diff --git a/.gitignore b/.gitignore
index 3e154d7..1d3a3fc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/kernel-abi-whitelists-4.18.0-240.tar.bz2
 SOURCES/kernel-kabi-dw-4.18.0-240.tar.bz2
-SOURCES/linux-4.18.0-240.1.1.el8_3.tar.xz
+SOURCES/linux-4.18.0-240.8.1.el8_3.tar.xz
diff --git a/.kernel.metadata b/.kernel.metadata
index ba14368..b39f60c 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1,3 +1,3 @@
 8d861248716a82a9ff7442c6150f5f9eccbb3243 SOURCES/kernel-abi-whitelists-4.18.0-240.tar.bz2
 59861274c73f8acc9a5c9da435ab98c09e54fac8 SOURCES/kernel-kabi-dw-4.18.0-240.tar.bz2
-692f8f751c9e55a5e157be6f2173ec06ccd0d22d SOURCES/linux-4.18.0-240.1.1.el8_3.tar.xz
+057594f1ec50439eef1fea97e81f71c090943f3e SOURCES/linux-4.18.0-240.8.1.el8_3.tar.xz
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563..0000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centos.pem b/SOURCES/centos.pem
deleted file mode 100644
index 82ad817..0000000
--- a/SOURCES/centos.pem
+++ /dev/null
@@ -1,42 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDgTCCAmmgAwIBAgIJALYWFXFy+zGAMA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
-BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
-FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE5MDYwMzE0MjA0MFoXDTM4MDEwMTE0
-MjA0MFowVTEvMC0GA1UEAwwmQ2VudE9TIExpbnV4IERyaXZlciB1cGRhdGUgc2ln
-bmluZyBrZXkxIjAgBgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD5ECuosQ4HKRRf+Kxfm+BcICBK
-PGqB+E/qalqQ3CCM3LWezq0ns/GZTD0CtSAzmOObqJb3gJ9S5gcbaMVBc3JxLlQ+
-RwVy0oNy91uy9TKhYQ3lpHDyujxiFmXPSJLMKOYbOBNObJ7qF6+ptnmDWMu7GWDc
-4UGdBdU/evt92LIxsi9ZQCEoZIqdyKBE/Y3V9gBZIZa/4oXMHfW9dWxhy9UszmR9
-hT7ZdgLFpWMFmJW+SS5QEWtp5CpRlcui4QJZl42bMp5JOrVWc+BlKPIsLdY8TqLp
-9FdhQ5Ih4auT7zn2V89YgYpq6VMZnPsn/v5piB6i6RK8Falr6SP5SV0cwV/jAgMB
-AAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQpvUwN
-BtLpkRBEtdyXMwkTm1HW1TAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q6
-8zANBgkqhkiG9w0BAQsFAAOCAQEAK+f4c4aP9TQDiQM4TDyw8iDapr7eBc+Yr0M5
-ELkWEQu55/OwLQrgCA5bdD86diaAXQAlUOXCtFRrbUQHQACEL77/32YdooHfVZZ7
-04CeE+JWxF/cQ3M5hhJnkyxaqFKC+B+bn7Z6eloMnYUPsXwfQEOuyxKaKergAJdq
-KnC0pEG3NGgwlwvnD0dwUqbbEUUqL3UQh96hCYDidhCUmuap1E2OGoxGex3ekszf
-ErCgwVYb46cv91ba2KqXVWl1FoO3c5MyZcxL46ihQgiY0BI975+HDFjpUZ69n+Um
-OhSscRUiKeEQKMVtHzyQUp5t+HCeaZBRPy3rFoIjTEqijKZ6tQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDejCCAmKgAwIBAgIJALYWFXFy+zF/MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
-BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
-FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE5MDYwMzE0MjAwMloXDTM4MDEwMTE0
-MjAwMlowTjEoMCYGA1UEAwwfQ2VudE9TIExpbnV4IGtwYXRjaCBzaWduaW5nIGtl
-eTEiMCAGCSqGSIb3DQEJARYTc2VjdXJpdHlAY2VudG9zLm9yZzCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMG+5OclqB0NE5azrGkSitqUFcZjpRk/rS2P
-CetB6jwxOn06TrLGzqnhcE9VBKyEs7CXBLy6lfnORcYOybcR2XvrgqGa1txOZggl
-hc8zCj9X7ZCMK2UsWglxQCOtbo0m/vdor/VO3SFbrf/W9+PXhvNtcxMP9yjydbP+
-lS1St8uQv952hu7C1TevyOQN3jpvWRD7DSJIU/2uRFcdIo2QCGokuB/xESXeuGJ2
-F2P9w0h74V18AlVTxtGp/RSJqZaQ2Gi5h4Oa7UsRmhmCoLdmdBe7xnYJrJ4GhxKQ
-yG0kU1ikEhZW3YjoVPgBJzTsIhCAzFrOUq0d67a1wTVMiyL60fUCAwEAAaNdMFsw
-DAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFLSfCGIFkJ3E2iz6
-mTdvsZHS8J54MB8GA1UdIwQYMBaAFFTsgYWJPuka2wj3RIhUfo4/dDrzMA0GCSqG
-SIb3DQEBCwUAA4IBAQBcDnjWh8Mx6yaS/OvBOYZprYy5Su0tn+YHiN0czpjVw+zl
-NUt2YmRSA/g6xks04CYx+UAL/xnvRcxXd17Ni7eWiROxvgQvBo5nScVkFPq2IIP5
-8aj7LoHR1MUeXfiNqf1JoSlgpRV47wv/+jZD0hmbt1rC2NJp0ZU8OHmt2GWk0jmM
-MK72D/pyCUfHetBzPpU9M0cNiukjMUdIL+U7+CXDgKsfdFHcQ76ebWyka7vRSXTs
-lBMa2g20Atwz2Hj7tEEAZ74ioQ9029RAlUSNipACe31YdT4/BBWIqHPpeDFkp8W0
-9v4jeTX/2kMBXkjzMfKjhpooa+bFFFLogLeX3P4W
------END CERTIFICATE-----
diff --git a/SOURCES/centossecureboot001.der b/SOURCES/centossecureboot001.der
deleted file mode 100644
index e8216b1..0000000
Binary files a/SOURCES/centossecureboot001.der and /dev/null differ
diff --git a/SOURCES/centossecureboot201.der b/SOURCES/centossecureboot201.der
deleted file mode 100644
index ca3c134..0000000
Binary files a/SOURCES/centossecureboot201.der and /dev/null differ
diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der
deleted file mode 100644
index 42bdfcf..0000000
Binary files a/SOURCES/centossecurebootca2.der and /dev/null differ
diff --git a/SOURCES/debrand-rh-i686-cpu.patch b/SOURCES/debrand-rh-i686-cpu.patch
deleted file mode 100644
index 5592a59..0000000
--- a/SOURCES/debrand-rh-i686-cpu.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/arch/x86/boot/main.c 2019-03-13 04:04:53.000000000 -0700
-+++ b/arch/x86/boot/main.c 2019-05-25 14:31:21.043272496 -0700
-@@ -147,7 +147,7 @@ void main(void)
-
- /* Make sure we have all the proper CPU support */
- if (validate_cpu()) {
-- puts("This processor is not supported in this version of RHEL.\n");
-+ puts("This processor is not supported in this version of CentOS Linux.\n");
- die();
- }
-
diff --git a/SOURCES/debrand-rh_taint.patch b/SOURCES/debrand-rh_taint.patch
deleted file mode 100644
index 74f2e15..0000000
--- a/SOURCES/debrand-rh_taint.patch
+++ /dev/null
@@ -1,81 +0,0 @@ ---- a/kernel/rh_taint.c 2020-10-16 10:41:51.000000000 -0500 -+++ b/kernel/rh_taint.c 2020-11-19 10:50:24.853039167 -0600 -@@ -2,12 +2,12 @@ - #include - - /* -- * The following functions are used by Red Hat to indicate to users that -- * hardware and drivers are unsupported, or have limited support in RHEL major -+ * The following functions are used by CentOS Linux to indicate to users that -+ * hardware and drivers are unsupported, or have limited support in CentOS Linux major - * and minor releases. These functions output loud warning messages to the end - * user and should be USED WITH CAUTION. - * -- * Any use of these functions _MUST_ be documented in the RHEL Release Notes, -+ * Any use of these functions _MUST_ be documented in the CentOS Linux Release Notes, - * and have approval of management. - */ - -@@ -16,15 +16,15 @@ - * @msg: Hardware name, class, or type - * - * Called to mark a device, class of devices, or types of devices as not having -- * support in any RHEL minor release. This does not TAINT the kernel. Red Hat -- * will not fix bugs against this hardware in this minor release. Red Hat may -+ * support in any CentOS Linux minor release. This does not TAINT the kernel. CentOS Linux -+ * will not fix bugs against this hardware in this minor release. CentOS Linux may - * declare support in a future major or minor update release. This cannot be - * used to mark drivers unsupported. - */ - void mark_hardware_unsupported(const char *msg) - { - /* Print one single message */ -- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://catalog.redhat.com for certified hardware.\n", msg); -+ pr_crit("Warning: %s - this hardware has not undergone testing by CentOS Linux and might not be certified. 
Please consult https://catalog.redhat.com for certified hardware.\n", msg); - } - EXPORT_SYMBOL(mark_hardware_unsupported); - -@@ -35,12 +35,12 @@ EXPORT_SYMBOL(mark_hardware_unsupported) - * Called to minimize the support status of a previously supported device in - * a minor release. This does not TAINT the kernel. Marking hardware - * deprecated is usually done in conjunction with the hardware vendor. Future -- * RHEL major releases may not include this driver. Driver updates and fixes -+ * CentOS Linux major releases may not include this driver. Driver updates and fixes - * for this device will be limited to critical issues in future minor releases. - */ - void mark_hardware_deprecated(const char *msg) - { -- pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact Red Hat Support or your device's hardware vendor for additional information.\n", msg); -+ pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this CentOS Linux release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact CentOS Linux Support or your device's hardware vendor for additional information.\n", msg); - } - EXPORT_SYMBOL(mark_hardware_deprecated); - -@@ -50,9 +50,9 @@ EXPORT_SYMBOL(mark_hardware_deprecated); - * - * Called to minimize the support status of a new driver. This does TAINT the - * kernel. Calling this function indicates that the driver or subsystem has -- * had limited testing and is not marked for full support within this RHEL -- * minor release. The next RHEL minor release may contain full support for -- * this driver. 
Red Hat does not guarantee that bugs reported against this -+ * had limited testing and is not marked for full support within this CentOS Linux -+ * minor release. The next CentOS Linux minor release may contain full support for -+ * this driver. CentOS Linux does not guarantee that bugs reported against this - * driver or subsystem will be resolved. - */ - void mark_tech_preview(const char *msg, struct module *mod) -@@ -81,13 +81,13 @@ EXPORT_SYMBOL(mark_tech_preview); - * mark_driver_unsupported - drivers that we know we don't want to support - * @name: the name of the driver - * -- * In some cases Red Hat has chosen to build a driver for internal QE -+ * In some cases CentOS Linux has chosen to build a driver for internal QE - * use. Use this function to mark those drivers as unsupported for - * customers. - */ - void mark_driver_unsupported(const char *name) - { -- pr_crit("Warning: %s - This driver has not undergone sufficient testing by Red Hat for this release and therefore cannot be used in production systems.\n", -+ pr_crit("Warning: %s - This driver has not undergone sufficient testing by CentOS Linux for this release and therefore cannot be used in production systems.\n", - name ? name : "kernel"); - } - EXPORT_SYMBOL(mark_driver_unsupported); diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch deleted file mode 100644 index b3eed51..0000000 --- a/SOURCES/debrand-single-cpu.patch +++ /dev/null 
@@ -1,11 +0,0 @@
---- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700
-+++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700
-@@ -900,7 +900,7 @@ static void rh_check_supported(void)
- if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) &&
- !guest && is_kdump_kernel()) {
- pr_crit("Detected single cpu native boot.\n");
-- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems.");
-+ pr_crit("Important: In CentOS Linux 8, single threaded, single CPU 64-bit physical systems are unsupported. Please see http://wiki.centos.org/FAQ for more information");
- }
-
- /*
diff --git a/SOURCES/kernel-aarch64-debug.config b/SOURCES/kernel-aarch64-debug.config
index c26bf62..98f1b73 100644
--- a/SOURCES/kernel-aarch64-debug.config
+++ b/SOURCES/kernel-aarch64-debug.config
@@ -2840,7 +2840,7 @@ CONFIG_CRYPTO_CRC32_ARM64_CE=m
 CONFIG_CRYPTO_CRCT10DIF_ARM64_CE=m
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_CTR=y
-CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_CTS=y
 CONFIG_CRYPTO_DEFLATE=y
 CONFIG_CRYPTO_DES=m
 CONFIG_CRYPTO_DEV_BCM_SPU=m
diff --git a/SOURCES/kernel-aarch64.config b/SOURCES/kernel-aarch64.config
index d4f3256..3b7a0c6 100644
--- a/SOURCES/kernel-aarch64.config
+++ b/SOURCES/kernel-aarch64.config
@@ -2904,7 +2904,7 @@ CONFIG_CRYPTO_CRC32_ARM64_CE=m
 CONFIG_CRYPTO_CRCT10DIF_ARM64_CE=m
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_CTR=y
-CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_CTS=y
 CONFIG_CRYPTO_DEFLATE=y
 CONFIG_CRYPTO_DES=m
 CONFIG_CRYPTO_DEV_BCM_SPU=m
diff --git a/SOURCES/kernel-ppc64le-debug.config b/SOURCES/kernel-ppc64le-debug.config
index fee218d..336b691 100644
--- a/SOURCES/kernel-ppc64le-debug.config
+++ b/SOURCES/kernel-ppc64le-debug.config
@@ -2514,7 +2514,7 @@ CONFIG_CRYPTO_CRC32=m
 CONFIG_CRYPTO_CRC32C=y
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_CTR=y
-CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_CTS=y
 CONFIG_CRYPTO_DEFLATE=y
 CONFIG_CRYPTO_DES=m
 CONFIG_CRYPTO_DEV_CCP_CRYPTO=m
diff --git a/SOURCES/kernel-ppc64le.config b/SOURCES/kernel-ppc64le.config
index f8182fd..e58e080 100644
--- a/SOURCES/kernel-ppc64le.config
+++ b/SOURCES/kernel-ppc64le.config
@@ -2576,7 +2576,7 @@ CONFIG_CRYPTO_CRC32=m
 CONFIG_CRYPTO_CRC32C=y
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_CTR=y
-CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_CTS=y
 CONFIG_CRYPTO_DEFLATE=y
 CONFIG_CRYPTO_DES=m
 CONFIG_CRYPTO_DEV_CCP_CRYPTO=m
diff --git a/SOURCES/kernel-s390x-debug.config b/SOURCES/kernel-s390x-debug.config
index c3f5d5d..d80e251 100644
--- a/SOURCES/kernel-s390x-debug.config
+++ b/SOURCES/kernel-s390x-debug.config
@@ -2644,7 +2644,7 @@ CONFIG_CRYPTO_CRC32C=y
 CONFIG_CRYPTO_CRC32_S390=y
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_CTR=y
-CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_CTS=y
 CONFIG_CRYPTO_DEFLATE=y
 CONFIG_CRYPTO_DES=m
 CONFIG_CRYPTO_DES_S390=m
diff --git a/SOURCES/kernel-s390x.config b/SOURCES/kernel-s390x.config
index 420654d..5b14f1b 100644
--- a/SOURCES/kernel-s390x.config
+++ b/SOURCES/kernel-s390x.config
@@ -2706,7 +2706,7 @@ CONFIG_CRYPTO_CRC32C=y
 CONFIG_CRYPTO_CRC32_S390=y
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_CTR=y
-CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_CTS=y
 CONFIG_CRYPTO_DEFLATE=y
 CONFIG_CRYPTO_DES=m
 CONFIG_CRYPTO_DES_S390=m
diff --git a/SOURCES/kernel-x86_64-debug.config b/SOURCES/kernel-x86_64-debug.config
index 86167d2..2329768 100644
--- a/SOURCES/kernel-x86_64-debug.config
+++ b/SOURCES/kernel-x86_64-debug.config
@@ -2585,7 +2585,7 @@ CONFIG_CRYPTO_CRC32_PCLMUL=m
 CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_CTR=y
-CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_CTS=y
 CONFIG_CRYPTO_DEFLATE=y
 CONFIG_CRYPTO_DES3_EDE_X86_64=m
 CONFIG_CRYPTO_DES=m
diff --git a/SOURCES/kernel-x86_64.config b/SOURCES/kernel-x86_64.config
index 18528ab..8cf9e4b 100644
--- a/SOURCES/kernel-x86_64.config
+++ b/SOURCES/kernel-x86_64.config
@@ -2647,7 +2647,7 @@ CONFIG_CRYPTO_CRC32_PCLMUL=m
 CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_CTR=y
-CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_CTS=y
 CONFIG_CRYPTO_DEFLATE=y
 CONFIG_CRYPTO_DES3_EDE_X86_64=m
 CONFIG_CRYPTO_DES=m
diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer
new file mode 100644
index 0000000..20e6604
Binary files /dev/null and b/SOURCES/redhatsecureboot301.cer differ
diff --git a/SOURCES/redhatsecureboot501.cer b/SOURCES/redhatsecureboot501.cer
new file mode 100644
index 0000000..dfa7afb
Binary files /dev/null and b/SOURCES/redhatsecureboot501.cer differ
diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer
new file mode 100644
index 0000000..b235400
Binary files /dev/null and b/SOURCES/redhatsecurebootca3.cer differ
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
new file mode 100644
index 0000000..dfb0284
Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ
diff --git a/SOURCES/secureboot_ppc.cer b/SOURCES/secureboot_ppc.cer
new file mode 100644
index 0000000..2c0087d
Binary files /dev/null and b/SOURCES/secureboot_ppc.cer differ
diff --git a/SOURCES/secureboot_s390.cer b/SOURCES/secureboot_s390.cer
new file mode 100644
index 0000000..137d385
Binary files /dev/null and b/SOURCES/secureboot_s390.cer differ
diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey
index dbfe9a7..b1bbe38 100644
--- a/SOURCES/x509.genkey
+++ b/SOURCES/x509.genkey
@@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 [ req_distinguished_name ]
-O = CentOS
-CN = CentOS kernel signing key
-emailAddress = security@centos.org
+O = Red Hat
+CN = Red Hat Enterprise Linux kernel signing key
+emailAddress = secalert@redhat.com
 [ myexts ]
 basicConstraints=critical,CA:FALSE
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 8bb3e88..23347b1 100644
--- a/SPECS/kernel.spec
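Review bot: In the `SOURCES/x509.genkey` hunk, the subject becomes `O = Red Hat` / `CN = Red Hat Enterprise Linux kernel signing key`, and that name is stamped on whatever key is generated from this template, wherever the build runs. The same commit deletes CentOS certificates and debranding patches, which suggests this tree is also rebuilt outside Red Hat; a key generated there would appear under Red Hat's name in the kernel keyring and in module signature details without having been issued by Red Hat. Anyone auditing trust by subject name would be misled, so the builder's own identity belongs here, or at least a comment above `[ req_distinguished_name ]` such as `# Subject is informational only; identify signing keys by fingerprint, not by name`.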
+++ b/SPECS/kernel.spec
@@ -19,7 +19,7 @@
 %global distro_build 240
 # Sign the x86_64 kernel for secure boot authentication
-%ifarch x86_64 aarch64
+%ifarch x86_64 aarch64 s390x ppc64le
 %global signkernel 1
 %else
 %global signkernel 0
@@ -42,10 +42,10 @@
 # define buildid .local
 %define rpmversion 4.18.0
-%define pkgrelease 240.1.1.el8_3
+%define pkgrelease 240.8.1.el8_3
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 240.1.1%{?dist}
+%define specrelease 240.8.1%{?dist}
 %define pkg_release %{specrelease}%{?buildid}
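Review bot: The comment `# Sign the x86_64 kernel for secure boot authentication` above the changed `%ifarch` line in the `@@ -19,7 +19,7 @@` hunk no longer describes the condition, which now sets `signkernel` to 1 for x86_64, aarch64, s390x and ppc64le. Suggest `# Sign the kernel for secure boot authentication on x86_64, aarch64, s390x and ppc64le`. It would also help to note here that every arch listed needs a matching `secureboot_key_0`/`pesign_name_0` definition further down in the spec, since the code that consumes those macros is outside this diff and cannot be checked from the hunk.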
@@ -446,34 +446,44 @@ Source9: x509.genkey
 %if %{?released_kernel}
-Source10: centossecurebootca2.der
-Source11: centos-ca-secureboot.der
-Source12: centossecureboot201.der
-Source13: centossecureboot001.der
+Source10: redhatsecurebootca5.cer
+Source11: redhatsecurebootca3.cer
+Source12: redhatsecureboot501.cer
+Source13: redhatsecureboot301.cer
+Source14: secureboot_s390.cer
+Source15: secureboot_ppc.cer
 %define secureboot_ca_0 %{SOURCE11}
 %define secureboot_ca_1 %{SOURCE10}
 %ifarch x86_64 aarch64
 %define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 centossecureboot001
+%define pesign_name_0 redhatsecureboot301
 %define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 centossecureboot201
+%define pesign_name_1 redhatsecureboot501
+%endif
+%ifarch s390x
+%define secureboot_key_0 %{SOURCE14}
+%define pesign_name_0 redhatsecureboot302
+%endif
+%ifarch ppc64le
+%define secureboot_key_0 %{SOURCE15}
+%define pesign_name_0 redhatsecureboot303
 %endif
 # released_kernel
 %else
-Source11: centossecurebootca2.der
-Source12: centos-ca-secureboot.der
-Source13: centossecureboot201.der
-Source14: centossecureboot001.der
+Source11: redhatsecurebootca4.cer
+Source12: redhatsecurebootca2.cer
+Source13: redhatsecureboot401.cer
+Source14: redhatsecureboot003.cer
 %define secureboot_ca_0 %{SOURCE12}
 %define secureboot_ca_1 %{SOURCE11}
 %define secureboot_key_0 %{SOURCE14}
-%define pesign_name_0 centossecureboot001
+%define pesign_name_0 redhatsecureboot003
 %define secureboot_key_1 %{SOURCE13}
-%define pesign_name_1 centossecureboot201
+%define pesign_name_1 redhatsecureboot401
 # released_kernel
 %endif
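Review bot: The `%else` (non-released) branch now names `redhatsecurebootca4.cer`, `redhatsecurebootca2.cer`, `redhatsecureboot401.cer` and `redhatsecureboot003.cer`, none of which this commit adds (it adds only the 301/501, ca3/ca5, `secureboot_ppc.cer` and `secureboot_s390.cer` files), so unless they already exist in SOURCES a build with `released_kernel` unset has unresolved sources. In the released branch, `s390x` and `ppc64le` define only `secureboot_key_0`/`pesign_name_0`, so any use of `secureboot_key_1` or `pesign_name_1` elsewhere in the spec has to stay arch-guarded; those uses are outside this hunk. These certificates and pesign names also fix which signing identity the built kernel expects, and the `@@ -1081,14 +1085,10 @@` hunk removes the `cp -v %{SOURCE9000} ... certs/rhel.pem` override, so a rebuild outside the original signing infrastructure should confirm which keys end up trusted. Suggest a comment above `Source10:` such as `# Secure Boot CA and signing certs; must correspond to keys the build's signing service actually holds`.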
@@ -530,24 +540,18 @@ Source400: mod-kvm.list Source2000: cpupower.service Source2001: cpupower.config -Source9000: centos.pem - ## Patches needed for building this package # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch -Patch1000: debrand-single-cpu.patch -Patch1001: debrand-rh_taint.patch -Patch1002: debrand-rh-i686-cpu.patch - # END OF PATCH DEFINITIONS BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root %description -This is the package which provides the Linux %{name} for CentOS. -It is based on upstream Linux at version %{version} and maintains kABI +This is the package which provides the Linux %{name} for Red Hat Enterprise +Linux. It is based on upstream Linux at version %{version} and maintains kABI compatibility of a set of approved symbols, however it is heavily modified with backports and fixes pulled from newer upstream Linux %{name} releases. This means this is not a %{version} kernel anymore: it includes several components which come @@ -555,7 +559,7 @@ from newer upstream linux versions, while maintaining a well tested and stable core. Some of the components/backports that may be pulled in are: changes like updates to the core kernel (eg.: scheduler, cgroups, memory management, security fixes and features), updates to block layer, supported filesystems, major driver -updates for supported hardware in CentOS, enhancements for +updates for supported hardware in Red Hat Enterprise Linux, enhancements for enterprise customers, etc. # 
@@ -796,12 +800,12 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio %endif %package -n %{name}-abi-whitelists -Summary: The CentOS kernel ABI symbol whitelists +Summary: The Red Hat Enterprise Linux kernel ABI symbol whitelists Group: System Environment/Kernel AutoReqProv: no %description -n %{name}-abi-whitelists -The kABI package contains information pertaining to the CentOS -kernel ABI, including lists of kernel symbols that are needed by +The kABI package contains information pertaining to the Red Hat Enterprise +Linux kernel ABI, including lists of kernel symbols that are needed by external Linux kernel modules, and a yum plugin to aid enforcement. %if %{with_kabidw_base} @@ -810,8 +814,8 @@ Summary: The baseline dataset for kABI verification using DWARF data Group: System Environment/Kernel AutoReqProv: no %description kernel-kabidw-base-internal -The package contains data describing the current ABI of the CentOS -kernel, suitable for the kabi-dw tool. +The package contains data describing the current ABI of the Red Hat Enterprise +Linux kernel, suitable for the kabi-dw tool. %endif # @@ -883,7 +887,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ AutoReq: no\ AutoProv: yes\ %description %{?1:%{1}-}modules-internal\ -This package provides kernel modules for the %{?2:%{2} }kernel package for CentOS internal usage.\ +This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\ %{nil} # @@ -1081,14 +1085,10 @@ ApplyOptionalPatch() } %setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c -cp -v %{SOURCE9000} linux-%{rpmversion}-%{pkgrelease}/certs/rhel.pem mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} -ApplyOptionalPatch debrand-single-cpu.patch -ApplyOptionalPatch debrand-rh_taint.patch -ApplyOptionalPatch debrand-rh-i686-cpu.patch ApplyOptionalPatch linux-kernel-test.patch # END OF PATCH APPLICATIONS 
@@ -2568,6 +2568,74 @@ fi
 #
 #
 %changelog
+* Fri Dec 04 2020 Frantisek Hrbata [4.18.0-240.8.1.el8_3]
+- [s390] s390/dasd: Fix zero write for FBA devices (Ming Lei) [1896787 1881760]
+- [s390] mm/gup: fix gup_fast with dynamic page table folding (Philipp Rudo) [1896351 1883266]
+- [netdrv] ibmveth: Identify ingress large send packets (Gustavo Duarte) [1896299 1887038]
+- [netdrv] ibmveth: Switch order of ibmveth_helper calls (Gustavo Duarte) [1896299 1887038]
+
+* Tue Dec 01 2020 Frantisek Hrbata [4.18.0-240.7.1.el8_3]
+- [fs] writeback: Drop I_DIRTY_TIME_EXPIRE (Waiman Long) [1901547 1860031]
+- [fs] writeback: Fix sync livelock due to b_dirty_time processing (Waiman Long) [1901547 1860031]
+- [fs] writeback: Avoid skipping inode writeback (Waiman Long) [1901547 1860031]
+- [fs] writeback: Protect inode->i_io_list with inode->i_lock (Waiman Long) [1901547 1860031]
+- [fs] fs: Introduce DCACHE_DONTCACHE (Waiman Long) [1901547 1860031]
+- [fs] fs: Lift XFS_IDONTCACHE to the VFS layer (Waiman Long) [1901547 1860031]
+- [fs] dcache: sort the freeing-without-RCU-delay mess for good (Waiman Long) [1901547 1860031]
+- [net] ip_tunnel_core: Fix build for archs without _HAVE_ARCH_IPV6_CSUM (Aaron Conole) [1885766 1849736]
+- [tools] selftests: pmtu.sh: Add tests for UDP tunnels handled by Open vSwitch (Aaron Conole) [1885766 1849736]
+- [tools] selftests: pmtu.sh: Add tests for bridged UDP tunnels (Aaron Conole) [1885766 1849736]
+- [net] geneve: Support for PMTU discovery on directly bridged links (Aaron Conole) [1885766 1849736]
+- [net] vxlan: Support for PMTU discovery on directly bridged links (Aaron Conole) [1885766 1849736]
+- [net] tunnels: PMTU discovery support for directly bridged IP packets (Aaron Conole) [1885766 1849736]
+- [net] ipv4: route: Ignore output interface in FIB lookup for PMTU route (Aaron Conole) [1885766 1849736]
+- [netdrv] geneve: add transport ports in route lookup for geneve (Mark Gray) [1891818 1884481] {CVE-2020-25645}
+- [kernel] PM: hibernate: Batch hibernate and resume IO requests (Lenny Szubowicz) [1894629 1868096]
+- [md] dm: fix comment in __dm_suspend() (Mike Snitzer) [1890233 1881531]
+- [md] dm: fold dm_process_bio() into dm_make_request() (Mike Snitzer) [1890233 1881531]
+- [md] dm: fix missing imposition of queue_limits from dm_wq_work() thread (Mike Snitzer) [1890233 1881531]
+- [md] dm: optimize max_io_len() by inlining max_io_len_target_boundary() (Mike Snitzer) [1890233 1881531]
+- [md] dm: push md->immutable_target optimization down to __process_bio() (Mike Snitzer) [1890233 1881531]
+- [md] dm: change max_io_len() to use blk_max_size_offset() (Mike Snitzer) [1890233 1881531]
+- [md] dm table: stack 'chunk_sectors' limit to account for target-specific splitting (Mike Snitzer) [1890233 1881531]
+- [block] block: allow 'chunk_sectors' to be non-power-of-2 (Mike Snitzer) [1890233 1881531]
+- [block] block: use lcm_not_zero() when stacking chunk_sectors (Mike Snitzer) [1890233 1881531]
+- [md] dm: fix bio splitting and its bio completion order for regular IO (Mike Snitzer) [1890233 1881531]
+
+* Tue Nov 24 2020 Frantisek Hrbata [4.18.0-240.6.1.el8_3]
+- [arm64] paravirt: Initialize steal time when cpu is online (Andrew Jones) [1898758 1879137]
+- [kvm] Revert "x86/kvm: Move context tracking where it belongs" (Nitesh Narayan Lal) [1897716 1890284]
+- [pci] hv: Fix hibernation in case interrupts are not re-created (Mohammed Gamal) [1896435 1846838]
+- [hv] hv: vmbus: hibernation: do not hang forever in vmbus_bus_resume() (Mohammed Gamal) [1896434 1876519]
+- [netdrv] hv_netvsc: Cache the current data path to avoid duplicate call and message (Mohammed Gamal) [1896433 1876527]
+- [netdrv] hv_netvsc: Switch the data path at the right time during hibernation (Mohammed Gamal) [1896433 1876527]
+- [netdrv] hv_netvsc: Fix hibernation for mlx5 VF driver (Mohammed Gamal) [1896433 1876527]
+- [tools] selftests/powerpc: Make alignment handler test P9N DD2.1 vector CI load workaround (Gustavo Duarte) [1897278 1887442]
+- [powerpc] powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (Gustavo Duarte) [1897278 1887442]
+
+* Tue Nov 17 2020 Frantisek Hrbata [4.18.0-240.5.1.el8_3]
+- [crypto] crypto: testmgr - mark cts(cbc(aes)) as FIPS allowed (Vladis Dronov) [1886189 1855161]
+
+* Wed Nov 11 2020 Frantisek Hrbata [4.18.0-240.4.1.el8_3]
+- [kernel] sched/features: Fix !CONFIG_JUMP_LABEL case (Daniel Bristot de Oliveira) [1894073 1885850]
+
+* Wed Nov 04 2020 Frantisek Hrbata [4.18.0-240.3.1.el8_3]
+- [iommu] iommu/amd: Fix the overwritten field in IVMD header (Baoquan He) [1888113 1869148]
+- [fs] xfs: trim IO to found COW extent limit (Eric Sandeen) [1886895 1882549]
+- [char] random32: update the net random state on interrupt and activity (Donghai Qiao) [1888233 1867569] {CVE-2020-16166}
+- [net] openvswitch: fixes crash if nf_conncount_init() fails (Eelco Chaudron) [1879935 1876445]
+
+* Tue Oct 27 2020 Frantisek Hrbata [4.18.0-240.2.1.el8_3]
+- [tools] selftests: rtnetlink: Test bridge enslavement with different parent IDs (Jonathan Toppins) [1886017 1860479]
+- [tools] selftests: rtnetlink: correct the final return value for the test (Jonathan Toppins) [1886017 1860479]
+- [net] Fix bridge enslavement failure (Jonathan Toppins) [1886017 1860479]
+- [net] netfilter: conntrack: proc: rename stat column (Florian Westphal) [1882094 1875681]
+- [net] netfilter: conntrack: add clash resolution stat counter (Florian Westphal) [1882094 1875681]
+- [net] netfilter: conntrack: remove ignore stats (Florian Westphal) [1882094 1875681]
+- [net] netfilter: conntrack: do not increment two error counters at same time (Florian Westphal) [1882094 1875681]
+- [net] netfilter: conntrack: do not auto-delete clash entries on reply (Florian Westphal) [1882094 1875681]
+- [kernel] time/tick-broadcast: Fix tick_broadcast_offline() lockdep complaint (Alexey Klimov) [1880080 1877380]
+
 * Fri Oct 16 2020 Frantisek Hrbata [4.18.0-240.1.1.el8_3]
 - [net] Bluetooth: fix kernel oops in store_pending_adv_report (Gopal Tiwari) [1888454 1888455] {CVE-2020-24490}
 - [net] Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel (Gopal Tiwari) [1888257 1888258] {CVE-2020-12351}