From: Gerd Hoffmann kraxel@redhat.com

redhat: rename sub-rpm: kernel-modules -> kernel-modules-standard

Makes all module sub-rpms follow the scheme kernel-modules-<what>, which hopefully reduces naming confusion a bit.

Signed-off-by: Gerd Hoffmann kraxel@redhat.com [vitaly: add 'Provides: kernel-modules' for backwards compatibility] Signed-off-by: Vitaly Kuznetsov vkuznets@redhat.com

diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100755 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -570,7 +570,7 @@ ExclusiveArch: noarch i386 i686 x86_64 s390x %{arm} aarch64 ppc64le ExclusiveOS: Linux %ifnarch %{nobuildarches} Requires: kernel-core-uname-r = %{KVERREL} -Requires: kernel-modules-uname-r = %{KVERREL} +Requires: kernel-modules-standard-uname-r = %{KVERREL} %endif

@@ -1206,7 +1206,7 @@ Provides: kernel%{?1:-%{1}}-modules-internal = %{version}-%{release}%{?1:+%{1}}\ Provides: installonlypkg(kernel-module)\ Provides: kernel%{?1:-%{1}}-modules-internal-uname-r = %{KVERREL}%{?1:+%{1}}\ Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ -Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\ +Requires: kernel%{?1:-%{1}}-modules-standard-uname-r = %{KVERREL}%{?1:+%{1}}\ AutoReq: no\ AutoProv: yes\ %description %{?1:%{1}-}modules-internal\ @@ -1226,7 +1226,7 @@ Provides: kernel%{?1:-%{1}}-modules-extra = %{version}-%{release}%{?1:+%{1}}\ Provides: installonlypkg(kernel-module)\ Provides: kernel%{?1:-%{1}}-modules-extra-uname-r = %{KVERREL}%{?1:+%{1}}\ Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ -Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\ +Requires: kernel%{?1:-%{1}}-modules-standard-uname-r = %{KVERREL}%{?1:+%{1}}\ %if %{-m:1}%{!-m:0}\ Requires: kernel-modules-extra-uname-r = %{KVERREL}\ %endif\ @@ -1237,24 +1237,27 @@ This package provides less commonly used kernel modules for the %{?2:%{2} }kerne %{nil}

# -# This macro creates a kernel-<subpackage>-modules package. -# %%kernel_modules_package [-m] <subpackage> <pretty-name> +# This macro creates a kernel-<subpackage>-modules-standard package. +# %%kernel_modules_standard_package [-m] <subpackage> <pretty-name> # -%define kernel_modules_package(m) \ -%package %{?1:%{1}-}modules\ -Summary: kernel modules to match the %{?2:%{2}-}core kernel\ +%define kernel_modules_standard_package(m) \ +%package %{?1:%{1}-}modules-standard\ +Summary: Standard kernel modules to match the %{?2:%{2}-}core kernel\ +Provides: kernel%{?1:-%{1}}-modules-standard-%{_target_cpu} = %{version}-%{release}\ +Provides: kernel-modules-standard-%{_target_cpu} = %{version}-%{release}%{?1:+%{1}}\ +Provides: kernel-modules-standard = %{version}-%{release}%{?1:+%{1}}\ Provides: kernel%{?1:-%{1}}-modules-%{_target_cpu} = %{version}-%{release}\ Provides: kernel-modules-%{_target_cpu} = %{version}-%{release}%{?1:+%{1}}\ Provides: kernel-modules = %{version}-%{release}%{?1:+%{1}}\ Provides: installonlypkg(kernel-module)\ -Provides: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\ +Provides: kernel%{?1:-%{1}}-modules-standard-uname-r = %{KVERREL}%{?1:+%{1}}\ Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ %if %{-m:1}%{!-m:0}\ -Requires: kernel-modules-uname-r = %{KVERREL}\ +Requires: kernel-modules-standard-uname-r = %{KVERREL}\ %endif\ AutoReq: no\ AutoProv: yes\ -%description %{?1:%{1}-}modules\ +%description %{?1:%{1}-}modules-standard\ This package provides commonly used kernel modules for the %{?2:%{2}-}core kernel package.\ %{nil}

