diff --git a/.gitignore b/.gitignore index 429943a..be7c8f1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ SOURCES/kernel-abi-whitelists-4.18.0-193.tar.bz2 SOURCES/kernel-kabi-dw-4.18.0-193.tar.bz2 -SOURCES/linux-4.18.0-193.6.3.el8_2.tar.xz +SOURCES/linux-4.18.0-193.13.2.el8_2.tar.xz diff --git a/.kernel.metadata b/.kernel.metadata index 9cffd75..27b005b 100644 --- a/.kernel.metadata +++ b/.kernel.metadata @@ -1,3 +1,3 @@ e784eb39f12543661810c04a478fd6a3e342644d SOURCES/kernel-abi-whitelists-4.18.0-193.tar.bz2 89d98f66f0a35a19ab31b2d7943d3199ca8a15c1 SOURCES/kernel-kabi-dw-4.18.0-193.tar.bz2 -0dc471dcaa6001250583429d9b5a4d4d7e8607e7 SOURCES/linux-4.18.0-193.6.3.el8_2.tar.xz +30ee087d6f5b2717ad74fcb869826338463742e8 SOURCES/linux-4.18.0-193.13.2.el8_2.tar.xz diff --git a/README.debrand b/README.debrand deleted file mode 100644 index 01c46d2..0000000 --- a/README.debrand +++ /dev/null @@ -1,2 +0,0 @@ -Warning: This package was configured for automatic debranding, but the changes -failed to apply. diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der deleted file mode 100644 index 44a2563..0000000 Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ diff --git a/SOURCES/centos.pem b/SOURCES/centos.pem deleted file mode 100644 index 82ad817..0000000 --- a/SOURCES/centos.pem +++ /dev/null @@ -1,42 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDgTCCAmmgAwIBAgIJALYWFXFy+zGAMA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE5MDYwMzE0MjA0MFoXDTM4MDEwMTE0 -MjA0MFowVTEvMC0GA1UEAwwmQ2VudE9TIExpbnV4IERyaXZlciB1cGRhdGUgc2ln -bmluZyBrZXkxIjAgBgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD5ECuosQ4HKRRf+Kxfm+BcICBK -PGqB+E/qalqQ3CCM3LWezq0ns/GZTD0CtSAzmOObqJb3gJ9S5gcbaMVBc3JxLlQ+ -RwVy0oNy91uy9TKhYQ3lpHDyujxiFmXPSJLMKOYbOBNObJ7qF6+ptnmDWMu7GWDc -4UGdBdU/evt92LIxsi9ZQCEoZIqdyKBE/Y3V9gBZIZa/4oXMHfW9dWxhy9UszmR9 -hT7ZdgLFpWMFmJW+SS5QEWtp5CpRlcui4QJZl42bMp5JOrVWc+BlKPIsLdY8TqLp -9FdhQ5Ih4auT7zn2V89YgYpq6VMZnPsn/v5piB6i6RK8Falr6SP5SV0cwV/jAgMB -AAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQpvUwN -BtLpkRBEtdyXMwkTm1HW1TAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q6 -8zANBgkqhkiG9w0BAQsFAAOCAQEAK+f4c4aP9TQDiQM4TDyw8iDapr7eBc+Yr0M5 -ELkWEQu55/OwLQrgCA5bdD86diaAXQAlUOXCtFRrbUQHQACEL77/32YdooHfVZZ7 -04CeE+JWxF/cQ3M5hhJnkyxaqFKC+B+bn7Z6eloMnYUPsXwfQEOuyxKaKergAJdq -KnC0pEG3NGgwlwvnD0dwUqbbEUUqL3UQh96hCYDidhCUmuap1E2OGoxGex3ekszf -ErCgwVYb46cv91ba2KqXVWl1FoO3c5MyZcxL46ihQgiY0BI975+HDFjpUZ69n+Um -OhSscRUiKeEQKMVtHzyQUp5t+HCeaZBRPy3rFoIjTEqijKZ6tQ== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDejCCAmKgAwIBAgIJALYWFXFy+zF/MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE5MDYwMzE0MjAwMloXDTM4MDEwMTE0 -MjAwMlowTjEoMCYGA1UEAwwfQ2VudE9TIExpbnV4IGtwYXRjaCBzaWduaW5nIGtl -eTEiMCAGCSqGSIb3DQEJARYTc2VjdXJpdHlAY2VudG9zLm9yZzCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBAMG+5OclqB0NE5azrGkSitqUFcZjpRk/rS2P -CetB6jwxOn06TrLGzqnhcE9VBKyEs7CXBLy6lfnORcYOybcR2XvrgqGa1txOZggl -hc8zCj9X7ZCMK2UsWglxQCOtbo0m/vdor/VO3SFbrf/W9+PXhvNtcxMP9yjydbP+ -lS1St8uQv952hu7C1TevyOQN3jpvWRD7DSJIU/2uRFcdIo2QCGokuB/xESXeuGJ2 -F2P9w0h74V18AlVTxtGp/RSJqZaQ2Gi5h4Oa7UsRmhmCoLdmdBe7xnYJrJ4GhxKQ -yG0kU1ikEhZW3YjoVPgBJzTsIhCAzFrOUq0d67a1wTVMiyL60fUCAwEAAaNdMFsw -DAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFLSfCGIFkJ3E2iz6 -mTdvsZHS8J54MB8GA1UdIwQYMBaAFFTsgYWJPuka2wj3RIhUfo4/dDrzMA0GCSqG -SIb3DQEBCwUAA4IBAQBcDnjWh8Mx6yaS/OvBOYZprYy5Su0tn+YHiN0czpjVw+zl -NUt2YmRSA/g6xks04CYx+UAL/xnvRcxXd17Ni7eWiROxvgQvBo5nScVkFPq2IIP5 -8aj7LoHR1MUeXfiNqf1JoSlgpRV47wv/+jZD0hmbt1rC2NJp0ZU8OHmt2GWk0jmM -MK72D/pyCUfHetBzPpU9M0cNiukjMUdIL+U7+CXDgKsfdFHcQ76ebWyka7vRSXTs -lBMa2g20Atwz2Hj7tEEAZ74ioQ9029RAlUSNipACe31YdT4/BBWIqHPpeDFkp8W0 -9v4jeTX/2kMBXkjzMfKjhpooa+bFFFLogLeX3P4W ------END CERTIFICATE----- diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt deleted file mode 100644 index 321c4ec..0000000 --- a/SOURCES/centossecureboot001.crt +++ /dev/null @@ -1,81 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - b6:16:15:71:72:fb:31:7e - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org - Validity - Not Before: Aug 1 11:47:30 2018 GMT - Not After : Dec 31 11:47:30 2037 GMT - Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa: - 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51: - cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2: - 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3: - 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0: - bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18: - 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97: - a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57: - 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35: - 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0: - aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65: - 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46: - f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f: - 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2: - 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4: - 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28: - 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef: - 94:0f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Key Usage: - Digital Signature - X509v3 Subject Key Identifier: - F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29 - X509v3 Authority Key Identifier: - keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3 - - Signature Algorithm: sha256WithRSAEncryption - 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c: - dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da: - 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b: - 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a: - 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e: - b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef: - f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f: - 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56: - a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30: - 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a: - ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97: - 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c: - 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77: - da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71: - da:7f:89:1d ------BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx -NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg -BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4 -MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP -f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2 -bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/ -VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR -pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud -EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb -Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B -AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G -1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV -IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv -0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ -+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD -bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ== ------END CERTIFICATE----- diff --git a/SOURCES/debrand-rh_taint.patch b/SOURCES/debrand-rh_taint.patch deleted file mode 100644 index c2ae3c4..0000000 --- a/SOURCES/debrand-rh_taint.patch +++ /dev/null @@ -1,81 +0,0 @@ ---- a/kernel/rh_taint.c 2019-05-25 14:06:27.474558423 -0700 -+++ b/kernel/rh_taint.c 2019-05-25 14:25:53.471345832 -0700 -@@ -2,12 +2,12 @@ - #include - - /* -- * The following functions are used by Red Hat to indicate to users that -- * hardware and drivers are unsupported, or have limited support in RHEL major -+ * The following functions are used by CentOS to indicate to users that -+ * hardware and drivers are unsupported, or have limited support in CentOS Linux major - * and minor releases. These functions output loud warning messages to the end - * user and should