From 284ac7bdd9cff37ecdf5c830aa51b97f52220c04 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 29 2020 17:15:05 +0000 Subject: import kernel-4.18.0-193.14.3.el8_2 --- diff --git a/.gitignore b/.gitignore index be7c8f1..8106fb9 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ SOURCES/kernel-abi-whitelists-4.18.0-193.tar.bz2 SOURCES/kernel-kabi-dw-4.18.0-193.tar.bz2 -SOURCES/linux-4.18.0-193.13.2.el8_2.tar.xz +SOURCES/linux-4.18.0-193.14.3.el8_2.tar.xz diff --git a/.kernel.metadata b/.kernel.metadata index 27b005b..9aba916 100644 --- a/.kernel.metadata +++ b/.kernel.metadata @@ -1,3 +1,3 @@ e784eb39f12543661810c04a478fd6a3e342644d SOURCES/kernel-abi-whitelists-4.18.0-193.tar.bz2 89d98f66f0a35a19ab31b2d7943d3199ca8a15c1 SOURCES/kernel-kabi-dw-4.18.0-193.tar.bz2 -30ee087d6f5b2717ad74fcb869826338463742e8 SOURCES/linux-4.18.0-193.13.2.el8_2.tar.xz +a6118277a62b58e342526c5828a7d72294bf7ae0 SOURCES/linux-4.18.0-193.14.3.el8_2.tar.xz diff --git a/README.debrand b/README.debrand deleted file mode 100644 index 01c46d2..0000000 --- a/README.debrand +++ /dev/null @@ -1,2 +0,0 @@ -Warning: This package was configured for automatic debranding, but the changes -failed to apply. diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der deleted file mode 100644 index 44a2563..0000000 Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ diff --git a/SOURCES/centos.pem b/SOURCES/centos.pem deleted file mode 100644 index 82ad817..0000000 --- a/SOURCES/centos.pem +++ /dev/null @@ -1,42 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDgTCCAmmgAwIBAgIJALYWFXFy+zGAMA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE5MDYwMzE0MjA0MFoXDTM4MDEwMTE0 -MjA0MFowVTEvMC0GA1UEAwwmQ2VudE9TIExpbnV4IERyaXZlciB1cGRhdGUgc2ln -bmluZyBrZXkxIjAgBgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD5ECuosQ4HKRRf+Kxfm+BcICBK -PGqB+E/qalqQ3CCM3LWezq0ns/GZTD0CtSAzmOObqJb3gJ9S5gcbaMVBc3JxLlQ+ -RwVy0oNy91uy9TKhYQ3lpHDyujxiFmXPSJLMKOYbOBNObJ7qF6+ptnmDWMu7GWDc -4UGdBdU/evt92LIxsi9ZQCEoZIqdyKBE/Y3V9gBZIZa/4oXMHfW9dWxhy9UszmR9 -hT7ZdgLFpWMFmJW+SS5QEWtp5CpRlcui4QJZl42bMp5JOrVWc+BlKPIsLdY8TqLp -9FdhQ5Ih4auT7zn2V89YgYpq6VMZnPsn/v5piB6i6RK8Falr6SP5SV0cwV/jAgMB -AAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQpvUwN -BtLpkRBEtdyXMwkTm1HW1TAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q6 -8zANBgkqhkiG9w0BAQsFAAOCAQEAK+f4c4aP9TQDiQM4TDyw8iDapr7eBc+Yr0M5 -ELkWEQu55/OwLQrgCA5bdD86diaAXQAlUOXCtFRrbUQHQACEL77/32YdooHfVZZ7 -04CeE+JWxF/cQ3M5hhJnkyxaqFKC+B+bn7Z6eloMnYUPsXwfQEOuyxKaKergAJdq -KnC0pEG3NGgwlwvnD0dwUqbbEUUqL3UQh96hCYDidhCUmuap1E2OGoxGex3ekszf -ErCgwVYb46cv91ba2KqXVWl1FoO3c5MyZcxL46ihQgiY0BI975+HDFjpUZ69n+Um -OhSscRUiKeEQKMVtHzyQUp5t+HCeaZBRPy3rFoIjTEqijKZ6tQ== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDejCCAmKgAwIBAgIJALYWFXFy+zF/MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE5MDYwMzE0MjAwMloXDTM4MDEwMTE0 -MjAwMlowTjEoMCYGA1UEAwwfQ2VudE9TIExpbnV4IGtwYXRjaCBzaWduaW5nIGtl -eTEiMCAGCSqGSIb3DQEJARYTc2VjdXJpdHlAY2VudG9zLm9yZzCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBAMG+5OclqB0NE5azrGkSitqUFcZjpRk/rS2P -CetB6jwxOn06TrLGzqnhcE9VBKyEs7CXBLy6lfnORcYOybcR2XvrgqGa1txOZggl -hc8zCj9X7ZCMK2UsWglxQCOtbo0m/vdor/VO3SFbrf/W9+PXhvNtcxMP9yjydbP+ -lS1St8uQv952hu7C1TevyOQN3jpvWRD7DSJIU/2uRFcdIo2QCGokuB/xESXeuGJ2 -F2P9w0h74V18AlVTxtGp/RSJqZaQ2Gi5h4Oa7UsRmhmCoLdmdBe7xnYJrJ4GhxKQ -yG0kU1ikEhZW3YjoVPgBJzTsIhCAzFrOUq0d67a1wTVMiyL60fUCAwEAAaNdMFsw -DAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFLSfCGIFkJ3E2iz6 -mTdvsZHS8J54MB8GA1UdIwQYMBaAFFTsgYWJPuka2wj3RIhUfo4/dDrzMA0GCSqG -SIb3DQEBCwUAA4IBAQBcDnjWh8Mx6yaS/OvBOYZprYy5Su0tn+YHiN0czpjVw+zl -NUt2YmRSA/g6xks04CYx+UAL/xnvRcxXd17Ni7eWiROxvgQvBo5nScVkFPq2IIP5 -8aj7LoHR1MUeXfiNqf1JoSlgpRV47wv/+jZD0hmbt1rC2NJp0ZU8OHmt2GWk0jmM -MK72D/pyCUfHetBzPpU9M0cNiukjMUdIL+U7+CXDgKsfdFHcQ76ebWyka7vRSXTs -lBMa2g20Atwz2Hj7tEEAZ74ioQ9029RAlUSNipACe31YdT4/BBWIqHPpeDFkp8W0 -9v4jeTX/2kMBXkjzMfKjhpooa+bFFFLogLeX3P4W ------END CERTIFICATE----- diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt deleted file mode 100644 index 321c4ec..0000000 --- a/SOURCES/centossecureboot001.crt +++ /dev/null @@ -1,81 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - b6:16:15:71:72:fb:31:7e - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org - Validity - Not Before: Aug 1 11:47:30 2018 GMT - Not After : Dec 31 11:47:30 2037 GMT - Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa: - 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51: - cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2: - 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3: - 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0: - bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18: - 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97: - a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57: - 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35: - 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0: - aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65: - 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46: - f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f: - 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2: - 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4: - 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28: - 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef: - 94:0f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Key Usage: - Digital Signature - X509v3 Subject Key Identifier: - F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29 - X509v3 Authority Key Identifier: - keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3 - - Signature Algorithm: sha256WithRSAEncryption - 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c: - dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da: - 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b: - 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a: - 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e: - b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef: - f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f: - 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56: - a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30: - 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a: - ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97: - 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c: - 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77: - da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71: - da:7f:89:1d ------BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx -NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg -BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4 -MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP -f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2 -bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/ -VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR -pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud -EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb -Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B -AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G -1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV -IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv -0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ -+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD -bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ== ------END CERTIFICATE----- diff --git a/SOURCES/debrand-rh_taint.patch b/SOURCES/debrand-rh_taint.patch deleted file mode 100644 index c2ae3c4..0000000 --- a/SOURCES/debrand-rh_taint.patch +++ /dev/null @@ -1,81 +0,0 @@ ---- a/kernel/rh_taint.c 2019-05-25 14:06:27.474558423 -0700 -+++ b/kernel/rh_taint.c 2019-05-25 14:25:53.471345832 -0700 -@@ -2,12 +2,12 @@ - #include - - /* -- * The following functions are used by Red Hat to indicate to users that -- * hardware and drivers are unsupported, or have limited support in RHEL major -+ * The following functions are used by CentOS to indicate to users that -+ * hardware and drivers are unsupported, or have limited support in