@@ -1266,7 +1269,7 @@ This package provides commonly used kernel modules for the %{?2:%{2}-}core kerne %package %{1}\ summary: kernel meta-package for the %{1} kernel\ Requires: kernel-%{1}-core-uname-r = %{KVERREL}+%{1}\ -Requires: kernel-%{1}-modules-uname-r = %{KVERREL}+%{1}\ +Requires: kernel-%{1}-modules-standard-uname-r = %{KVERREL}+%{1}\ Provides: installonlypkg(kernel)\ %description %{1}\ The meta-package for the %{1} kernel\ @@ -1291,7 +1294,7 @@ Requires: kernel-core-uname-r = %{KVERREL}\ %endif\ %{expand:%%kernel_devel_package %{?1:%{1}} %{!?{-n}:%{1}}%{?{-n}:%{-n*}} %{-m:%{-m}}}\ %{expand:%%kernel_devel_matched_package %{?1:%{1}} %{!?{-n}:%{1}}%{?{-n}:%{-n*}} %{-m:%{-m}}}\ -%{expand:%%kernel_modules_package %{?1:%{1}} %{!?{-n}:%{1}}%{?{-n}:%{-n*}} %{-m:%{-m}}}\ +%{expand:%%kernel_modules_standard_package %{?1:%{1}} %{!?{-n}:%{1}}%{?{-n}:%{-n*}} %{-m:%{-m}}}\ %{expand:%%kernel_modules_extra_package %{?1:%{1}} %{!?{-n}:%{1}}%{?{-n}:%{-n*}} %{-m:%{-m}}}\ %if %{-m:0}%{!-m:1}\ %{expand:%%kernel_modules_internal_package %{?1:%{1}} %{!?{-n}:%{1}}%{?{-n}:%{-n*}}}\ @@ -1316,7 +1319,7 @@ Provides: kernel%{?1:-%{1}}-modules-partner = %{version}-%{release}%{?1:+%{1}}\ Provides: installonlypkg(kernel-module)\ Provides: kernel%{?1:-%{1}}-modules-partner-uname-r = %{KVERREL}%{?1:+%{1}}\ Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ -Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\ +Requires: kernel%{?1:-%{1}}-modules-standard-uname-r = %{KVERREL}%{?1:+%{1}}\ AutoReq: no\ AutoProv: yes\ %description %{?1:%{1}-}modules-partner\ @@ -2169,7 +2172,7 @@ BuildKernel() {

# Make sure the files lists start with absolute paths or rpmbuild fails. # Also add in the dir entries - sed -e 's/^lib*//lib/' %{?zipsed} $RPM_BUILD_ROOT/k-d.list > ../kernel${Variant:+-${Variant}}-modules.list + sed -e 's/^lib*//lib/' %{?zipsed} $RPM_BUILD_ROOT/k-d.list > ../kernel${Variant:+-${Variant}}-modules-standard.list sed -e 's/^lib*/%dir /lib/' %{?zipsed} $RPM_BUILD_ROOT/module-dirs.list > ../kernel${Variant:+-${Variant}}-core.list sed -e 's/^lib*//lib/' %{?zipsed} $RPM_BUILD_ROOT/modules.list >> ../kernel${Variant:+-${Variant}}-core.list sed -e 's/^lib*//lib/' %{?zipsed} $RPM_BUILD_ROOT/mod-extra.list >> ../kernel${Variant:+-${Variant}}-modules-extra.list @@ -2817,18 +2820,18 @@ fi\ # It also defines a %%postun script that does the same thing. # %%kernel_modules_post [<subpackage>] # -%define kernel_modules_post() \ -%{expand:%%post %{?1:%{1}-}modules}\ +%define kernel_modules_standard_post() \ +%{expand:%%post %{?1:%{1}-}modules-standard}\ /sbin/depmod -a %{KVERREL}%{?1:+%{1}}\ if [ ! -f %{_localstatedir}/lib/rpm-state/%{name}/installing_core_%{KVERREL}%{?1:+%{1}} ]; then\ mkdir -p %{_localstatedir}/lib/rpm-state/%{name}\ touch %{_localstatedir}/lib/rpm-state/%{name}/need_to_run_dracut_%{KVERREL}%{?1:+%{1}}\ fi\ %{nil}\ -%{expand:%%postun %{?1:%{1}-}modules}\ +%{expand:%%postun %{?1:%{1}-}modules-standard}\ /sbin/depmod -a %{KVERREL}%{?1:+%{1}}\ %{nil}\ -%{expand:%%posttrans %{?1:%{1}-}modules}\ +%{expand:%%posttrans %{?1:%{1}-}modules-standard}\ if [ -f %{_localstatedir}/lib/rpm-state/%{name}/need_to_run_dracut_%{KVERREL}%{?1:+%{1}} ]; then\ rm -f %{_localstatedir}/lib/rpm-state/%{name}/need_to_run_dracut_%{KVERREL}%{?1:+%{1}}\ echo "Running: dracut -f --kver %{KVERREL}%{?1:+%{1}}"\ @@ -2863,7 +2866,7 @@ fi\ # %define kernel_variant_post(v:r:) \ %{expand:%%kernel_devel_post %{?-v*}}\ -%{expand:%%kernel_modules_post %{?-v*}}\ +%{expand:%%kernel_modules_standard_post %{?-v*}}\ %{expand:%%kernel_modules_extra_post %{?-v*}}\ %{expand:%%kernel_modules_internal_post %{?-v*}}\ %if 0%{!?fedora:1}\ @@ -3125,7 +3128,7 @@ fi /lib/modules/%{KVERREL}%{?3:+%{3}}/vdso\ %endif\ /lib/modules/%{KVERREL}%{?3:+%{3}}/modules.*\ -%{expand:%%files -f kernel-%{?3:%{3}-}modules.list %{?3:%{3}-}modules}\ +%{expand:%%files -f kernel-%{?3:%{3}-}modules-standard.list %{?3:%{3}-}modules-standard}\ %{expand:%%files %{?3:%{3}-}devel}\ %defverify(not mtime)\ /usr/src/kernels/%{KVERREL}%{?3:+%{3}}\ @@ -3154,7 +3157,7 @@ fi %files debug-core %files debug-devel %files debug-devel-matched -%files debug-modules +%files debug-modules-standard %files debug-modules-extra %endif %kernel_variant_files %{use_vdso} %{with_pae} lpae

