-rw-r--r--Makefile.rhelver2
-rwxr-xr-xkernel.spec70
-rw-r--r--patch-5.14.0-redhat.patch10
-rw-r--r--redhatsecureboot003.cerbin829 -> 0 bytes
-rw-r--r--redhatsecurebootca2.cerbin872 -> 0 bytes
-rw-r--r--sources6
6 files changed, 38 insertions, 50 deletions
diff --git a/Makefile.rhelver b/Makefile.rhelver
index 514937abf..1bec7bd85 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 99
#
# Use this spot to avoid future merge conflicts.
# Do not trim this comment.
-RHEL_RELEASE = 50
+RHEL_RELEASE = 54
#
# Early y+1 numbering
diff --git a/kernel.spec b/kernel.spec
index 59e26b836..6e81ce8ab 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -78,9 +78,9 @@ Summary: The Linux kernel
# Set debugbuildsenabled to 0 to not build a separate debug kernel, but
# to build the base kernel using the debug configuration. (Specifying
# the --with-release option overrides this setting.)
-%define debugbuildsenabled 0
+%define debugbuildsenabled 1
-%global distro_build 0.rc6.20210820gitd992fe5318d8.50
+%global distro_build 0.rc7.54
%if 0%{?fedora}
%define secure_boot_arch x86_64
@@ -124,13 +124,13 @@ Summary: The Linux kernel
%define kversion 5.14
%define rpmversion 5.14.0
-%define pkgrelease 0.rc6.20210820gitd992fe5318d8.50
+%define pkgrelease 0.rc7.54
# This is needed to do merge window version magic
%define patchlevel 14
# allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 0.rc6.20210820gitd992fe5318d8.50%{?buildid}%{?dist}
+%define specrelease 0.rc7.54%{?buildid}%{?dist}
%define pkg_release %{specrelease}
@@ -671,7 +671,7 @@ BuildRequires: lld
# exact git commit you can run
#
# xzcat -qq ${TARBALL} | git get-tar-commit-id
-Source0: linux-5.14-rc6-125-gd992fe5318d8.tar.xz
+Source0: linux-5.14-rc7.tar.xz
Source1: Makefile.rhelver
@@ -690,26 +690,21 @@ Source9: x509.genkey.fedora
%if %{?released_kernel}
Source10: redhatsecurebootca5.cer
-Source11: redhatsecurebootca1.cer
-Source12: redhatsecureboot501.cer
-Source13: redhatsecureboot301.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
-
-%define secureboot_ca_1 %{SOURCE10}
-%define secureboot_ca_0 %{SOURCE11}
+Source11: redhatsecureboot501.cer
+Source12: secureboot_s390.cer
+Source13: secureboot_ppc.cer
+
+%define secureboot_ca_0 %{SOURCE10}
%ifarch x86_64 aarch64
-%define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 redhatsecureboot501
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot301
+%define secureboot_key_0 %{SOURCE11}
+%define pesign_name_0 redhatsecureboot501
%endif
%ifarch s390x
-%define secureboot_key_0 %{SOURCE14}
+%define secureboot_key_0 %{SOURCE12}
%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
-%define secureboot_key_0 %{SOURCE15}
+%define secureboot_key_0 %{SOURCE13}
%define pesign_name_0 redhatsecureboot303
%endif
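Review bot: In the `%ifarch s390x` and `%ifarch ppc64le` branches, `secureboot_ca_0` used to expand to the old Source11 (redhatsecurebootca1.cer) and now expands to Source10 (redhatsecurebootca5.cer), while `pesign_name_0` stays `redhatsecureboot302` and `redhatsecureboot303`. It is worth confirming that those two signers chain to CA 5; if they do not, the certificate later installed as kernel-signing-ca.cer on those arches will not validate the signature it is shipped to authenticate. The diffstat removes only redhatsecureboot003.cer and redhatsecurebootca2.cer, so if redhatsecurebootca1.cer and redhatsecureboot301.cer are tracked in this repository they are now unreferenced and could be deleted in the same commit.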
@@ -717,16 +712,11 @@ Source15: secureboot_ppc.cer
%else
Source10: redhatsecurebootca4.cer
-Source11: redhatsecurebootca2.cer
-Source12: redhatsecureboot401.cer
-Source13: redhatsecureboot003.cer
-
-%define secureboot_ca_1 %{SOURCE10}
-%define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 redhatsecureboot401
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot003
+Source11: redhatsecureboot401.cer
+
+%define secureboot_ca_0 %{SOURCE10}
+%define secureboot_key_0 %{SOURCE11}
+%define pesign_name_0 redhatsecureboot401
# released_kernel
%endif
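Review bot: After this hunk and the released_kernel hunk above it, `secureboot_ca_1`, `secureboot_key_1` and `pesign_name_1` are defined nowhere, and rpm leaves an undefined macro as literal text instead of failing the build. The visible hunks drop the uses in BuildKernel, but any reference left outside them would reach the command as the string `%{secureboot_ca_1}`. Source11 to Source13 now name different certificates than before, so a stale `%{SOURCE11}`-style reference would silently pick up the wrong file. Searching the spec for `_1}` and for `%{SOURCE14}` / `%{SOURCE15}` before merging would rule both out.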
@@ -1357,8 +1347,8 @@ ApplyOptionalPatch()
fi
}
-%setup -q -n kernel-5.14-rc6-125-gd992fe5318d8 -c
-mv linux-5.14-rc6-125-gd992fe5318d8 linux-%{KVERREL}
+%setup -q -n kernel-5.14-rc7 -c
+mv linux-5.14-rc7 linux-%{KVERREL}
cd linux-%{KVERREL}
cp -a %{SOURCE1} .
@@ -1630,9 +1620,7 @@ BuildKernel() {
fi
%ifarch x86_64 aarch64
- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
- rm vmlinuz.tmp
+ %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
%endif
%ifarch s390x ppc64le
if [ -x /usr/bin/rpm-sign ]; then
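Review bot: The single `%pesign` call under `%ifarch x86_64 aarch64` carries no hint that the image used to be dual-signed or why it no longer is. A comment above it would save the next reader a trip through the changelog, for example `# signed once: certificates deprecated after BootHole were dropped [1994849]`. With the second signature gone, a trust store that still holds only the older CA will stop validating this image; that looks like the intent, but it should be stated where the signing happens. BuildKernel starts before and continues after this hunk.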
@@ -2097,13 +2085,7 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- %ifarch x86_64 aarch64
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
- ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %else
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %endif
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%ifarch s390x ppc64le
if [ $DoModules -eq 1 ]; then
if [ -x /usr/bin/rpm-sign ]; then
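Review bot: On x86_64 and aarch64 the dated files kernel-signing-ca-20200609.cer and kernel-signing-ca-20140212.cer are no longer installed, and kernel-signing-ca.cer changes from a symlink to a regular file. Anything that names the dated paths will stop resolving. The `%files` lists and any verification tooling are outside this hunk; if either references the dated names, they need the same change. A short comment on the `install` line saying that only the current CA is shipped would make the single undated name read as deliberate. BuildKernel continues past the end of the hunk.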
@@ -2952,6 +2934,12 @@ fi
#
#
%changelog
+* Mon Aug 23 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc7.54]
+- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Herton R. Krzesinski) [1994849]
+
+* Sat Aug 21 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc6.20210821gitfa54d366a6e4.51]
+- More Fedora config updates (Justin M. Forbes)
+
* Fri Aug 20 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc6.20210820gitd992fe5318d8.50]
- Fedora config updates for 5.14 (Justin M. Forbes)
diff --git a/patch-5.14.0-redhat.patch b/patch-5.14.0-redhat.patch
index c7f6e5b5e..97503f85e 100644
--- a/patch-5.14.0-redhat.patch
+++ b/patch-5.14.0-redhat.patch
@@ -139,7 +139,7 @@ index 000000000000..effb81d04bfd
+
+endmenu
diff --git a/Makefile b/Makefile
-index c19d1638da25..5392d14f9646 100644
+index 80aa85170d6b..3b0fcfb382a3 100644
--- a/Makefile
+++ b/Makefile
@@ -18,6 +18,10 @@ $(if $(filter __%, $(MAKECMDGOALS)), \
@@ -1405,7 +1405,7 @@ index 258d5fe3d395..f7298e3dc8f3 100644
if (data->f01_container->dev.driver) {
/* Driver already bound, so enable ATTN now. */
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
-index 5419c4b9f27a..3bce0190f0cd 100644
+index 63f0af10c403..195be16dbd39 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -7,6 +7,7 @@
@@ -1416,7 +1416,7 @@ index 5419c4b9f27a..3bce0190f0cd 100644
#include <linux/kernel.h>
#include <linux/bug.h>
#include <linux/types.h>
-@@ -3036,6 +3037,27 @@ u32 iommu_sva_get_pasid(struct iommu_sva *handle)
+@@ -3039,6 +3040,27 @@ u32 iommu_sva_get_pasid(struct iommu_sva *handle)
}
EXPORT_SYMBOL_GPL(iommu_sva_get_pasid);
@@ -1743,10 +1743,10 @@ index 3a72352aa5cf..47b11f3c7fce 100644
struct pci_driver *drv;
struct pci_dev *dev;
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index 6d74386eadc2..2333c1e4ae05 100644
+index ab3de1551b50..7bc8ebb58d35 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
-@@ -4230,6 +4230,30 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9000,
+@@ -4231,6 +4231,30 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9000,
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9084,
quirk_bridge_cavm_thrx2_pcie_root);
diff --git a/redhatsecureboot003.cer b/redhatsecureboot003.cer
deleted file mode 100644
index 439b75bf3..000000000
--- a/redhatsecureboot003.cer
+++ /dev/null
Binary files differ
diff --git a/redhatsecurebootca2.cer b/redhatsecurebootca2.cer
deleted file mode 100644
index 43502d6bc..000000000
--- a/redhatsecurebootca2.cer
+++ /dev/null
Binary files differ
diff --git a/sources b/sources
index d828fd808..13497cdbf 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-5.14-rc6-125-gd992fe5318d8.tar.xz) = 381645b7843d25375bb15c670c07a7c0ae7c4c5b944ab937ce93a88b148157956e04367d38ee6569b68b31a5d94aa32d6998a8cb568f77462688d9a89ec03ac0
-SHA512 (kernel-abi-stablelists-5.14.0-0.rc6.20210820gitd992fe5318d8.50.tar.bz2) = 8771756b6eca6465cde6f69205b993ceff4be30c53263736d83e4cfdff82a662d52532e1f6ef7e253014fa0f13148161eaa60bf5dcced6995e1f2e6bf95b74bb
-SHA512 (kernel-kabi-dw-5.14.0-0.rc6.20210820gitd992fe5318d8.50.tar.bz2) = 1fb402c4172dc1912255c48bb8fe01823194bf0d0b272089b4e04deee5b2e559f81d28644dbfc1cb36e1991ac004ad207247a5eae480f6f80f06de287594e30d
+SHA512 (linux-5.14-rc7.tar.xz) = 8682d0a9b88220c3707130150591c7d471d6b2d8d2ddb0c8940c6e59d23f9a4b1a5fcc8ccc5a5a5b68f47f449521b5347d6d979688e40960fdc342b36a9fb012
+SHA512 (kernel-abi-stablelists-5.14.0-0.rc7.54.tar.bz2) = 67e2d05ce2c74e73f40bacb113630ade3be5f95207ea6c8aa1fa13ea7b875c53945458de6395d8ee7b0297f54deda8b8e61a727682cb33e7eeb0dfc1e1b7d998
+SHA512 (kernel-kabi-dw-5.14.0-0.rc7.54.tar.bz2) = fb3ae66655d42c9294899e6c8fe6b684f97c65dca527f863059f419f90a3bb84fc98c0ea69f7939e9b09e1ee54a59a12cd23304b8d55275bfdb24a9d1228f43d