CentOS Linux major - * and minor releases. These functions output loud warning messages to the end - * user and should be USED WITH CAUTION. - * -- * Any use of these functions _MUST_ be documented in the RHEL Release Notes, -+ * Any use of these functions _MUST_ be documented in the CentOS Linux Release Notes, - * and have approval of management. - */ - -@@ -16,15 +16,15 @@ - * @msg: Hardware name, class, or type - * - * Called to mark a device, class of devices, or types of devices as not having -- * support in any RHEL minor release. This does not TAINT the kernel. Red Hat -- * will not fix bugs against this hardware in this minor release. Red Hat may -+ * support in any CentOS Linux minor release. This does not TAINT the kernel. CentOS -+ * will not fix bugs against this hardware in this minor release. CentOS may - * declare support in a future major or minor update release. This cannot be - * used to mark drivers unsupported. - */ - void mark_hardware_unsupported(const char *msg) - { - /* Print one single message */ -- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://hardware.redhat.com for certified hardware.\n", msg); -+ pr_crit("Warning: %s - this hardware has not undergone upstream testing. Please consult http://wiki.centos.org/FAQ for more information\n", msg); - } - EXPORT_SYMBOL(mark_hardware_unsupported); - -@@ -35,12 +35,12 @@ EXPORT_SYMBOL(mark_hardware_unsupported) - * Called to minimize the support status of a previously supported device in - * a minor release. This does not TAINT the kernel. Marking hardware - * deprecated is usually done in conjunction with the hardware vendor. Future -- * RHEL major releases may not include this driver. Driver updates and fixes -+ * CentOS Linux major releases may not include this driver. Driver updates and fixes - * for this device will be limited to critical issues in future minor releases. - */ - void mark_hardware_deprecated(const char *msg) - { -- pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact Red Hat Support or your device's hardware vendor for additional information.\n", msg); -+ pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this CentOS Linux release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact CentOS Support or your device's hardware vendor for additional information.\n", msg); - } - EXPORT_SYMBOL(mark_hardware_deprecated); - -@@ -50,9 +50,9 @@ EXPORT_SYMBOL(mark_hardware_deprecated); - * - * Called to minimize the support status of a new driver. This does TAINT the - * kernel. Calling this function indicates that the driver or subsystem has -- * had limited testing and is not marked for full support within this RHEL -- * minor release. The next RHEL minor release may contain full support for -- * this driver. Red Hat does not guarantee that bugs reported against this -+ * had limited testing and is not marked for full support within this CentOS Linux -+ * minor release. The next CentOS Linux minor release may contain full support for -+ * this driver. CentOS does not guarantee that bugs reported against this - * driver or subsystem will be resolved. - */ - void mark_tech_preview(const char *msg, struct module *mod) -@@ -81,13 +81,13 @@ EXPORT_SYMBOL(mark_tech_preview); - * mark_driver_unsupported - drivers that we know we don't want to support - * @name: the name of the driver - * -- * In some cases Red Hat has chosen to build a driver for internal QE -+ * In some cases CentOS has chosen to build a driver for internal QE - * use. Use this function to mark those drivers as unsupported for - * customers. - */ - void mark_driver_unsupported(const char *name) - { -- pr_crit("Warning: %s - This driver has not undergone sufficient testing by Red Hat for this release and therefore cannot be used in production systems.\n", -+ pr_crit("Warning: %s - This driver has not undergone sufficient testing by CentOS for this release and therefore cannot be used in production systems.