-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2175

From: Vitaly Kuznetsov vkuznets@redhat.com

redhat: Add sub-RPM with a EFI unified kernel image for virtual machines

The new 'kernel-unified-virt' sub-RPM is added on x86_64 targets.

This contains an EFI application that provides a combined vmlinux, initrd and cmdline, as a so called 'unified kernel image'. The spec for this is defined by the boot loader specification

https://uapi-group.org/specifications/specs/boot_loader_specification/

The key benefit of a unified kernel is that its secure boot signature covers the initrd and cmdline contents, allowing a trustworthy measured boot process with attestation, which is not practical with locally generated initrds/cmdlines.

Since the initrd is pre-generated its contents have to be very generic, to be usable on a wide variety of deployments. To make this problem tractable, the sub-RPM targets only usage in virtual machines. With such a restriction, the initrd only needs a very small set of block driver modules present, in order to be usable across KVM, Hyper-V and Xen hypervisors which will cover essentially all common public and private clouds.

Similarly the kernel cmdline cannot contain any host specific data, which means the root filesystem to mount needs to be able to be automatically detected. A virtual machine image intending to use this unified kernel package thus needs to comply with the discoverable partitions specification:

https://uapi-group.org/specifications/specs/discoverable_partitions_specific...

Based-on-patch-by: Daniel P. Berrangé berrange@redhat.com Signed-off-by: Vitaly Kuznetsov vkuznets@redhat.com

diff --git a/redhat/Makefile b/redhat/Makefile index blahblah..blahblah 100644 --- a/redhat/Makefile +++ b/redhat/Makefile @@ -639,6 +639,7 @@ sources-rh: $(TARBALL) generate-testpatch-tmp setup-source dist-configs-check ../Makefile.rhelver \ README.rst \ kernel-local \ + dracut-virt.conf \ $(SOURCES)/ @if [ "$(RELEASED_KERNEL)" -ne 0 ]; then \ cp keys/redhatsecureboot{301,501,ca5,ca1}.cer $(SOURCES)/; \ diff --git a/redhat/dracut-virt.conf b/redhat/dracut-virt.conf new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/dracut-virt.conf @@ -0,0 +1,35 @@ +# generic + compressed please +hostonly="no" +compress="xz" + +# VMs can't update microcode anyway +early_microcode="no" + +# modules: basics +dracutmodules+=" base systemd systemd-initrd dracut-systemd dbus dbus-broker usrmount shutdown " + +# modules: storage support +dracutmodules+=" dm lvm rootfs-block fs-lib " + +# modules: tpm and crypto +dracutmodules+=" crypt crypt-loop tpm2-tss " + +# drivers: virtual buses, pci +drivers+=" virtio-pci virtio-mmio " # qemu-kvm +drivers+=" hv-vmbus pci-hyperv " # hyperv +drivers+=" xen-pcifront " # xen + +# drivers: storage +drivers+=" ahci nvme scsi-hd scsi-cd " # generic +drivers+=" virtio-blk virtio-scsi " # qemu-kvm +drivers+=" hv-storvsc " # hyperv +drivers+=" xen-blkfront " # xen + +# root encryption +drivers+=" dm_crypt " + +# filesystems +filesystems+=" vfat ext4 xfs overlay " + +# systemd-pcrphase +install_items+=" /lib/systemd/system/systemd-pcrphase-initrd.service /usr/lib/systemd/systemd-pcrphase /usr/lib/systemd/system/initrd.target.wants/systemd-pcrphase-initrd.service " diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100755 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -91,6 +91,12 @@ Summary: The Linux kernel %global zipmodules 1 %endif

