summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Makefile.rhelver2
-rwxr-xr-xkernel.spec70
-rw-r--r--patch-5.14.0-redhat.patch10
-rw-r--r--redhatsecureboot003.cerbin829 -> 0 bytes
-rw-r--r--redhatsecurebootca2.cerbin872 -> 0 bytes
-rw-r--r--sources6
6 files changed, 38 insertions, 50 deletions
diff --git a/Makefile.rhelver b/Makefile.rhelver
index 514937abf..1bec7bd85 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 99
#
# Use this spot to avoid future merge conflicts.
# Do not trim this comment.
-RHEL_RELEASE = 50
+RHEL_RELEASE = 54
#
# Early y+1 numbering
diff --git a/kernel.spec b/kernel.spec
index 59e26b836..6e81ce8ab 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -78,9 +78,9 @@ Summary: The Linux kernel
# Set debugbuildsenabled to 0 to not build a separate debug kernel, but
# to build the base kernel using the debug configuration. (Specifying
# the --with-release option overrides this setting.)
-%define debugbuildsenabled 0
+%define debugbuildsenabled 1
-%global distro_build 0.rc6.20210820gitd992fe5318d8.50
+%global distro_build 0.rc7.54
%if 0%{?fedora}
%define secure_boot_arch x86_64
@@ -124,13 +124,13 @@ Summary: The Linux kernel
%define kversion 5.14
%define rpmversion 5.14.0
-%define pkgrelease 0.rc6.20210820gitd992fe5318d8.50
+%define pkgrelease 0.rc7.54
# This is needed to do merge window version magic
%define patchlevel 14
# allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 0.rc6.20210820gitd992fe5318d8.50%{?buildid}%{?dist}
+%define specrelease 0.rc7.54%{?buildid}%{?dist}
%define pkg_release %{specrelease}
@@ -671,7 +671,7 @@ BuildRequires: lld
# exact git commit you can run
#
# xzcat -qq ${TARBALL} | git get-tar-commit-id
-Source0: linux-5.14-rc6-125-gd992fe5318d8.tar.xz
+Source0: linux-5.14-rc7.tar.xz
Source1: Makefile.rhelver
@@ -690,26 +690,21 @@ Source9: x509.genkey.fedora
%if %{?released_kernel}
Source10: redhatsecurebootca5.cer
-Source11: redhatsecurebootca1.cer
-Source12: redhatsecureboot501.cer
-Source13: redhatsecureboot301.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
-
-%define secureboot_ca_1 %{SOURCE10}
-%define secureboot_ca_0 %{SOURCE11}
+Source11: redhatsecureboot501.cer
+Source12: secureboot_s390.cer
+Source13: secureboot_ppc.cer
+
+%define secureboot_ca_0 %{SOURCE10}
%ifarch x86_64 aarch64
-%define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 redhatsecureboot501
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot301
+%define secureboot_key_0 %{SOURCE11}
+%define pesign_name_0 redhatsecureboot501
%endif
%ifarch s390x
-%define secureboot_key_0 %{SOURCE14}
+%define secureboot_key_0 %{SOURCE12}
%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
-%define secureboot_key_0 %{SOURCE15}
+%define secureboot_key_0 %{SOURCE13}
%define pesign_name_0 redhatsecureboot303
%endif
@@ -717,16 +712,11 @@ Source15: secureboot_ppc.cer
%else
Source10: redhatsecurebootca4.cer
-Source11: redhatsecurebootca2.cer
-Source12: redhatsecureboot401.cer
-Source13: redhatsecureboot003.cer
-
-%define secureboot_ca_1 %{SOURCE10}
-%define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 redhatsecureboot401
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot003
+Source11: redhatsecureboot401.cer
+
+%define secureboot_ca_0 %{SOURCE10}
+%define secureboot_key_0 %{SOURCE11}
+%define pesign_name_0 redhatsecureboot401
# released_kernel
%endif
@@ -1357,8 +1347,8 @@ ApplyOptionalPatch()
fi
}
-%setup -q -n kernel-5.14-rc6-125-gd992fe5318d8 -c
-mv linux-5.14-rc6-125-gd992fe5318d8 linux-%{KVERREL}
+%setup -q -n kernel-5.14-rc7 -c
+mv linux-5.14-rc7 linux-%{KVERREL}
cd linux-%{KVERREL}
cp -a %{SOURCE1} .
