2 + +%define package_conflicts initscripts < 7.23, udev < 063-6, iptables < 1.3.2-1, ipw2200-firmware < 2.4, iwl4965-firmware < 228.57.2, selinux-policy-targeted < 3.13.1-201, squashfs-tools < 4.0, wireless-tools < 29-3, xfsprogs < 4.3.0, kmod < 20-9, kexec-tools < 2.0.14-3 # We moved the drm include files into kernel-headers, make sure there's # a recent enough libdrm-devel on the system that doesn't have those. @@ -411,16 +412,22 @@ Source12: extra_certificates %if %{?released_kernel} Source13: centos-ca-secureboot.der Source14: centossecureboot001.crt -%define pesign_name centossecureboot001 +Source15: centossecurebootca2.der +Source16: centossecureboot201.crt +%define pesign_name_0 centossecureboot001 +%define pesign_name_1 centossecureboot201 %else Source13: centos-ca-secureboot.der Source14: centossecureboot001.crt -%define pesign_name centossecureboot001 +Source15: centossecurebootca2.der +Source16: centossecureboot201.crt +%define pesign_name_0 centossecureboot001 +%define pesign_name_1 centossecureboot201 %endif -Source15: centos-ldup.x509 -Source16: centos-kpatch.x509 +Source17: centos-ldup.x509 +Source18: centos-kpatch.x509 -Source18: check-kabi +Source19: check-kabi Source20: Module.kabi_x86_64 #Source21: Module.kabi_ppc64 @@ -1171,8 +1178,8 @@ BuildKernel() { cp %{SOURCE11} . # x509.genkey cp %{SOURCE12} . # extra_certificates - cp %{SOURCE15} . # rheldup3.x509 - cp %{SOURCE16} . # rhelkpatch1.x509 + cp %{SOURCE17} . # rheldup3.x509 + cp %{SOURCE18} . # rhelkpatch1.x509 cp configs/$Config .config @@ -1212,7 +1219,9 @@ BuildKernel() { fi # EFI SecureBoot signing, x86_64-only %ifarch x86_64 - %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE14} -n %{pesign_name} + %pesign -s -i $KernelImage -o $KernelImage.tmp -a %{SOURCE13} -c %{SOURCE14} -n %{pesign_name_0} + %pesign -s -i $KernelImage.tmp -o $KernelImage.signed -a %{SOURCE15} -c %{SOURCE16} -n %{pesign_name_1} + rm $KernelImage.tmp mv $KernelImage.signed $KernelImage %endif $CopyKernel $KernelImage $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer @@ -1712,7 +1721,9 @@ make %{?cross_opts} ARCH=%{hdrarch} DESTDIR=$RPM_BUILD_ROOT bootwrapper_install %if %{with_doc} # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/%{rpmversion}-%{pkgrelease} -install -m 0644 %{SOURCE13} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/%{rpmversion}-%{pkgrelease}/kernel-signing-ca.cer +install -m 0644 %{SOURCE13} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/%{rpmversion}-%{pkgrelease}/kernel-signing-ca-20140212.cer +install -m 0644 %{SOURCE15} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/%{rpmversion}-%{pkgrelease}/kernel-signing-ca-20200609.cer +ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/%{rpmversion}-%{pkgrelease}/kernel-signing-ca.cer %endif # We have to do the headers checksum calculation after the tools install because @@ -1841,6 +1852,14 @@ do fi done +### re-generate initramfs upon microcode_ctl update + +%triggerin -- microcode_ctl +KVERSION=%{version}-%{release}.%{_target_cpu} +if [ -e "/lib/modules/$KVERSION/modules.dep" ]; then + %{_bindir}/dracut -f --kver $KVERSION +fi + ### end of plus kernel mod ### %kernel_variant_preun @@ -1898,6 +1917,8 @@ fi %dir %{_datadir}/doc/kernel-doc-%{rpmversion}/Documentation %dir %{_datadir}/doc/kernel-doc-%{rpmversion} %{_datadir}/man/man9/* +%{_datadir}/doc/kernel-keys/%{rpmversion}-%{pkgrelease}/kernel-signing-ca-20140212.cer +%{_datadir}/doc/kernel-keys/%{rpmversion}-%{pkgrelease}/kernel-signing-ca-20200609.cer %{_datadir}/doc/kernel-keys/%{rpmversion}-%{pkgrelease}/kernel-signing-ca.cer %dir %{_datadir}/doc/kernel-keys/%{rpmversion}-%{pkgrelease} %dir %{_datadir}/doc/kernel-keys @@ -2054,7 +2075,7 @@ fi %kernel_variant_files %{with_kdump} kdump %changelog -* Tue Jun 23 2020 Akemi Yagi [3.10.0-1127.13.1.el7.centos.plus] +* Wed Jul 29 2020 Akemi Yagi [3.10.0-1127.18.2.el7.centos.plus] - Apply debranding changes - Roll in i686 mods addmissing.patch [puias] @@ -2113,6 +2134,60 @@ fi - Apply a patch to fix ICMP redirects [bug#16521] - Apply a patch to fix cifs [bug#16824] - Apply a patch to fix acpi bug [bug#17118] +- Added a triggerin scriptlet to rebuild the initramfs image + when the system microcode package is updated. [bug#17539] + +* Mon Jul 20 2020 Augusto Caringi [3.10.0-1127.18.2.el7] +- [crypto] pefile: Tolerate other pefile signatures after first (Lenny Szubowicz) [1837429 1837430] {CVE-2020-10713} +- [kernel] Move