From: Eric Chanudet on gitlab.com
Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3055
NOTE: Truncated patchset due to missing public @redhat.com email
address on your GitLab profile at https://gitlab.com/-/profile.
Once that is fixed, close and reopen the merge request to
retrigger sending the emails.
Attend to the following warning introduced by a downstream change:
```
drivers/scsi/sd.c:121:20: error: ‘sd_probe_types’ defined but not used
[-Werror=unused-variable]
121 | static const char *sd_probe_types[] = { "async", "sync" };
| ^~~~~~~~~~~~~~
```
Fixes: bc573390ad32 ("scsi: sd: Add "probe_type" module parameter to allow
synchronous probing")
Signed-off-by: Eric Chanudet <echanude(a)redhat.com>
---
drivers/scsi/sd.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
From: Jan Stancek <jstancek(a)redhat.com>
redhat/kernel.spec: _buildvars_variant
This introduces a new macro that allows overriding the
variant/config to use for a standalone tools/tests build.
In SPEC, we support building standalone tools and selftests.
The main users are CKI pipelines, which run a native build.
Over time, however, selftests also introduced kmods, so
picking a correct config now matters as well.
This patch allows CKI (or other users) to pick a variant
when doing standalone tools/tests build. Nothing is changing
for builds that include kernel build.
Signed-off-by: Jan Stancek <jstancek(a)redhat.com>
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100644
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -217,6 +217,12 @@ Summary: The Linux kernel
# arm64_64k X X X
# realtime X X X
+# _buildvars_variant - kernel variant used to initialise build variables
+# This variable allows to set variant (and config) that is used when building
+# standalone tools and/or tests (with no kernel and no modules).
+# See variant parameter to BuildKernel() function.
+%define buildvars_variant %{?_buildvars_variant}%{nil}
+
# kernel-doc
%define with_doc %{?_without_doc: 0} %{?!_without_doc: 1}
# kernel-headers
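Review bot: The comment added for `_buildvars_variant` does not say which values are accepted or what an unset macro means. `%{?_buildvars_variant}%{nil}` expands to an empty string when the macro is not defined, so the comment should state that empty keeps the current default and that the value is expected to be one of the variants listed in the table just above. The pointer to BuildKernel() is also indirect, because the only consumer in this patch is the `InitBuildVars` call in the standalone tools/tests path; naming that call in the comment would make the macro easier to follow.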
@@ -2809,10 +2815,11 @@ BuildKernel %make_target %kernel_image %{_use_vdso}
%ifnarch noarch i686 %{nobuildarches}
%if !%{with_debug} && !%{with_zfcpdump} && !%{with_up} && !%{with_arm64_16k} && !%{with_arm64_64k} && !%{with_realtime}
-# If only building the user space tools, then initialize the build environment
-# and some variables so that the various userspace tools can be built.
+# If only building the user space tools or selftests, then initialize
+# the build environment and some variables so that the various userspace
+# tools can be built.
%{log_msg "Initialize userspace tools build environment"}
-InitBuildVars
+InitBuildVars %{buildvars_variant}
# Some tests build also modules, and need Module.symvers
if ! [[ -e Module.symvers ]] && [[ -f $DevelDir/Module.symvers ]]; then
%{log_msg "Found Module.symvers in DevelDir, copying to ."}
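Review bot: `InitBuildVars %{buildvars_variant}` passes the macro through unquoted and unchecked, while the enclosing `%if` still requires every `with_*` variant flag to be off. A value that is not a known variant reaches InitBuildVars as is, and a value containing whitespace would be split into several arguments. Consider rejecting unknown values before the call, and note in the comment that an empty expansion gives the previous no-argument call.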
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3089
Hi, we tested your kernel and here are the results:
Overall result: PASSED
Merge: OK
Compile: OK
Test: OK
Tested-by: CKI Project <cki-project(a)redhat.com>
Kernel information:
Brew / Koji Task ID: 117162762
You can find all the details about the test run at
https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:koji-117162762
One or more kernel tests failed:
We also see the following known issues which are not related to your changes:
Issue: NFS Connectathon: SELinux prevents rpcbind
URL: https://bugzilla.redhat.com/1758147
Affected tests:
Filesystem - NFS Connectathon [x86_64]
If you find a failure unrelated to your changes, please ask the test maintainer to review it.
This will prevent the failures from being incorrectly reported in the future.
Please reply to this email if you have any questions about the tests that we
ran or if you have any suggestions on how to make future tests more effective.
______________________________________________________________________________
From: Xin Long <lxin(a)redhat.com>
redhat/rhel_files: move tipc.ko and tipc_diag.ko to modules-extra
JIRA: https://issues.redhat.com/browse/RHEL-23931
Upstream Status: RHEL Specific
There have been a few TIPC CVE bugs and we see no Red Hat customers using
TIPC so far. Per Jianwen's request, move TIPC modules to modules-extra,
and prevent auto-loading TIPC modules just because a user triggered it.
The sysadmin will have to enable it.
Signed-off-by: Xin Long <lxin(a)redhat.com>
diff --git a/redhat/rhel_files/def_variants.yaml.rhel b/redhat/rhel_files/def_variants.yaml.rhel
index blahblah..blahblah 100644
--- a/redhat/rhel_files/def_variants.yaml.rhel
+++ b/redhat/rhel_files/def_variants.yaml.rhel
@@ -505,7 +505,7 @@ rules:
- net/sctp/.*: modules-extra
- net/sunrpc/xprtrdma/rpcrdma.*: modules
- net/sunrpc/.*: modules-core
- - net/tipc/.*: modules-core
+ - net/tipc/.*: modules-extra
- net/tls/.*: modules-core
- net/vmw_vsock/.*: modules-core
- net/xdp/.*: modules-core
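Review bot: The changed rule `net/tipc/.*: modules-extra` only moves where the TIPC modules are packaged; nothing in this hunk shows what stops them from being auto-loaded on a system that has modules-extra installed, which is the behaviour the commit message promises. Please state in the commit message which mechanism provides that, so the security intent of the change can be checked against it.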
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3096
From: Jan Stancek <jstancek(a)redhat.com>
redhat: add IMA certificates
Forward port c9s commit:
7ff63254426d ("redhat: add IMA certificates")
Starting with RHEL9.0, installed package files will have IMA signatures
if users choose so. The IMA subsystem will search for the certificate in
the .ima keyring to verify a file signature thus to make sure this file
hasn't been tampered with. To be able to add the IMA code-signing
certificate to the .ima keyring, this certificate needs to be signed by
a CA certificate in the system keyrings.
This patch builds the IMA CA certificate into the .builtin_trusted_keys
keyring and installs the IMA code-signing certificate to
/usr/share/doc/kernel-keys/KVERREL/ima.cer for user space tools like
dracut to add it to the .ima keyring.
Signed-off-by: Coiby Xu <coxu(a)redhat.com>
Signed-off-by: Jan Stancek <jstancek(a)redhat.com>
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100644
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -918,6 +918,17 @@ Source87: flavors
Source100: rheldup3.x509
Source101: rhelkpatch1.x509
Source102: nvidiagpuoot001.x509
+Source103: rhelimaca1.x509
+Source104: rhelima.x509
+Source105: rhelima_centos.x509
+
+%if 0%{?centos}
+%define ima_signing_cert %{SOURCE105}
+%else
+%define ima_signing_cert %{SOURCE104}
+%endif
+
+%define ima_cert_name ima.cer
Source200: check-kabi
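Review bot: The `%if 0%{?centos}` / `%else` selection defines `ima_signing_cert` on every build, including ones that are neither CentOS nor RHEL, while the install step later in this patch is guarded by `%if 0%{?rhel}`. Wrapping the selection in the same `rhel` condition, or adding a one-line comment on why the `%else` branch falls back to `%{SOURCE104}`, would make the intent clear and keep the two places consistent.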
@@ -1893,7 +1904,8 @@ done
openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
-cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+openssl x509 -inform der -in %{SOURCE103} -out rhelimaca1.pem
+cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem rhelimaca1.pem > ../certs/rhel.pem
%if %{signkernel}
%ifarch s390x ppc64le
openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
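Review bot: `rhelimaca1.pem` is appended to `../certs/rhel.pem` with no comment, next to certificates that serve other purposes, so a reader of this block cannot tell that it is a CA meant only to vouch for the IMA code-signing certificate. Add a short comment above the new `openssl x509` line saying so, since per the commit message everything in this bundle ends up in .builtin_trusted_keys. This hunk also shows no condition around the conversion and the `cat`, whereas the code-signing certificate is only installed under `%if 0%{?rhel}`; if that asymmetry is intended, say why.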
@@ -2712,6 +2724,11 @@ BuildKernel() {
%endif
%endif
+%if 0%{?rhel}
+ # Red Hat IMA code-signing cert, which is used to authenticate package files
+ install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
+%endif
+
%if %{signmodules}
if [ $DoModules -eq 1 ]; then
# Save the signing keys so we can sign the modules in __modsign_install_post
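Review bot: The new `install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}` line assumes the destination directory already exists, and it sits before the `%if %{signmodules}` block that saves the signing keys. Nothing in this hunk creates that directory, so use `install -D` or add a `mkdir -p` first; otherwise the step fails if the directory is only created inside the signmodules block below. Quoting the destination would also be safer, since it contains `$KernelVer`.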
diff --git a/redhat/keys/rhelima.x509 b/redhat/keys/rhelima.x509
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/rhelima.x509
Binary files /dev/null and b/redhat/keys/rhelima.x509 differ
diff --git a/redhat/keys/rhelima_centos.x509 b/redhat/keys/rhelima_centos.x509
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/rhelima_centos.x509
Binary files /dev/null and b/redhat/keys/rhelima_centos.x509 differ
diff --git a/redhat/keys/rhelimaca1.x509 b/redhat/keys/rhelimaca1.x509
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/rhelimaca1.x509
Binary files /dev/null and b/redhat/keys/rhelimaca1.x509 differ
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3094
From: Michal Schmidt <mschmidt(a)redhat.com>
redhat/configs: enable CONFIG_LEDS_TRIGGER_NETDEV also for RHEL
JIRA: https://issues.redhat.com/browse/RHEL-32110
The igc NIC driver exposes sysfs-controllable LEDs since
commit ea578703b03d ("igc: Add support for LEDs on i225/i226").
It makes sense to use the netdev trigger to control them.
CONFIG_LEDS_TRIGGER_NETDEV is already enabled for Fedora. Enable it also
for RHEL.
Signed-off-by: Michal Schmidt <mschmidt(a)redhat.com>
diff --git a/redhat/configs/fedora/generic/CONFIG_LEDS_TRIGGER_NETDEV b/redhat/configs/common/generic/CONFIG_LEDS_TRIGGER_NETDEV
rename from redhat/configs/fedora/generic/CONFIG_LEDS_TRIGGER_NETDEV
rename to redhat/configs/common/generic/CONFIG_LEDS_TRIGGER_NETDEV
index blahblah..blahblah 100644
--- a/redhat/configs/fedora/generic/CONFIG_LEDS_TRIGGER_NETDEV
+++ b/redhat/configs/common/generic/CONFIG_LEDS_TRIGGER_NETDEV
diff --git a/redhat/configs/rhel/generic/CONFIG_LEDS_TRIGGER_NETDEV b/redhat/configs/rhel/generic/CONFIG_LEDS_TRIGGER_NETDEV
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/rhel/generic/CONFIG_LEDS_TRIGGER_NETDEV
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_LEDS_TRIGGER_NETDEV is not set
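Review bot: The value RHEL ends up with is not visible in this patch, because the Fedora file is renamed to common/ without a content hunk and only the RHEL `is not set` file is removed. Please state in the commit message what the option is set to in the renamed file, so reviewers do not have to look it up to know what RHEL is getting.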
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3092