+%ifarch x86_64 +%global efiunified 1 +%else +%global efiunified 0 +%endif + %if %{zipmodules} %global zipsed -e 's/.ko$/.ko.xz/' %endif @@ -698,6 +704,18 @@ BuildRequires: llvm BuildRequires: lld %endif

+%if %{efiunified} +BuildRequires: dracut +# For dracut UEFI unified binaries +BuildRequires: binutils +# For the initrd +BuildRequires: lvm2 +# For systemd-stub +BuildRequires: systemd-udev >= 250-13 +# For TPM operations in UKI initramfs +BuildRequires: tpm2-tools +%endif + # Because this is the kernel, it's hard to get a single upstream URL # to represent the base without needing to do a bunch of patching. This # tarball is generated from a src-git tree. If you want to see the @@ -825,6 +843,8 @@ Source82: update_scripts.sh Source84: mod-internal.list Source85: mod-partner.list

+Source86: dracut-virt.conf + Source100: rheldup3.x509 Source101: rhelkpatch1.x509

@@ -1333,6 +1353,13 @@ Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ %endif\ %{expand:%%kernel_debuginfo_package %{?1:%{1}}}\ %endif\ +%if %{efiunified}\ +%package %{?1:%{1}-}unified-virt\ +Summary: %{variant_summary} unified kernel image for virtual machines\ +Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ +Provides: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\ +Provides: installonlypkg(kernel)\ +%endif\ %{nil}

# @@ -1402,6 +1429,14 @@ Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.

+%if %{efiunified} +%description debug-unified-virt +Prebuilt debug unified kernel image for virtual machines. + +%description unified-virt +Prebuilt default unified kernel image for virtual machines. +%endif + %if %{with_ipaclones} %kernel_ipaclones_package %endif @@ -2182,6 +2217,46 @@ BuildKernel() { touch lib/modules/$KernelVer/modules.builtin fi

+ popd + + %if %{efiunified} + + KernelUnifiedImageDir="$RPM_BUILD_ROOT/%{image_install_path}/efi/EFI/Linux" + KernelUnifiedImage="$KernelUnifiedImageDir/$InstallName-$KernelVer-virt.efi" + + mkdir -p $KernelUnifiedImageDir + + dracut --conf=%{SOURCE86} \ + --confdir=$(mktemp -d) \ + --verbose \ + --kver "$KernelVer" \ + --kmoddir "$RPM_BUILD_ROOT/lib/modules/$KernelVer/" \ + --logfile=$(mktemp) \ + --uefi \ + --kernel-image $(realpath $KernelImage) \ + --kernel-cmdline 'console=tty0 console=ttyS0 earlyprintk=ttyS0' \ + $KernelUnifiedImage + + %if %{signkernel} + + %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} + %pesign -s -i $KernelUnifiedImage.tmp -o $KernelUnifiedImage.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} + rm -f $KernelUnifiedImage.tmp + + if [ ! -s $KernelUnifiedImage.signed ]; then + echo "pesigning failed" + exit 1 + fi + mv $KernelUnifiedImage.signed $KernelUnifiedImage + + # signkernel + %endif + + # efiunified + %endif + + pushd $RPM_BUILD_ROOT + remove_depmod_files

# Go back and find all of the various directories in the tree. We use this @@ -3190,6 +3265,10 @@ fi %{expand:%%files -f debuginfo%{?3}.list %{?3:%{3}-}debuginfo}\ %endif\ %endif\ +%if %{efiunified}\ +%{expand:%%files %{?3:%{3}-}unified-virt}\ +/%{image_install_path}/efi/EFI/Linux/%{?-k:%{-k*}}%{!?-k:vmlinuz}-%{KVERREL}%{?3:+%{3}}-virt.efi\ +%endif\ %if %{?3:1} %{!?3:0}\ %{expand:%%files %{3}}\ %endif\

-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2175