\n", - name ? name : "kernel"); - } - EXPORT_SYMBOL(mark_driver_unsupported); diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch deleted file mode 100644 index b3eed51..0000000 --- a/SOURCES/debrand-single-cpu.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700 -+++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700 -@@ -900,7 +900,7 @@ static void rh_check_supported(void) - if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) && - !guest && is_kdump_kernel()) { - pr_crit("Detected single cpu native boot.\n"); -- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems."); -+ pr_crit("Important: In CentOS Linux 8, single threaded, single CPU 64-bit physical systems are unsupported. Please see http://wiki.centos.org/FAQ for more information"); - } - - /* diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer new file mode 100644 index 0000000..20e6604 Binary files /dev/null and b/SOURCES/redhatsecureboot301.cer differ diff --git a/SOURCES/redhatsecureboot501.cer b/SOURCES/redhatsecureboot501.cer new file mode 100644 index 0000000..dfa7afb Binary files /dev/null and b/SOURCES/redhatsecureboot501.cer differ diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer new file mode 100644 index 0000000..b235400 Binary files /dev/null and b/SOURCES/redhatsecurebootca3.cer differ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer new file mode 100644 index 0000000..dfb0284 Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ diff --git a/SOURCES/secureboot.cer b/SOURCES/secureboot.cer deleted file mode 100644 index 20e6604..0000000 Binary files a/SOURCES/secureboot.cer and /dev/null differ diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer deleted file mode 100644 index b235400..0000000 Binary files a/SOURCES/securebootca.cer and /dev/null differ diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey index d98f8fe..b1bbe38 100644 --- a/SOURCES/x509.genkey +++ b/SOURCES/x509.genkey @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = CentOS -CN = CentOS Linux kernel signing key -emailAddress = security@centos.org +O = Red Hat +CN = Red Hat Enterprise Linux kernel signing key +emailAddress = secalert@redhat.com [ myexts ] basicConstraints=critical,CA:FALSE diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index e777e53..ac208c2 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -19,7 +19,7 @@ %global distro_build 193 # Sign the x86_64 kernel for secure boot authentication -%ifarch x86_64 aarch64 +%ifarch x86_64 aarch64 s390x ppc64le %global signkernel 1 %else %global signkernel 0 @@ -42,10 +42,10 @@ # define buildid .local %define rpmversion 4.18.0 -%define pkgrelease 193.13.2.el8_2 +%define pkgrelease 193.14.3.el8_2 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 193.13.2%{?dist} +%define specrelease 193.14.3%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -409,7 +409,7 @@ BuildRequires: asciidoc Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz -Source11: x509.genkey +Source9: x509.genkey # Name of the packaged file containing signing key %ifarch ppc64le @@ -421,24 +421,44 @@ Source11: x509.genkey %if %{?released_kernel} -Source12: centos-ca-secureboot.der -Source13: centossecureboot001.crt +Source10: redhatsecurebootca5.cer +Source11: redhatsecurebootca3.cer +Source12: redhatsecureboot501.cer +Source13: redhatsecureboot301.cer +Source14: secureboot_s390.cer +Source15: secureboot_ppc.cer -%define secureboot_ca %{SOURCE12} +%define secureboot_ca_0 %{SOURCE11} +%define secureboot_ca_1 %{SOURCE10} %ifarch x86_64 aarch64 -%define secureboot_key %{SOURCE13} -%define pesign_name centossecureboot001 +%define secureboot_key_0 %{SOURCE13} +%define pesign_name_0 redhatsecureboot301 +%define secureboot_key_1 %{SOURCE12} +%define pesign_name_1 redhatsecureboot501 +%endif +%ifarch s390x +%define secureboot_key_0 %{SOURCE14} +%define pesign_name_0 redhatsecureboot302 +%endif +%ifarch ppc64le +%define secureboot_key_0 %{SOURCE15} +%define pesign_name_0 redhatsecureboot303 %endif # released_kernel %else -Source12: centos-ca-secureboot.der -Source13: centossecureboot001.crt +Source11: redhatsecurebootca4.cer +Source12: redhatsecurebootca2.cer +Source13: redhatsecureboot401.cer +Source14: redhatsecureboot003.cer -%define secureboot_ca %{SOURCE12} -%define secureboot_key %{SOURCE13} -%define pesign_name centossecureboot001 +%define secureboot_ca_0 %{SOURCE11} +%define secureboot_ca_1 %{SOURCE12} +%define secureboot_key_0 %{SOURCE13} +%define pesign_name_0 redhatsecureboot401 +%define secureboot_key_1 %{SOURCE14} +%define pesign_name_1 redhatsecureboot003 # released_kernel %endif @@ -495,13 +515,6 @@ Source400: mod-kvm.list Source2000: cpupower.service Source2001: cpupower.config -# Sources for CentOS debranding -Source9000: centos.pem - -Patch1000: debrand-single-cpu.patch -Patch1001: debrand-rh_taint.patch -#Patch1002: debrand-rh-i686-cpu.patch - ## Patches needed for building this package # empty final patch to facilitate testing of kernel patches @@ -512,7 +525,7 @@ Patch999999: linux-kernel-test.patch BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root %description -This is the package which provides the Linux %{name} for CentOS +This is the package which provides the Linux %{name} for Red Hat Enterprise Linux. It is based on upstream Linux at version %{version} and maintains kABI compatibility of a set of approved symbols, however it is heavily modified with backports and fixes pulled from newer upstream Linux %{name} releases. This means @@ -521,7 +534,7 @@ from newer upstream linux versions, while maintaining a well tested and stable core. Some of the components/backports that may be pulled in are: changes like updates to the core kernel (eg.: scheduler, cgroups, memory management, security fixes and features), updates to block layer, supported filesystems, major driver -updates for supported hardware in CentOS Linux, enhancements for +updates for supported hardware in Red Hat Enterprise Linux, enhancements for enterprise customers, etc. # @@ -754,11 +767,11 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio %endif %package -n %{name}-abi-whitelists -Summary: The CentOS Linux kernel ABI symbol whitelists +Summary: The Red Hat Enterprise Linux kernel ABI symbol whitelists Group: System Environment/Kernel AutoReqProv: no %description -n %{name}-abi-whitelists -The kABI package contains information pertaining to the CentOS +The kABI package contains information pertaining to the Red Hat Enterprise Linux kernel ABI, including lists of kernel symbols that are needed by external Linux kernel modules, and a yum plugin to aid enforcement. @@ -768,7 +781,7 @@ Summary: The baseline dataset for kABI verification using DWARF data Group: System Environment/Kernel AutoReqProv: no %description kernel-kabidw-base-internal -The package contains data describing the current ABI of the CentOS +The package contains data describing the current ABI of the Red Hat Enterprise Linux kernel, suitable for the kabi-dw tool. %endif @@ -841,7 +854,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ AutoReq: no\ AutoProv: yes\ %description %{?1:%{1}-}modules-internal\ -This package provides kernel modules for the %{?2:%{2} }kernel package for CentOS internal usage.\ +This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\ %{nil} # @@ -1036,17 +1049,11 @@ ApplyOptionalPatch() } %setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c - -cp -v %{SOURCE9000} linux-%{rpmversion}-%{pkgrelease}/certs/rhel.pem - mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} ApplyOptionalPatch linux-kernel-test.patch -ApplyOptionalPatch debrand-single-cpu.patch -ApplyOptionalPatch debrand-rh_taint.patch -#ApplyOptionalPatch debrand-rh-i686-cpu.patch # END OF PATCH APPLICATIONS @@ -1181,7 +1188,7 @@ BuildKernel() { cp configs/$Config .config %if %{signkernel}%{signmodules} - cp %{SOURCE11} certs/. + cp %{SOURCE9} certs/. %endif Arch=`head -1 .config | cut -b 3-` @@ -1247,11 +1254,13 @@ BuildKernel() { fi %ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name} + %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} + %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} + rm vmlinuz.tmp %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then - rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed + rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed elif [ $DoModules -eq 1 ]; then chmod +x scripts/sign-file ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed @@ -1645,13 +1654,19 @@ BuildKernel() { # build a BLS config for this kernel %{SOURCE43} "$KernelVer" "$RPM_BUILD_ROOT" "%{?variant}" - # CentOS UEFI Secure Boot CA cert, which can be used to authenticate the kernel + # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %ifarch x86_64 aarch64 + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer + install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer + ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %else + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %endif %ifarch s390x ppc64le if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then - install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} else install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} @@ -2406,12 +2421,7 @@ fi /lib/modules/%{KVERREL}%{?3:+%{3}}/updates\ /lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\ /lib/modules/%{KVERREL}%{?3:+%{3}}/bls.conf\ -%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\ -%ifarch s390x ppc64le\ -%if 0%{!?4:1}\ -%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \ -%endif\ -%endif\ +%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}\ %if %{1}\ /lib/modules/%{KVERREL}%{?3:+%{3}}/vdso\ /etc/ld.so.conf.d/%{name}-%{KVERREL}%{?3:+%{3}}.conf\ @@ -2465,11 +2475,30 @@ fi # # %changelog -* Tue Jul 21 2020 CentOS Sources - 4.18.0-193.13.2.el8.centos -- Apply debranding changes - -* Mon Jul 13 2020 Bruno Meneguele [4.18.0-193.13.2.el8_2] -- Rebuild to get kernel image properly signed (Bruno Meneguele) +* Mon Jul 20 2020 Bruno Meneguele [4.18.0-193.14.3.el8_2] +- Reverse keys order for dual-signing (Frantisek Hrbata) [1837433 1837434] {CVE-2020-10713} + +* Sun Jul 19 2020 Bruno Meneguele [4.18.0-193.14.2.el8_2] +- [kernel] Move to dual-signing to split signing keys up better (pjones) [1837433 1837434] {CVE-2020-10713} +- [crypto] pefile: Tolerate other pefile signatures after first (Lenny Szubowicz) [1837433 1837434] {CVE-2020-10713} +- [acpi] ACPI: configfs: Disallow loading ACPI tables when locked down (Lenny Szubowicz) [1852968 1852969] {CVE-2020-15780} +- [firmware] efi: Restrict efivar_ssdt_load when the kernel is locked down (Lenny Szubowicz) [1852948 1852949] {CVE-2019-20908} + +* Mon Jul 13 2020 Bruno Meneguele [4.18.0-193.14.1.el8_2] +- [md] dm mpath: add DM device name to Failing/Reinstating path log messages (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: enhance queue_if_no_path debugging (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: restrict queue_if_no_path state machine (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: simplify __must_push_back (Mike Snitzer) [1852050 1822975] +- [md] dm: use DMDEBUG macros now that they use pr_debug variants (Mike Snitzer) [1852050 1822975] +- [include] dm: use dynamic debug instead of compile-time config option (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: switch paths in dm_blk_ioctl() code path (Mike Snitzer) [1852050 1822975] +- [md] dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath (Mike Snitzer) [1852050 1822975] +- [md] dm: bump version of core and various targets (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: Add timeout mechanism for queue_if_no_path (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: use true_false for bool variable (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: remove harmful bio-based optimization (Mike Snitzer) [1852050 1822975] +- [scsi] scsi: libiscsi: fall back to sendmsg for slab pages (Maurizio Lombardi) [1852048 1825775] +- [s390] s390/mm: fix panic in gup_fast on large pud (Philipp Rudo) [1853336 1816980] * Tue Jul 07 2020 Bruno Meneguele [4.18.0-193.13.1.el8_2] - [x86] x86/efi: Allocate e820 buffer before calling efi_exit_boot_service (Lenny Szubowicz) [1846180 1824005]