to dual-signing to split signing keys up better (pjones) [1837429 1837430] {CVE-2020-10713} + +* Mon Jul 13 2020 Augusto Caringi [3.10.0-1127.18.1.el7] +- [fs] locks: allow filesystems to request that ->setlease be called without i_lock (Jeff Layton) [1838602 1830606] +- [fs] locks: move fasync setup into generic_add_lease (Jeff Layton) [1838602 1830606] + +* Tue Jul 07 2020 Augusto Caringi [3.10.0-1127.17.1.el7] +- [vfio] vfio/pci: Fix SR-IOV VF handling with MMIO blocking (Alex Williamson) [1852245 1820632] +- [fs] aio: fix inconsistent ring state (Jeff Moyer) [1850055 1845326] +- [wireless] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() (Jarod Wilson) [1844069 1844070] {CVE-2020-12654} +- [wireless] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() (Jarod Wilson) [1844025 1844026] {CVE-2020-12653} +- [x86] mm: Fix mremap not considering huge pmd devmap (Rafael Aquini) [1843436 1843437] {CVE-2020-10757} +- [mm] mm, dax: check for pmd_none() after split_huge_pmd() (Rafael Aquini) [1843436 1843437] {CVE-2020-10757} +- [mm] mm: mremap: streamline move_page_tables()'s move_huge_pmd() corner case (Rafael Aquini) [1843436 1843437] {CVE-2020-10757} +- [mm] mm: mremap: validate input before taking lock (Rafael Aquini) [1843436 1843437] {CVE-2020-10757} + +* Tue Jun 30 2020 Augusto Caringi [3.10.0-1127.16.1.el7] +- [kernel] sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision (Artem Savkov) [1850500 1752067] +- [block] virtio-blk: improve virtqueue error to BLK_STS (Philipp Rudo) [1842994 1818001] +- [block] virtio-blk: fix hw_queue stopped on arbitrary error (Philipp Rudo) [1842994 1818001] + +* Fri Jun 19 2020 Augusto Caringi [3.10.0-1127.15.1.el7] +- [fs] ext4: fix setting of referenced bit in ext4_es_lookup_extent() (Lukas Czerner) [1847343 1663720] +- [fs] ext4: introduce aging to extent status tree (Lukas Czerner) [1847343 1663720] +- [fs] ext4: cleanup flag definitions for extent status tree (Lukas Czerner) [1847343 1663720] +- [fs] ext4: limit number of scanned extents in status tree shrinker (Lukas Czerner) [1847343 1663720] +- [fs] ext4: move handling of list of shrinkable inodes into extent status code (Lukas Czerner) [1847343 1663720] +- [fs] ext4: change LRU to round-robin in extent status tree shrinker (Lukas Czerner) [1847343 1663720] +- [net] netfilter: nat: never update the UDP checksum when it's 0 (Guillaume Nault) [1847333 1834278] +- [char] ipmi_si: Only schedule continuously in the thread in maintenance mode (Alexey Klimov) [1841825 1837127] +- [scsi] scsi: ibmvfc: Fix NULL return compiler warning (Steve Best) [1830889 1810643] +- [scsi] scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (Steve Best) [1830889 1810643] +- [hid] HID: hiddev: do cleanup in failure of opening a device (Torez Smith) [1803448 1814257] {CVE-2019-19527} +- [hid] HID: hiddev: avoid opening a disconnected device (Torez Smith) [1803448 1814257] {CVE-2019-19527} + +* Tue Jun 16 2020 Augusto Caringi [3.10.0-1127.14.1.el7] +- [fs] NFS: Fix a race between mmap() and O_DIRECT (Benjamin Coddington) [1845520 1813803] +- [fs] NFS: Remove a redundant call to unmap_mapping_range() (Benjamin Coddington) [1845520 1813803] +- [fs] NFS: Remove redundant waits for O_DIRECT in fsync() and write_begin() (Benjamin Coddington) [1845520 1813803] +- [fs] NFS: Cleanup nfs_direct_complete() (Benjamin Coddington) [1845520 1813803] +- [fs] NFS: Do not serialise O_DIRECT reads and writes (Benjamin Coddington) [1845520 1813803] +- [fs] NFS: Move buffered I/O locking into nfs_file_write() (Benjamin Coddington) [1845520 1813803] +- [fs] bdi: make inode_to_bdi() inline (Benjamin Coddington) [1845520 1813803] +- [fs] NFS: Remove racy size manipulations in O_DIRECT (Benjamin Coddington) [1845520 1813803] +- [fs] NFS: Don't hold the inode lock across fsync() (Benjamin Coddington) [1845520 1813803] +- [fs] nfs: remove nfs_inode_dio_wait (Benjamin Coddington) [1845520 1813803] +- [fs] nfs: remove nfs4_file_fsync (Benjamin Coddington) [1845520 1813803] +- [fs] NFS: Kill NFS_INO_NFS_INO_FLUSHING: it is a performance killer (Benjamin Coddington) [1845520 1813803] +- [infiniband] RDMA/bnxt_re: Fix chip number validation Broadcom's Gen P5 series (Jonathan Toppins) [1834190 1823679] * Fri Jun 12 2020 Augusto Caringi [3.10.0-1127.13.1.el7] - [x86] x86/speculation: Support old struct x86_cpu_id & x86_match_cpu() kABI (Waiman Long) [1827187 1827188] {CVE-2020-0543}