4d0d54 import kernel-rt-4.18.0-193.14.3.rt13.67.el8_2

Authored and Committed by centosrcm 4 years ago
    import kernel-rt-4.18.0-193.14.3.rt13.67.el8_2
    
        
file modified
+1 -1
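--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/linux-4.18.0-193.13.2.rt13.65.el8_2.tar.xz
+SOURCES/linux-4.18.0-193.14.3.rt13.67.el8_2.tar.xz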
file modified
+1 -1
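--- a/.kernel-rt.metadata
+++ b/.kernel-rt.metadata
@@ -1 +1 @@
-6995bb4ccc97f3fd43d4b5b68f8787d222174687 SOURCES/linux-4.18.0-193.13.2.rt13.65.el8_2.tar.xz
+7d175a53e97e1a2449eec92560e29eeeca45489a SOURCES/linux-4.18.0-193.14.3.rt13.67.el8_2.tar.xz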
SOURCES/redhatsecureboot301.cer SOURCES/secureboot.cer
file renamed
file was renamed with no change to the file
empty file added
SOURCES/redhatsecurebootca3.cer SOURCES/securebootca.cer
file renamed
file was renamed with no change to the file
empty file added
file modified
+66 -28
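--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -42,10 +42,10 @@
 # define buildid .local
 
 %define rpmversion 4.18.0
-%define pkgrelease 193.13.2.rt13.65.el8_2
+%define pkgrelease 193.14.3.rt13.67.el8_2
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 193.13.2.rt13.65%{?dist}
+%define specrelease 193.14.3.rt13.67%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -149,7 +149,7 @@
 # The preempt RT patch level
 %global rttag .rt13
 # realtimeN
-%global rtbuild .65
+%global rtbuild .67
 %define with_doc 0
 %define with_headers 0
 %define with_cross_headers 0
@@ -409,7 +409,7 @@ BuildRequires: asciidoc
 
 Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz
 
-Source11: x509.genkey
+Source9: x509.genkey
 
 # Name of the packaged file containing signing key
 %ifarch ppc64le
@@ -421,34 +421,44 @@ Source11: x509.genkey
 
 %if %{?released_kernel}
 
-Source12: securebootca.cer
-Source13: secureboot.cer
+Source10: redhatsecurebootca5.cer
+Source11: redhatsecurebootca3.cer
+Source12: redhatsecureboot501.cer
+Source13: redhatsecureboot301.cer
 Source14: secureboot_s390.cer
 Source15: secureboot_ppc.cer
 
-%define secureboot_ca %{SOURCE12}
+%define secureboot_ca_0 %{SOURCE11}
+%define secureboot_ca_1 %{SOURCE10}
 %ifarch x86_64 aarch64
-%define secureboot_key %{SOURCE13}
-%define pesign_name redhatsecureboot301
+%define secureboot_key_0 %{SOURCE13}
+%define pesign_name_0 redhatsecureboot301
+%define secureboot_key_1 %{SOURCE12}
+%define pesign_name_1 redhatsecureboot501
 %endif
 %ifarch s390x
-%define secureboot_key %{SOURCE14}
-%define pesign_name redhatsecureboot302
+%define secureboot_key_0 %{SOURCE14}
+%define pesign_name_0 redhatsecureboot302
 %endif
 %ifarch ppc64le
-%define secureboot_key %{SOURCE15}
-%define pesign_name redhatsecureboot303
+%define secureboot_key_0 %{SOURCE15}
+%define pesign_name_0 redhatsecureboot303
 %endif
 
 # released_kernel
 %else
 
+Source11: redhatsecurebootca4.cer
 Source12: redhatsecurebootca2.cer
-Source13: redhatsecureboot003.cer
+Source13: redhatsecureboot401.cer
+Source14: redhatsecureboot003.cer
 
-%define secureboot_ca %{SOURCE12}
-%define secureboot_key %{SOURCE13}
-%define pesign_name redhatsecureboot003
+%define secureboot_ca_0 %{SOURCE11}
+%define secureboot_ca_1 %{SOURCE12}
+%define secureboot_key_0 %{SOURCE13}
+%define pesign_name_0 redhatsecureboot401
+%define secureboot_key_1 %{SOURCE14}
+%define pesign_name_1 redhatsecureboot003
 
 # released_kernel
 %endif
@@ -1179,7 +1189,7 @@ BuildKernel() {
 cp configs/$Config .config
 
 %if %{signkernel}%{signmodules}
-cp %{SOURCE11} certs/.
+cp %{SOURCE9} certs/.
 %endif
 
 Arch=`head -1 .config | cut -b 3-`
@@ -1245,11 +1255,13 @@ BuildKernel() {
 fi
 
 %ifarch x86_64 aarch64
-%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name}
+%pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+%pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
+rm vmlinuz.tmp
 %endif
 %ifarch s390x ppc64le
 if [ -x /usr/bin/rpm-sign ]; then
-rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed
+rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
 elif [ $DoModules -eq 1 ]; then
 chmod +x scripts/sign-file
 ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
@@ -1645,11 +1657,17 @@ BuildKernel() {
 
 # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
-install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+%ifarch x86_64 aarch64
+install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
+install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
+ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+%else
+install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+%endif
 %ifarch s390x ppc64le
 if [ $DoModules -eq 1 ]; then
 if [ -x /usr/bin/rpm-sign ]; then
-install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
 else
 install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
@@ -2404,12 +2422,7 @@ fi
 /lib/modules/%{KVERREL}%{?3:+%{3}}/updates\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/bls.conf\
-%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\
+%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}\
-%ifarch s390x ppc64le\
-%if 0%{!?4:1}\
-%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \
-%endif\
-%endif\
 %if %{1}\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/vdso\
 /etc/ld.so.conf.d/%{name}-%{KVERREL}%{?3:+%{3}}.conf\
@@ -2465,6 +2478,31 @@ fi
 #
 #
 %changelog
+* Sun Jul 19 2020 Luis Claudio R. Goncalves <lgoncalv@redhat.com> [4.18.0-193.14.3.rt13.67.el8_2]
+- Reverse keys order for dual-signing (Frantisek Hrbata) [1837433 1837434] {CVE-2020-10713}
+
+* Sun Jul 19 2020 Luis Claudio R. Goncalves <lgoncalv@redhat.com> [4.18.0-193.14.2.rt13.66.el8_2]
+- [kernel] Move to dual-signing to split signing keys up better (pjones) [1837433 1837434] {CVE-2020-10713}
+- [crypto] pefile: Tolerate other pefile signatures after first (Lenny Szubowicz) [1837433 1837434] {CVE-2020-10713}
+- [acpi] ACPI: configfs: Disallow loading ACPI tables when locked down (Lenny Szubowicz) [1852968 1852969] {CVE-2020-15780}
+- [firmware] efi: Restrict efivar_ssdt_load when the kernel is locked down (Lenny Szubowicz) [1852948 1852949] {CVE-2019-20908}
+
+* Mon Jul 13 2020 Luis Claudio R. Goncalves <lgoncalv@redhat.com> [4.18.0-193.14.1.rt13.65.el8_2]
+- [md] dm mpath: add DM device name to Failing/Reinstating path log messages (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: enhance queue_if_no_path debugging (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: restrict queue_if_no_path state machine (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: simplify __must_push_back (Mike Snitzer) [1852050 1822975]
+- [md] dm: use DMDEBUG macros now that they use pr_debug variants (Mike Snitzer) [1852050 1822975]
+- [include] dm: use dynamic debug instead of compile-time config option (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: switch paths in dm_blk_ioctl() code path (Mike Snitzer) [1852050 1822975]
+- [md] dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath (Mike Snitzer) [1852050 1822975]
+- [md] dm: bump version of core and various targets (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: Add timeout mechanism for queue_if_no_path (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: use true_false for bool variable (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: remove harmful bio-based optimization (Mike Snitzer) [1852050 1822975]
+- [scsi] scsi: libiscsi: fall back to sendmsg for slab pages (Maurizio Lombardi) [1852048 1825775]
+- [s390] s390/mm: fix panic in gup_fast on large pud (Philipp Rudo) [1853336 1816980]
+
 * Tue Jul 07 2020 Luis Claudio R. Goncalves <lgoncalv@redhat.com> [4.18.0-193.13.1.rt13.64.el8_2]
 - [x86] x86/efi: Allocate e820 buffer before calling efi_exit_boot_service (Lenny Szubowicz) [1846180 1824005]
 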
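Review bot: In the `%ifarch x86_64 aarch64` block added by the `@@ -1645,11 +1657,17 @@` hunk, the dated file names are bound to `%{secureboot_ca_0}` and `%{secureboot_ca_1}`, yet the two branches of `%if %{?released_kernel}` fill those macros in opposite order: the released branch puts the renamed pre-existing CA `redhatsecurebootca3.cer` in `_0` and the new `redhatsecurebootca5.cer` in `_1`, while the `%else` branch puts the new `redhatsecurebootca4.cer` in `_0` and the pre-existing `redhatsecurebootca2.cer` in `_1`. If the suffixes are meant as the certificates' dates (the page does not show the certificates, so this is inferred), one build type ships the CA files under swapped names and points the `kernel-signing-ca.cer` symlink at the other CA, which misleads anyone using these files to check the kernel's signature chain. I would set the install names next to the `Source` lines in each branch, or at least add a comment there such as `# _0 is applied first by pesign, _1 second; keep the kernel-signing-ca-<date>.cer names in BuildKernel() in step with this order`. The install lines sit inside `BuildKernel()`, which starts and ends outside the hunk.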