From 395525c94e48d15d254e001fbf020e20f3f0d17f Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Tue, 6 Aug 2024 12:13:43 -0600
Subject: [PATCH] kernel-6.11.0-0.rc2.20240806gitb446a2dae984.24
* Tue Aug 06 2024 Fedora Kernel Team [6.11.0-0.rc2.b446a2dae984.24]
- fedora: disable CONFIG_DRM_WERROR (Patrick Talbert)
Resolves:
Signed-off-by: Justin M. Forbes
---
 Makefile.rhelver | 2 +-
 kernel-ppc64le-debug-rhel.config | 3 +-
 kernel-ppc64le-rhel.config | 3 +-
 kernel-s390x-debug-rhel.config | 3 +-
 kernel-s390x-rhel.config | 3 +-
 kernel-s390x-zfcpdump-rhel.config | 1 -
 kernel-x86_64-debug-rhel.config | 3 +-
 kernel-x86_64-rhel.config | 3 +-
 kernel-x86_64-rt-debug-rhel.config | 3 +-
 kernel-x86_64-rt-rhel.config | 3 +-
 kernel.changelog | 9 +-
 kernel.spec | 55 ++++++++++-
 sources | 6 +-
 uki_addons.json | 12 +++
 uki_create_addons.py | 151 +++++++++++++++++++++++++++++
 15 files changed, 234 insertions(+), 26 deletions(-)
 create mode 100644 uki_addons.json
 create mode 100755 uki_create_addons.py
diff --git a/Makefile.rhelver b/Makefile.rhelver
index c9670fb00..47598f6b1 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 99
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 23
+RHEL_RELEASE = 24
 #
 # RHEL_REBASE_NUM
diff --git a/kernel-ppc64le-debug-rhel.config b/kernel-ppc64le-debug-rhel.config
index dd59173f0..4d2b95f86 100644
--- a/kernel-ppc64le-debug-rhel.config
+++ b/kernel-ppc64le-debug-rhel.config
@@ -1960,8 +1960,7 @@ CONFIG_GENEVE=m
 # CONFIG_GEN_RTC is not set
 CONFIG_GENWQE=m
 CONFIG_GENWQE_PLATFORM_ERROR_RECOVERY=1
-CONFIG_GFS2_FS_LOCKING_DLM=y
-CONFIG_GFS2_FS=m
+# CONFIG_GFS2_FS is not set
 # CONFIG_GIGABYTE_WMI is not set
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_GLOB=y
diff --git a/kernel-ppc64le-rhel.config b/kernel-ppc64le-rhel.config
index d72354ef2..14de8096a 100644
--- a/kernel-ppc64le-rhel.config
+++ b/kernel-ppc64le-rhel.config
@@ -1944,8 +1944,7 @@ CONFIG_GENEVE=m
 # CONFIG_GEN_RTC is not set
 CONFIG_GENWQE=m
 CONFIG_GENWQE_PLATFORM_ERROR_RECOVERY=1
-CONFIG_GFS2_FS_LOCKING_DLM=y
-CONFIG_GFS2_FS=m
+# CONFIG_GFS2_FS is not set
 # CONFIG_GIGABYTE_WMI is not set
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_GLOB=y
diff --git a/kernel-s390x-debug-rhel.config b/kernel-s390x-debug-rhel.config
index 99ee642d2..efb6d582c 100644
--- a/kernel-s390x-debug-rhel.config
+++ b/kernel-s390x-debug-rhel.config
@@ -1960,8 +1960,7 @@ CONFIG_GENEVE=m
 # CONFIG_GEN_RTC is not set
 CONFIG_GENWQE=m
 CONFIG_GENWQE_PLATFORM_ERROR_RECOVERY=0
-CONFIG_GFS2_FS_LOCKING_DLM=y
-CONFIG_GFS2_FS=m
+# CONFIG_GFS2_FS is not set
 # CONFIG_GIGABYTE_WMI is not set
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_GLOB=y
diff --git a/kernel-s390x-rhel.config b/kernel-s390x-rhel.config
index 39df26cae..af0f96f59 100644
--- a/kernel-s390x-rhel.config
+++ b/kernel-s390x-rhel.config
@@ -1944,8 +1944,7 @@ CONFIG_GENEVE=m
 # CONFIG_GEN_RTC is not set
 CONFIG_GENWQE=m
 CONFIG_GENWQE_PLATFORM_ERROR_RECOVERY=0
-CONFIG_GFS2_FS_LOCKING_DLM=y
-CONFIG_GFS2_FS=m
+# CONFIG_GFS2_FS is not set
 # CONFIG_GIGABYTE_WMI is not set
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_GLOB=y
diff --git a/kernel-s390x-zfcpdump-rhel.config b/kernel-s390x-zfcpdump-rhel.config
index 42982f031..a42ce9424 100644
--- a/kernel-s390x-zfcpdump-rhel.config
+++ b/kernel-s390x-zfcpdump-rhel.config
@@ -1950,7 +1950,6 @@ CONFIG_GENEVE=m
 CONFIG_GENWQE=m
 CONFIG_GENWQE_PLATFORM_ERROR_RECOVERY=0
 # CONFIG_GFS2_FS is not set
-CONFIG_GFS2_FS_LOCKING_DLM=y
 # CONFIG_GIGABYTE_WMI is not set
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_GLOB=y
diff --git a/kernel-x86_64-debug-rhel.config b/kernel-x86_64-debug-rhel.config
index ebf76d86a..7e232144e 100644
--- a/kernel-x86_64-debug-rhel.config
+++ b/kernel-x86_64-debug-rhel.config
@@ -2093,8 +2093,7 @@ CONFIG_GENERIC_ISA_DMA=y
 CONFIG_GENEVE=m
 # CONFIG_GEN_RTC is not set
 # CONFIG_GENWQE is not set
-CONFIG_GFS2_FS_LOCKING_DLM=y
-CONFIG_GFS2_FS=m
+# CONFIG_GFS2_FS is not set
 # CONFIG_GIGABYTE_WMI is not set
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_GLOB=y
diff --git a/kernel-x86_64-rhel.config b/kernel-x86_64-rhel.config
index 8f3b6065f..eb4738f35 100644
--- a/kernel-x86_64-rhel.config
+++ b/kernel-x86_64-rhel.config
@@ -2077,8 +2077,7 @@ CONFIG_GENERIC_ISA_DMA=y
 CONFIG_GENEVE=m
 # CONFIG_GEN_RTC is not set
 # CONFIG_GENWQE is not set
-CONFIG_GFS2_FS_LOCKING_DLM=y
-CONFIG_GFS2_FS=m
+# CONFIG_GFS2_FS is not set
 # CONFIG_GIGABYTE_WMI is not set
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_GLOB=y
diff --git a/kernel-x86_64-rt-debug-rhel.config b/kernel-x86_64-rt-debug-rhel.config
index ac334b5b4..17aa14cab 100644
--- a/kernel-x86_64-rt-debug-rhel.config
+++ b/kernel-x86_64-rt-debug-rhel.config
@@ -2132,8 +2132,7 @@ CONFIG_GENERIC_ISA_DMA=y
 CONFIG_GENEVE=m
 # CONFIG_GEN_RTC is not set
 # CONFIG_GENWQE is not set
-CONFIG_GFS2_FS_LOCKING_DLM=y
-CONFIG_GFS2_FS=m
+# CONFIG_GFS2_FS is not set
 # CONFIG_GIGABYTE_WMI is not set
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_GLOB=y
diff --git a/kernel-x86_64-rt-rhel.config b/kernel-x86_64-rt-rhel.config
index 8145bf5a8..80fb00d52 100644
--- a/kernel-x86_64-rt-rhel.config
+++ b/kernel-x86_64-rt-rhel.config
@@ -2116,8 +2116,7 @@ CONFIG_GENERIC_ISA_DMA=y
 CONFIG_GENEVE=m
 # CONFIG_GEN_RTC is not set
 # CONFIG_GENWQE is not set
-CONFIG_GFS2_FS_LOCKING_DLM=y
-CONFIG_GFS2_FS=m
+# CONFIG_GFS2_FS is not set
 # CONFIG_GIGABYTE_WMI is not set
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_GLOB=y
diff --git a/kernel.changelog b/kernel.changelog
index cab8407c1..1c131ee6d 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,7 +1,14 @@
-* Mon Aug 05 2024 Fedora Kernel Team [6.11.0-0.rc2.23]
+* Tue Aug 06 2024 Fedora Kernel Team [6.11.0-0.rc2.b446a2dae984.24]
 - fedora: disable CONFIG_DRM_WERROR (Patrick Talbert)
 Resolves:
+* Tue Aug 06 2024 Fedora Kernel Team [6.11.0-0.rc2.b446a2dae984.23]
+- redhat/configs: Disable gfs2 in rhel configs (Andrew Price)
+- redhat/uki_addons/virt: add common FIPS addon (Emanuele Giuseppe Esposito)
+- redhat/kernel.spec: add uki_addons to create UKI kernel cmdline addons (Emanuele Giuseppe Esposito)
+- Linux v6.11.0-0.rc2.b446a2dae984
+Resolves:
+
 * Mon Aug 05 2024 Fedora Kernel Team [6.11.0-0.rc2.22]
 - rh_flags: fix failed when register_sysctl_sz rh_flags_table to kernel (Ricardo Robaina) [RHEL-52629]
 - Linux v6.11.0-0.rc2
diff --git a/kernel.spec b/kernel.spec
index 72182325c..aafb2a6c7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -163,13 +163,13 @@ Summary: The Linux kernel
 %define specrpmversion 6.11.0
 %define specversion 6.11.0
 %define patchversion 6.11
-%define pkgrelease 0.rc2.23
+%define pkgrelease 0.rc2.20240806gitb446a2dae984.24
 %define kversion 6
-%define tarfile_release 6.11-rc2
+%define tarfile_release 6.11-rc2-4-gb446a2dae984
 # This is needed to do merge window version magic
 %define patchlevel 11
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 0.rc2.23%{?buildid}%{?dist}
+%define specrelease 0.rc2.20240806gitb446a2dae984.24%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 6.11.0
@@ -795,6 +795,8 @@ BuildRequires: lvm2
 BuildRequires: systemd-boot-unsigned
 # For systemd-stub and systemd-pcrphase
 BuildRequires: systemd-udev >= 252-1
+# For UKI kernel cmdline addons
+BuildRequires: systemd-ukify
 # For TPM operations in UKI initramfs
 BuildRequires: tpm2-tools
 # For UKI sb cert
@@ -923,6 +925,9 @@ Source86: dracut-virt.conf
 Source87: flavors
+Source151: uki_create_addons.py
+Source152: uki_addons.json
+
 Source100: rheldup3.x509
 Source101: rhelkpatch1.x509
 Source102: nvidiagpuoot001.x509
@@ -1564,6 +1569,11 @@ Provides: kernel-%{?1:%{1}-}uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
 Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
 Requires(pre): %{kernel_prereq}\
 Requires(pre): systemd >= 254-1\
+%package %{?1:%{1}-}uki-virt-addons\
+Summary: %{variant_summary} unified kernel image addons for virtual machines\
+Provides: installonlypkg(kernel)\
+Requires: kernel%{?1:-%{1}}-uki-virt = %{specrpmversion}-%{release}\
+Requires(pre): systemd >= 254-1\
 %endif\
 %endif\
 %if %{with_gcov}\
@@ -1703,31 +1713,49 @@ input and output, etc.
 %if %{with_up} && %{with_debug} && %{with_efiuki}
 %description debug-uki-virt
 Prebuilt debug unified kernel image for virtual machines.
+
+%description debug-uki-virt-addons
+Prebuilt debug unified kernel image addons for virtual machines.
 %endif
 %if %{with_up_base} && %{with_efiuki}
 %description uki-virt
 Prebuilt default unified kernel image for virtual machines.
+
+%description uki-virt-addons
+Prebuilt default unified kernel image addons for virtual machines.
 %endif
 %if %{with_arm64_16k} && %{with_debug} && %{with_efiuki}
 %description 16k-debug-uki-virt
 Prebuilt 16k debug unified kernel image for virtual machines.
+
+%description 16k-debug-uki-virt-addons
+Prebuilt 16k debug unified kernel image addons for virtual machines.
 %endif
 %if %{with_arm64_16k_base} && %{with_efiuki}
 %description 16k-uki-virt
 Prebuilt 16k unified kernel image for virtual machines.
+
+%description 16k-uki-virt-addons
+Prebuilt 16k unified kernel image addons for virtual machines.
 %endif
 %if %{with_arm64_64k} && %{with_debug} && %{with_efiuki}
 %description 64k-debug-uki-virt
 Prebuilt 64k debug unified kernel image for virtual machines.
+
+%description 64k-debug-uki-virt-addons
+Prebuilt 64k debug unified kernel image addons for virtual machines.
 %endif
 %if %{with_arm64_64k_base} && %{with_efiuki}
 %description 64k-uki-virt
 Prebuilt 64k unified kernel image for virtual machines.
+
+%description 64k-uki-virt-addons
+Prebuilt 64k unified kernel image addons for virtual machines.
 %endif
 %if %{with_ipaclones}
@@ -2614,6 +2642,10 @@ BuildKernel() {
 --kernel-cmdline 'console=tty0 console=ttyS0' \
 $KernelUnifiedImage
+ KernelAddonsDirOut="$KernelUnifiedImage.extra.d"
+ mkdir -p $KernelAddonsDirOut
+ python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu}
+
 %if %{signkernel}
 %{log_msg "Sign the EFI UKI kernel"}
 %if 0%{?fedora}%{?eln}
@@ -2635,6 +2667,12 @@ BuildKernel() {
 fi
 mv $KernelUnifiedImage.signed $KernelUnifiedImage
+ for addon in "$KernelAddonsDirOut"/*; do
+ %pesign -s -i $addon -o $addon.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+ rm -f $addon
+ mv $addon.signed $addon
+ done
+
 # signkernel
 %endif
@@ -3972,6 +4010,9 @@ fi\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/modules.builtin*\
 %attr(0644, root, root) /lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi\
 %ghost /%{image_install_path}/efi/EFI/Linux/%{?-k:%{-k*}}%{!?-k:*}-%{KVERREL}%{?3:+%{3}}.efi\
+%{expand:%%files %{?3:%{3}-}uki-virt-addons}\
+/lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi.extra.d/ \
+/lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi.extra.d/*.addon.efi\
 %endif\
 %endif\
 %if %{?3:1} %{!?3:0}\
@@ -4046,9 +4087,15 @@ fi\
 #
 #
 %changelog
-* Mon Aug 05 2024 Fedora Kernel Team [6.11.0-0.rc2.23]
+* Tue Aug 06 2024 Fedora Kernel Team [6.11.0-0.rc2.b446a2dae984.24]
 - fedora: disable CONFIG_DRM_WERROR (Patrick Talbert)
+* Tue Aug 06 2024 Fedora Kernel Team [6.11.0-0.rc2.b446a2dae984.23]
+- redhat/configs: Disable gfs2 in rhel configs (Andrew Price)
+- redhat/uki_addons/virt: add common FIPS addon (Emanuele Giuseppe Esposito)
+- redhat/kernel.spec: add uki_addons to create UKI kernel cmdline addons (Emanuele Giuseppe Esposito)
+- Linux v6.11.0-0.rc2.b446a2dae984
+
 * Mon Aug 05 2024 Fedora Kernel Team [6.11.0-0.rc2.22]
 - rh_flags: fix failed when register_sysctl_sz rh_flags_table to kernel (Ricardo Robaina) [RHEL-52629]
 - Linux v6.11.0-0.rc2
diff --git a/sources b/sources
index 3048dad68..f035d2626 100644
--- a/sources
+++ b/sources
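Review bot: The addon signing loop in the `@@ -2635,6 +2667,12 @@` hunk runs `rm -f $addon` and `mv $addon.signed $addon` without first checking that pesign wrote a non-empty `$addon.signed`, so a signing failure is caught only if the `mv` itself happens to fail. The `fi` directly above the UKI `mv` suggests the UKI path has such a guard outside this hunk; I would mirror it with `[ -s "$addon.signed" ] || exit 1` before the `rm`. The loop also hard-codes `%{secureboot_ca_0}`, `%{secureboot_key_0}` and `%{pesign_name_0}`; please confirm these match the certificate and key used for the UKI on every branch of the preceding `%if`, which is not visible here. BuildKernel() starts and ends outside the hunk.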
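Review bot: In the `@@ -3972,6 +4010,9 @@` hunk the `-virt.efi.extra.d/` entry is listed without `%dir`, so it already packages the directory and everything under it, and the `*.addon.efi` glob on the next line lists the same files a second time (rpm normally warns about files listed twice). Prefixing the first entry with `%dir` keeps directory ownership and leaves the glob as the only file list, which also keeps any stray non-addon file in that directory out of the signed-addons package. The UKI entry above carries `%attr(0644, root, root)`; the addon entries could state the same mode explicitly.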
@@ -1,3 +1,3 @@
-SHA512 (linux-6.11-rc2.tar.xz) = 16361c52d4ebd0a03853df43a1cc08f11623d1f39d29e00f49a1505177b9e3900709d67c35c419fd3192f2a89a83a5c8bc284a2cb81db2c18700ff45ffdcfdaf
-SHA512 (kernel-abi-stablelists-6.11.0.tar.xz) = 126ed4411de6559f069020da5433b07ee940be86c6036766034d1f8744d7293630281c08fdfe841357232b598b14d5d8938711494c6bf10f367ba846f27e1403
-SHA512 (kernel-kabi-dw-6.11.0.tar.xz) = 50513c517ba3e37c7af0381366519267e227863e3d4ab0b658632608cc02bc7286010c965d8bbe576d18dae89db39165fff8d1623a68380656ad23d0e7909492
+SHA512 (linux-6.11-rc2-4-gb446a2dae984.tar.xz) = 19724e8f14d155be3dd79a4b62ac7e7b07101a1ddf1f54b981ec4a9b6941d2d96349ab9f5e2ca67608d3709c3e180817febca95bcc3760dd250d521a7fb3d26f
+SHA512 (kernel-abi-stablelists-6.11.0.tar.xz) = 4bebd9e56207e36fe3c4dc9de5df5b39cdf4f8947aeb31b69bf126c3a21cc4de27cc934656d9657572664000c6267013f5002ecff863c4fd01249e8cacb0c092
+SHA512 (kernel-kabi-dw-6.11.0.tar.xz) = 291cba60d3ff6735b96ab1b8e37e62f9f926984cd3501121b5f10e5a40fec6a051e1f74c4a291147c75783fa2ebb455a1079c573d4bf72e9f93ac758be4eec83
diff --git a/uki_addons.json b/uki_addons.json
new file mode 100644
index 000000000..d82dc87d6
--- /dev/null
+++ b/uki_addons.json
@@ -0,0 +1,12 @@
+{
+ "virt": {
+ "common": {
+ "fips-disable.addon": [
+ "fips=0\n"
+ ],
+ "fips-enable.addon": [
+ "fips=1\n"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/uki_create_addons.py b/uki_create_addons.py
new file mode 100755
index 000000000..e30d43b2a
--- /dev/null
+++ b/uki_create_addons.py
@@ -0,0 +1,151 @@
+#!/usr/bin/env python3
+#
+# This script inspects a given json proving a list of addons, and
+# creates an addon for each key/value pair matching the given uki, distro and
+# arch provided in input.
+#
+# Usage: python uki_create_addons.py input_json out_dir uki distro arch
+#
+# This tool requires the systemd-ukify and systemd-boot packages.
+#
+# Addon file
+#-----------
+# Each addon terminates with .addon
+# Each addon contains only two types of lines:
+# Lines beginning with '#' are description and thus ignored
+# All other lines are command line to be added.
+# The name of the end resulting addon is taken from the json hierarchy.
+# For example, and addon in json['virt']['rhel']['x86_64']['hello.addon'] will
+# result in an UKI addon file generated in out_dir called
+# hello-virt.rhel.x86_64.addon.efi
+#
+# The common key, present in any sub-dict in the provided json (except the leaf dict)
+# is used as place for default addons when the same addon is not defined deep
+# in the hierarchy. For example, if we define test.addon (text: 'test1\n') in
+# json['common']['test.addon'] = ['test1\n'] and another test.addon (text: test2) in
+# json['virt']['common']['test.addon'] = ['test2'], any other uki except virt
+# will have a test.addon.efi with text "test1", and virt will have a
+# test.addon.efi with "test2"
+#
+# sbat.conf
+#----------
+# This dict is containing the sbat string for *all* addons being created.
+# This dict is optional, but when used has to be put in a sub-dict with
+# { 'sbat' : { 'sbat.conf' : ['your text here'] }}
+# It follows the same syntax as the addon files, meaning '#' is comment and
+# the rest is taken as sbat string and feed to ukify.
+
+import os
+import sys
+import json
+import collections
+import subprocess
+
+
+UKIFY_PATH = '/usr/lib/systemd/ukify'
+
+def usage(err):
+ print(f'Usage: {os.path.basename(__file__)} input_json output_dir uki distro arch')
+ print(f'Error:{err}')
+ sys.exit(1)
+
+def check_clean_arguments(input_json, out_dir):
+ # Remove end '/'
+ if out_dir[-1:] == '/':
+ out_dir = out_dir[:-1]
+ if not os.path.isfile(input_json):
+ usage(f'input_json {input_json} is not a file, or does not exist!')
+ if not os.path.isdir(out_dir):
+ usage(f'out_dir_dir {out_dir} is not a dir, or does not exist!')
+ return out_dir
+
+UKICmdlineAddon = collections.namedtuple('UKICmdlineAddon', ['name', 'cmdline'])
+uki_addons_list = []
+uki_addons = {}
+addon_sbat_string = None
+
+def parse_lines(lines, rstrip=True):
+ cmdline = ''
+ for l in lines:
+ l = l.lstrip()
+ if not l:
+ continue
+ if l[0] == '#':
+ continue
+ # rstrip is used only for addons cmdline, not sbat.conf, as it replaces
+ # return lines with spaces.
+ if rstrip:
+ l = l.rstrip() + ' '
+ cmdline += l
+ if cmdline == '':
+ return ''
+ return cmdline
+
+def parse_all_addons(in_obj):
+ global addon_sbat_string
+
+ for el in in_obj.keys():
+ # addon found: copy it in our global dict uki_addons
+ if el.endswith('.addon'):
+ uki_addons[el] = in_obj[el]
+
+ if 'sbat' in in_obj and 'sbat.conf' in in_obj['sbat']:
+ # sbat.conf found: override sbat with the most specific one found
+ addon_sbat_string = parse_lines(in_obj['sbat']['sbat.conf'], rstrip=False)
+
+def recursively_find_addons(in_obj, folder_list):
+ # end of recursion, leaf directory. Search all addons here
+ if len(folder_list) == 0:
+ parse_all_addons(in_obj)
+ return
+
+ # first, check for common folder
+ if 'common' in in_obj:
+ parse_all_addons(in_obj['common'])
+
+ # second, check if there is a match with the searched folder
+ if folder_list[0] in in_obj:
+ folder_next = in_obj[folder_list[0]]
+ folder_list = folder_list[1:]
+ recursively_find_addons(folder_next, folder_list)
+
+def parse_in_json(in_json, uki_name, distro, arch):
+ with open(in_json, 'r') as f:
+ in_obj = json.load(f)
+ recursively_find_addons(in_obj, [uki_name, distro, arch])
+
+ for addon_name, cmdline in uki_addons.items():
+ addon_name = addon_name.replace(".addon","")
+ addon_full_name = f'{addon_name}-{uki_name}.{distro}.{arch}.addon.efi'
+ cmdline = parse_lines(cmdline).rstrip()
+ if cmdline:
+ uki_addons_list.append(UKICmdlineAddon(addon_full_name, cmdline))
+
+def create_addons(out_dir):
+ for uki_addon in uki_addons_list:
+ out_path = os.path.join(out_dir, uki_addon.name)
+ cmd = [
+ f'{UKIFY_PATH}', 'build',
+ f'--cmdline="{uki_addon.cmdline}"',
+ f'--output={out_path}']
+ if addon_sbat_string:
+ cmd.append('--sbat="' + addon_sbat_string.rstrip() +'"')
+
+ subprocess.check_call(cmd, text=True)
+
+if __name__ == "__main__":
+ argc = len(sys.argv) - 1
+ if argc != 5:
+ usage('too few or too many parameters!')
+
+ input_json = sys.argv[1]
+ out_dir = sys.argv[2]
+ uki_name = sys.argv[3]
+ distro = sys.argv[4]
+ arch = sys.argv[5]
+
+ out_dir = check_clean_arguments(input_json, out_dir)
+ parse_in_json(input_json, uki_name, distro, arch)
+ create_addons(out_dir)
+
+
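Review bot: In create_addons() the arguments `f'--cmdline="{uki_addon.cmdline}"'` and `'--sbat="' + addon_sbat_string.rstrip() +'"'` embed literal double quotes, and because `subprocess.check_call` is given a list with no shell involved, ukify receives those quote characters as part of the value. A single-parameter addon such as `fips=1` probably still parses, but a multi-parameter command line would likely reach the kernel as one quoted token, and a quoted SBAT string would no longer be the exact CSV text that revocation checks compare against. I would drop the quotes: `f'--cmdline={uki_addon.cmdline}'` and `cmd.append('--sbat=' + addon_sbat_string.rstrip())`. It would also help to assert in the build that the generated addon's command-line section holds the expected text before it is signed.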