be USED WITH CAUTION. - * -- * Any use of these functions _MUST_ be documented in the RHEL Release Notes, -+ * Any use of these functions _MUST_ be documented in the CentOS Linux Release Notes, - * and have approval of management. - */ - -@@ -16,15 +16,15 @@ - * @msg: Hardware name, class, or type - * - * Called to mark a device, class of devices, or types of devices as not having -- * support in any RHEL minor release. This does not TAINT the kernel. Red Hat -- * will not fix bugs against this hardware in this minor release. Red Hat may -+ * support in any CentOS Linux minor release. This does not TAINT the kernel. CentOS -+ * will not fix bugs against this hardware in this minor release. CentOS may - * declare support in a future major or minor update release. This cannot be - * used to mark drivers unsupported. - */ - void mark_hardware_unsupported(const char *msg) - { - /* Print one single message */ -- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://hardware.redhat.com for certified hardware.\n", msg); -+ pr_crit("Warning: %s - this hardware has not undergone upstream testing. Please consult http://wiki.centos.org/FAQ for more information\n", msg); - } - EXPORT_SYMBOL(mark_hardware_unsupported); - -@@ -35,12 +35,12 @@ EXPORT_SYMBOL(mark_hardware_unsupported) - * Called to minimize the support status of a previously supported device in - * a minor release. This does not TAINT the kernel. Marking hardware - * deprecated is usually done in conjunction with the hardware vendor. Future -- * RHEL major releases may not include this driver. Driver updates and fixes -+ * CentOS Linux major releases may not include this driver. Driver updates and fixes - * for this device will be limited to critical issues in future minor releases. - */ - void mark_hardware_deprecated(const char *msg) - { -- pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact Red Hat Support or your device's hardware vendor for additional information.\n", msg); -+ pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this CentOS Linux release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact CentOS Support or your device's hardware vendor for additional information.\n", msg); - } - EXPORT_SYMBOL(mark_hardware_deprecated); - -@@ -50,9 +50,9 @@ EXPORT_SYMBOL(mark_hardware_deprecated); - * - * Called to minimize the support status of a new driver. This does TAINT the - * kernel. Calling this function indicates that the driver or subsystem has -- * had limited testing and is not marked for full support within this RHEL -- * minor release. The next RHEL minor release may contain full support for -- * this driver. Red Hat does not guarantee that bugs reported against this -+ * had limited testing and is not marked for full support within this CentOS Linux -+ * minor release. The next CentOS Linux minor release may contain full support for -+ * this driver. CentOS does not guarantee that bugs reported against this - * driver or subsystem will be resolved. - */ - void mark_tech_preview(const char *msg, struct module *mod) -@@ -81,13 +81,13 @@ EXPORT_SYMBOL(mark_tech_preview); - * mark_driver_unsupported - drivers that we know we don't want to support - * @name: the name of the driver - * -- * In some cases Red Hat has chosen to build a driver for internal QE -+ * In some cases CentOS has chosen to build a driver for internal QE - * use. Use this function to mark those drivers as unsupported for - * customers. - */ - void mark_driver_unsupported(const char *name) - { -- pr_crit("Warning: %s - This driver has not undergone sufficient testing by Red Hat for this release and therefore cannot be used in production systems.\n", -+ pr_crit("Warning: %s - This driver has not undergone sufficient testing by CentOS for this release and therefore cannot be used in production systems.\n", - name ? name : "kernel"); - } - EXPORT_SYMBOL(mark_driver_unsupported); diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch deleted file mode 100644 index b3eed51..0000000 --- a/SOURCES/debrand-single-cpu.