@@ -1630,9 +1620,7 @@ BuildKernel() {
fi
%ifarch x86_64 aarch64
- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
- rm vmlinuz.tmp
+ %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
%endif
%ifarch s390x ppc64le
if [ -x /usr/bin/rpm-sign ]; then
@@ -2097,13 +2085,7 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- %ifarch x86_64 aarch64
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
- ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %else
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %endif
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%ifarch s390x ppc64le
if [ $DoModules -eq 1 ]; then
if [ -x /usr/bin/rpm-sign ]; then
@@ -2952,6 +2934,12 @@ fi
#
#
%changelog
+* Mon Aug 23 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc7.54]
+- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Herton R. Krzesinski) [1994849]
+
+* Sat Aug 21 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc6.20210821gitfa54d366a6e4.51]
+- More Fedora config updates (Justin M. Forbes)
+
* Fri Aug 20 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc6.20210820gitd992fe5318d8.50]
- Fedora config updates for 5.14 (Justin M. Forbes)
diff --git a/patch-5.14.0-redhat.patch b/patch-5.14.0-redhat.patch
index c7f6e5b5e..97503f85e 100644
--- a/patch-5.14.0-redhat.patch
+++ b/patch-5.14.0-redhat.patch
@@ -139,7 +139,7 @@ index 000000000000..effb81d04bfd
+
+endmenu
diff --git a/Makefile b/Makefile
-index c19d1638da25..5392d14f9646 100644
+index 80aa85170d6b..3b0fcfb382a3 100644
--- a/Makefile
+++ b/Makefile
@@ -18,6 +18,10 @@ $(if $(filter __%, $(MAKECMDGOALS)), \
@@ -1405,7 +1405,7 @@ index 258d5fe3d395..f7298e3dc8f3 100644
if (data->f01_container->dev.driver) {
/* Driver already bound, so enable ATTN now. */
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
-index 5419c4b9f27a..3bce0190f0cd 100644
+index 63f0af10c403..195be16dbd39 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -7,6 +7,7 @@
@@ -1416,7 +1416,7 @@ index 5419c4b9f27a..3bce0190f0cd 100644
#include <linux/kernel.h>
#include <linux/bug.h>
#include <linux/types.h>
-@@ -3036,6 +3037,27 @@ u32 iommu_sva_get_pasid(struct iommu_sva *handle)
+@@ -3039,6 +3040,27 @@ u32 iommu_sva_get_pasid(struct iommu_sva *handle)
}
EXPORT_SYMBOL_GPL(iommu_sva_get_pasid);
@@ -1743,10 +1743,10 @@ index 3a72352aa5cf..47b11f3c7fce 100644
struct pci_driver *drv;
struct pci_dev *dev;
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index 6d74386eadc2..2333c1e4ae05 100644
+index ab3de1551b50..7bc8ebb58d35 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
-@@ -4230,6 +4230,30 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9000,
+@@ -4231,6 +4231,30 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9000,
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9084,
quirk_bridge_cavm_thrx2_pcie_root);
diff --git a/redhatsecureboot003.cer b/redhatsecureboot003.cer
deleted file mode 100644
index 439b75bf3..000000000
--- a/redhatsecureboot003.cer
+++ /dev/null
Binary files differ
diff --git a/redhatsecurebootca2.cer b/redhatsecurebootca2.cer
deleted file mode 100644
index 43502d6bc..000000000
--- a/redhatsecurebootca2.cer
+++ /dev/null
Binary files differ
diff --git a/sources b/sources
index d828fd808..13497cdbf 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-5.14-rc6-125-gd992fe5318d8.tar.xz) = 381645b7843d25375bb15c670c07a7c0ae7c4c5b944ab937ce93a88b148157956e04367d38ee6569b68b31a5d94aa32d6998a8cb568f77462688d9a89ec03ac0
-SHA512 (kernel-abi-stablelists-5.14.0-0.rc6.20210820gitd992fe5318d8.50.tar.bz2) = 8771756b6eca6465cde6f69205b993ceff4be30c53263736d83e4cfdff82a662d52532e1f6ef7e253014fa0f13148161eaa60bf5dcced6995e1f2e6bf95b74bb
-SHA512 (kernel-kabi-dw-5.14.0-0.rc6.20210820gitd992fe5318d8.50.tar.bz2) = 1fb402c4172dc1912255c48bb8fe01823194bf0d0b272089b4e04deee5b2e559f81d28644dbfc1cb36e1991ac004ad207247a5eae480f6f80f06de287594e30d
+SHA512 (linux-5.14-rc7.tar.xz) = 8682d0a9b88220c3707130150591c7d471d6b2d8d2ddb0c8940c6e59d23f9a4b1a5fcc8ccc5a5a5b68f47f449521b5347d6d979688e40960fdc342b36a9fb012
+SHA512 (kernel-abi-stablelists-5.14.0-0.rc7.54.tar.bz2) = 67e2d05ce2c74e73f40bacb113630ade3be5f95207ea6c8aa1fa13ea7b875c53945458de6395d8ee7b0297f54deda8b8e61a727682cb33e7eeb0dfc1e1b7d998
+SHA512 (kernel-kabi-dw-5.14.0-0.rc7.54.tar.bz2) = fb3ae66655d42c9294899e6c8fe6b684f97c65dca527f863059f419f90a3bb84fc98c0ea69f7939e9b09e1ee54a59a12cd23304b8d55275bfdb24a9d1228f43d