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700 -+++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700 -@@ -900,7 +900,7 @@ static void rh_check_supported(void) - if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) && - !guest && is_kdump_kernel()) { - pr_crit("Detected single cpu native boot.\n"); -- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems."); -+ pr_crit("Important: In CentOS Linux 8, single threaded, single CPU 64-bit physical systems are unsupported. Please see http://wiki.centos.org/FAQ for more information"); - } - - /* diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey index d98f8fe..b1bbe38 100644 --- a/SOURCES/x509.genkey +++ b/SOURCES/x509.genkey @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = CentOS -CN = CentOS Linux kernel signing key -emailAddress = security@centos.org +O = Red Hat +CN = Red Hat Enterprise Linux kernel signing key +emailAddress = secalert@redhat.com [ myexts ] basicConstraints=critical,CA:FALSE diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 7994b25..e50978b 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -19,7 +19,7 @@ %global distro_build 193 # Sign the x86_64 kernel for secure boot authentication -%ifarch x86_64 aarch64 +%ifarch x86_64 aarch64 s390x ppc64le %global signkernel 1 %else %global signkernel 0 @@ -42,10 +42,10 @@ # define buildid .local %define rpmversion 4.18.0 -%define pkgrelease 193.6.3.el8_2 +%define pkgrelease 193.13.2.el8_2 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 193.6.3%{?dist} +%define specrelease 193.13.2%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -421,24 +421,34 @@ Source11: x509.genkey %if %{?released_kernel} -Source12: centos-ca-secureboot.der -Source13: centossecureboot001.crt +Source12: securebootca.cer +Source13: secureboot.cer +Source14: secureboot_s390.cer +Source15: secureboot_ppc.cer %define secureboot_ca %{SOURCE12} %ifarch x86_64 aarch64 %define secureboot_key %{SOURCE13} -%define pesign_name centossecureboot001 +%define pesign_name redhatsecureboot301 +%endif +%ifarch s390x +%define secureboot_key %{SOURCE14} +%define pesign_name redhatsecureboot302 +%endif +%ifarch ppc64le +%define secureboot_key %{SOURCE15} +%define pesign_name redhatsecureboot303 %endif # released_kernel %else -Source12: centos-ca-secureboot.der -Source13: centossecureboot001.crt +Source12: redhatsecurebootca2.cer +Source13: redhatsecureboot003.cer %define secureboot_ca %{SOURCE12} %define secureboot_key %{SOURCE13} -%define pesign_name centossecureboot001 +%define pesign_name redhatsecureboot003 # released_kernel %endif @@ -495,13 +505,6 @@ Source400: mod-kvm.list Source2000: cpupower.service Source2001: cpupower.config -# Sources for CentOS debranding -Source9000: centos.pem - -Patch1000: debrand-single-cpu.patch -Patch1001: debrand-rh_taint.patch -#Patch1002: debrand-rh-i686-cpu.patch - ## Patches needed for building this package # empty final patch to facilitate testing of kernel patches @@ -512,7 +515,7 @@ Patch999999: linux-kernel-test.patch BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root %description -This is the package which provides the Linux %{name} for CentOS +This is the package which provides the Linux %{name} for Red Hat Enterprise Linux. It is based on upstream Linux at version %{version} and maintains kABI compatibility of a set of approved symbols, however it is heavily modified with backports and fixes pulled from newer upstream Linux %{name} releases. This means @@ -521,7 +524,7 @@ from newer upstream linux versions, while maintaining a well tested and stable core. Some of the components/backports that may be pulled in are: changes like updates to the core kernel (eg.: scheduler, cgroups, memory management, security fixes and features), updates to block layer, supported filesystems, major driver -updates for supported hardware in CentOS Linux, enhancements for +updates for supported hardware in Red Hat Enterprise Linux, enhancements for enterprise customers, etc. # @@ -754,11 +757,11 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio %endif %package -n %{name}-abi-whitelists -Summary: The CentOS Linux kernel ABI symbol whitelists +Summary: The Red Hat Enterprise Linux kernel ABI symbol whitelists Group: System Environment/Kernel AutoReqProv: no %description -n %{name}-abi-whitelists -The kABI package contains information pertaining to the CentOS +The kABI package contains information pertaining to the Red Hat Enterprise Linux kernel ABI, including lists of kernel symbols that are needed by external Linux kernel modules, and a yum plugin to aid enforcement. @@ -768,7 +771,7 @@ Summary: The baseline dataset for kABI verification using DWARF data Group: System Environment/Kernel AutoReqProv: no %description kernel-kabidw-base-internal -The package contains data describing the current ABI of the CentOS +The package contains data describing the current ABI of the Red Hat Enterprise Linux kernel, suitable for the kabi-dw tool. %endif @@ -841,7 +844,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ AutoReq: no\ AutoProv: yes\ %description %{?1:%{1}-}modules-internal\ -This package provides kernel modules for the %{?2:%{2} }kernel package for CentOS internal usage.\ +This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\ %{nil} # @@ -1036,17 +1039,11 @@ ApplyOptionalPatch() } %setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c - -cp -v %{SOURCE9000} linux-%{rpmversion}-%{pkgrelease}/certs/rhel.pem - mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} ApplyOptionalPatch linux-kernel-test.patch -ApplyOptionalPatch debrand-single-cpu.patch -ApplyOptionalPatch debrand-rh_taint.patch -#ApplyOptionalPatch debrand-rh-i686-cpu.patch # END OF PATCH APPLICATIONS @@ -1645,7 +1642,7 @@ BuildKernel() { # build a BLS config for this kernel %{SOURCE43} "$KernelVer" "$RPM_BUILD_ROOT" "%{?variant}" - # CentOS UEFI Secure Boot CA cert, which can be used to authenticate the kernel + # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %ifarch s390x ppc64le @@ -2465,19 +2462,109 @@ fi # # %changelog -* Tue Jun 09 2020 CentOS Sources - 4.18.0-193.6.3.el8.centos -- Apply debranding changes - -* Mon Jun 01 2020 Bruno Meneguele [4.18.0-193.6.3.el8_2] -- rebuild to enable xt_u32 module (Jiri Benc) [1840800 1840799 1834769 1838190] - -* Tue May 26 2020 Bruno Meneguele [4.18.0-193.6.2.el8_2] +* Mon Jul 13 2020 Bruno Meneguele [4.18.0-193.13.2.el8_2] +- Rebuild to get kernel image properly signed (Bruno Meneguele) + +* Tue Jul 07 2020 Bruno Meneguele [4.18.0-193.13.1.el8_2] +- [x86] x86/efi: Allocate e820 buffer before calling efi_exit_boot_service (Lenny Szubowicz) [1846180 1824005] + +* Thu Jul 02 2020 Bruno Meneguele [4.18.0-193.12.1.el8_2] +- [net] openvswitch: simplify the ovs_dp_cmd_new (Eelco Chaudron) [1851235 1819202] +- [net] openvswitch: fix possible memleak on destroy flow-table (Eelco Chaudron) [1851235 1819202] +- [net] openvswitch: add likely in flow_lookup (Eelco Chaudron) [1851235 1819202] +- [net] openvswitch: simplify the flow_hash (Eelco Chaudron) [1851235 1819202] +- [net] openvswitch: optimize flow-mask looking up (Eelco Chaudron) [1851235 1819202] +- [net] openvswitch: optimize flow mask cache hash collision (Eelco Chaudron) [1851235 1819202] +- [net] openvswitch: shrink the mask array if necessary (Eelco Chaudron) [1851235 1819202] +- [net] openvswitch: convert mask list in mask array (Eelco Chaudron) [1851235 1819202] +- [net] openvswitch: add flow-mask cache for performance (Eelco Chaudron) [1851235 1819202] +- [net] netfilter: nf_tables: use-after-free in dynamic operations (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: add missing ->release_ops() in error path of newrule() (Phil Sutter) [1845164 1757933] +- [net] netfilter: nft_compat: use .release_ops and remove list of extension (Phil Sutter) [1845164 1757933] +- [vfio] vfio/pci: Fix SR-IOV VF handling with MMIO blocking (Alex Williamson) [1837309 1837310] {CVE-2020-12888} +- [pci] PCI: pciehp: Fix MSI interrupt race (Myron Stowe) [1852045 1779610] +- [kernel] smp: Allow smp_call_function_single_async() to insert locked csd (Peter Xu) [1851406 1830014] +- [x86] kvm: Clean up host's steal time structure (Jon Maloy) [1795128 1813987] {CVE-2019-3016} +- [x86] kvm: Make sure KVM_VCPU_FLUSH_TLB flag is not missed (Jon Maloy) [1795128 1813987] {CVE-2019-3016} +- [virt] x86/kvm: Cache gfn to pfn translation (Jon Maloy) [1795128 1813987] {CVE-2019-3016} +- [virt] x86/kvm: Introduce kvm_(un)map_gfn() (Jon Maloy) [1795128 1813987] {CVE-2019-3016} +- [x86] kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit (Jon Maloy) [1795128 1813987] {CVE-2019-3016} + +* Fri Jun 26 2020 Bruno Meneguele [4.18.0-193.11.1.el8_2] +- [net] netfilter: conntrack: fix infinite loop on rmmod (Florian Westphal) [1851005 1832381] +- [net] netfilter: conntrack: allow insertion of clashing entries (Florian Westphal) [1851003 1821404] +- [net] netfilter: conntrack: split resolve_clash function (Florian Westphal) [1851003 1821404] +- [net] netfilter: conntrack: place confirm-bit setting in a helper (Florian Westphal) [1851003 1821404] +- [net] netfilter: never get/set skb->tstamp (Florian Westphal) [1851003 1821404] +- [net] netfilter: conntrack: remove two args from resolve_clash (Florian Westphal) [1851003 1821404] +- [net] netfilter: conntrack: tell compiler to not inline nf_ct_resolve_clash (Florian Westphal) [1851003 1821404] +- [x86] mm: Fix mremap not considering huge pmd devmap (Rafael Aquini) [1843440 1843441] {CVE-2020-10757} +- [x86] x86/vector: Remove warning on managed interrupt migration (Peter Xu) [1848545 1812331] +- [s390] s390/cio: fix virtio-ccw DMA without PV (Philipp Rudo) [1842620 1814787] + +* Fri Jun 19 2020 Bruno Meneguele [4.18.0-193.10.1.el8_2] +- [misc] dma-mapping: zero memory returned from dma_alloc_* (Philipp Rudo) [1847453 1788928] +- [nvme] nvme-multipath: fix crash in nvme_mpath_clear_ctrl_paths (Gopal Tiwari) [1846405 1781927] +- [net] netfilter: nf_tables: fix infinite loop when expr is not available (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: autoload modules from the abort path (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: remove WARN and add NLA_STRING upper limits (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: store transaction list locally while requesting module (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: use-after-free in failing rule with bound set (Phil Sutter) [1845164 1757933] +- [net] netfilter: nft_meta: skip EAGAIN if nft_meta_bridge is not a module (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: force module load in case select_ops() returns -EAGAIN (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: add nft_expr_type_request_module() (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: bogus EBUSY in helper removal from transaction (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: fix set double-free in abort path (Phil Sutter) [1845164 1757933] +- [net] netfilter: nft_compat: don't use refcount_inc on newly allocated entry (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: unbind set in rule from commit path (Phil Sutter) [1845164 1757933] +- [net] netfilter: nft_compat: destroy function must not have side effects (Phil Sutter) [1845164 1757933] +- [net] netfilter: nft_compat: make lists per netns (Phil Sutter) [1845164 1757933] +- [net] netfilter: nft_compat: use refcnt_t type for nft_xt reference count (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: fix suspicious RCU usage in nft_chain_stats_replace() (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: asynchronous release (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: split set destruction in deactivate and destroy phase (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: flow event notifier must use transaction mutex (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: use dedicated mutex to guard transactions (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: avoid global info storage (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: take module reference when starting a batch (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: make valid_genid callback mandatory (Phil Sutter) [1845164 1757933] +- [net] netfilter: nf_tables: add and use helper for module autoload (Phil Sutter) [1845164 1757933] +- [net] netfilter: nat: never update the UDP checksum when it's 0 (Guillaume Nault) [1847128 1794714] +- [x86] x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches (Waiman Long) [1847395 1847396] {CVE-2020-10768} +- [x86] x86/speculation: Prevent rogue cross-process SSBD shutdown (Waiman Long) [1847357 1847358] {CVE-2020-10766} +- [x86] x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS (Waiman Long) [1847378 1847379] {CVE-2020-10767} +- [x86] x86/speculation: Add support for STIBP always-on preferred mode (Waiman Long) [1847378 1847379] {CVE-2020-10767} +- [x86] x86/speculation: Change misspelled STIPB to STIBP (Waiman Long) [1847378 1847379] {CVE-2020-10767} +- [powerpc] powerpc/pseries/ddw: Extend upper limit for huge DMA window for persistent memory (Steve Best) [1842406 1817596] + +* Sun Jun 14 2020 Bruno Meneguele [4.18.0-193.9.1.el8_2] +- [wireless] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() (Jarod Wilson) [1844073 1844031] {CVE-2020-12654} +- [wireless] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() (Jarod Wilson) [1844049 1844039] {CVE-2020-12653} +- [netdrv] net/mlx5: FPGA, support network cards with standalone FPGA (Alaa Hleihel) [1843544 1789380] +- [mm] hugetlbfs: don't retry when pool page allocations start to fail (Rafael Aquini) [1835789 1727288] +- [mm] mm, compaction: raise compaction priority after it withdrawns (Rafael Aquini) [1835789 1727288] +- [mm] mm, reclaim: cleanup should_continue_reclaim() (Rafael Aquini) [1835789 1727288] +- [mm] mm, reclaim: make should_continue_reclaim perform dryrun detection (Rafael Aquini) [1835789 1727288] +- [kernel] exit: panic before exit_mm() on global init exit (Oleg Nesterov) [1821378 1808944] - [documentation] x86/speculation: Add Ivy Bridge to affected list (Josh Poimboeuf) [1827191 1827192] {CVE-2020-0543} - [documentation] x86/speculation: Add SRBDS vulnerability and mitigation documentation (Josh Poimboeuf) [1827191 1827192] {CVE-2020-0543} - [x86] x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation (Josh Poimboeuf) [1827191 1827192] {CVE-2020-0543} - [x86] x86/cpu: Add 'table' argument to cpu_matches() (Josh Poimboeuf) [1827191 1827192] {CVE-2020-0543} - [x86] x86/cpu: Add a steppings field to struct x86_cpu_id (Josh Poimboeuf) [1827191 1827192] {CVE-2020-0543} +* Mon Jun 08 2020 Bruno Meneguele [4.18.0-193.8.1.el8_2] +- [vfio] vfio-pci: Invalidate mmaps and block MMIO access on disabled memory (Alex Williamson) [1837309 1837310] {CVE-2020-12888} +- [vfio] vfio-pci: Fault mmaps to enable vma tracking (Alex Williamson) [1837309 1837310] {CVE-2020-12888} +- [vfio] vfio/type1: Support faulting PFNMAP vmas (Alex Williamson) [1837309 1837310] {CVE-2020-12888} +- [vfio] vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() (Alex Williamson) [1837309 1837310] {CVE-2020-12888} +- [vfio] vfio/pci: call irq_bypass_unregister_producer() before freeing irq (Alex Williamson) [1837309 1837310] {CVE-2020-12888} +- [vfio] vfio_pci: Enable memory accesses before calling pci_map_rom (Alex Williamson) [1837309 1837310] {CVE-2020-12888} + +* Mon Jun 01 2020 Bruno Meneguele [4.18.0-193.7.1.el8_2] +- [sound] ALSA: timer: Fix incorrectly assigned timer instance (Jaroslav Kysela) [1821714 1798468] {CVE-2019-19807} +- [netdrv] ibmvnic: Do not process device remove during device reset (Steve Best) [1836229 1813223] +- [net] ipv4: really enforce backoff for redirects (Paolo Abeni) [1836302 1834184] + * Fri May 22 2020 Bruno Meneguele [4.18.0-193.6.1.el8_2] - [char] tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() (Steve Best) [1827632 1808048] - [netdrv] bonding: fix active-backup transition after link failure (Jarod Wilson) [1838477 1819408]