kernel-6.10.0-0.rc7.20240709git4376e966ecb7.59

* Tue Jul 09 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.10.0-0.rc7.4376e966ecb7.59] - not upstream: drop openssl ENGINE API usage (Jan Stancek) Resolves: Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
2024-07-09 06:35:19 -06:00 · 2024-07-09 06:35:19 -06:00 · b4a7bbe60a
commit b4a7bbe60a
parent cbe34e350a
6 changed files with 124 additions and 13 deletions
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@ -12,7 +12,7 @@ RHEL_MINOR = 99
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 58
+RHEL_RELEASE = 59

 #
 # RHEL_REBASE_NUM
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@ -1,3 +1,6 @@
+https://gitlab.com/cki-project/kernel-ark/-/commit/7091e7aae971eb3bb57cd05575b6d47b023d7b1b
+ 7091e7aae971eb3bb57cd05575b6d47b023d7b1b not upstream: drop openssl ENGINE API usage
+
 https://gitlab.com/cki-project/kernel-ark/-/commit/eb75341619677c7f8b6de39e4742a1bcf6569587
 eb75341619677c7f8b6de39e4742a1bcf6569587 redhat: make bnx2xx drivers unmaintained in rhel-10

--- a/kernel.changelog
+++ b/kernel.changelog
@ -1,5 +1,10 @@
-* Mon Jul 08 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.10.0-0.rc7.58]
- Add openssl-devel-engine as a buildrequirement. (Justin M. Forbes)
+* Tue Jul 09 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.10.0-0.rc7.4376e966ecb7.59]
+- not upstream: drop openssl ENGINE API usage (Jan Stancek)
+Resolves: 
+
+* Mon Jul 08 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.10.0-0.rc7.4376e966ecb7.58]
+- Also remove the zfcpdump BASE_SMALL config (Justin M. Forbes)
+- Linux v6.10.0-0.rc7.4376e966ecb7
 Resolves: 

 * Mon Jul 08 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.10.0-0.rc7.57]
--- a/kernel.spec
+++ b/kernel.spec
@ -163,13 +163,13 @@ Summary: The Linux kernel
 %define specrpmversion 6.10.0
 %define specversion 6.10.0
 %define patchversion 6.10
-%define pkgrelease 0.rc7.58
+%define pkgrelease 0.rc7.20240709git4376e966ecb7.59
 %define kversion 6
-%define tarfile_release 6.10-rc7
+%define tarfile_release 6.10-rc7-3-g4376e966ecb7
 # This is needed to do merge window version magic
 %define patchlevel 10
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 0.rc7.58%{?buildid}%{?dist}
+%define specrelease 0.rc7.20240709git4376e966ecb7.59%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 6.10.0

@ -711,7 +711,7 @@ BuildRequires: libnl3-devel
 %endif
 %endif
 %if %{with_tools} || %{signmodules} || %{signkernel}
-BuildRequires: openssl-devel openssl-devel-engine
+BuildRequires: openssl-devel
 %endif
 %if %{with_bpftool}
 BuildRequires: python3-docutils
@ -4043,8 +4043,12 @@ fi\
 #
 #
 %changelog
-* Mon Jul 08 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.10.0-0.rc7.58]
- Add openssl-devel-engine as a buildrequirement. (Justin M. Forbes)
+* Tue Jul 09 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.10.0-0.rc7.4376e966ecb7.59]
+- not upstream: drop openssl ENGINE API usage (Jan Stancek)
+
+* Mon Jul 08 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.10.0-0.rc7.4376e966ecb7.58]
+- Also remove the zfcpdump BASE_SMALL config (Justin M. Forbes)
+- Linux v6.10.0-0.rc7.4376e966ecb7

 * Mon Jul 08 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.10.0-0.rc7.57]
 - Linux v6.10.0-0.rc7
--- a/patch-6.10-redhat.patch
+++ b/patch-6.10-redhat.patch
@ -9,6 +9,7 @@
 arch/s390/kernel/setup.c                           |   4 +
 arch/x86/kernel/cpu/common.c                       |   1 +
 arch/x86/kernel/setup.c                            |  98 +++-
+ certs/extract-cert.c                               |  25 +-
 crypto/drbg.c                                      |  18 +-
 crypto/rng.c                                       | 149 +++++-
 drivers/acpi/apei/hest.c                           |   8 +
@ -69,12 +70,13 @@
 kernel/rh_messages.c                               | 414 ++++++++++++++++
 kernel/rh_messages.h                               | 325 +++++++++++++
 scripts/mod/modpost.c                              |   8 +
+ scripts/sign-file.c                                |  29 +-
 scripts/tags.sh                                    |   2 +
 security/integrity/platform_certs/load_uefi.c      |   6 +-
 security/lockdown/Kconfig                          |  13 +
 security/lockdown/lockdown.c                       |   1 +
 security/security.c                                |  12 +
- 76 files changed, 2553 insertions(+), 218 deletions(-)
+ 78 files changed, 2557 insertions(+), 268 deletions(-)

 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
 index 27ec49af1bf2..ac87cc84acef 100644
@ -408,6 +410,49 @@ index 05c5aa951da7..09c1ad947f46 100644
 	unwind_init();
 }
 
+diff --git a/certs/extract-cert.c b/certs/extract-cert.c
+index 70e9ec89d87d..f5fb74916cee 100644
+--- a/certs/extract-cert.c
+++ b/certs/extract-cert.c
+@@ -21,7 +21,6 @@
+ #include <openssl/bio.h>
+ #include <openssl/pem.h>
+ #include <openssl/err.h>
+-#include <openssl/engine.h>
+ 
+ /*
+  * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
+@@ -122,28 +121,8 @@ int main(int argc, char **argv)
+ 		fclose(f);
+ 		exit(0);
+ 	} else if (!strncmp(cert_src, "pkcs11:", 7)) {
+-		ENGINE *e;
+-		struct {
+-			const char *cert_id;
+-			X509 *cert;
+-		} parms;
+-
+-		parms.cert_id = cert_src;
+-		parms.cert = NULL;
+-
+-		ENGINE_load_builtin_engines();
+-		drain_openssl_errors();
+-		e = ENGINE_by_id("pkcs11");
+-		ERR(!e, "Load PKCS#11 ENGINE");
+-		if (ENGINE_init(e))
+-			drain_openssl_errors();
+-		else
+-			ERR(1, "ENGINE_init");
+-		if (key_pass)
+-			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
+-		ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
+-		ERR(!parms.cert, "Get X.509 from PKCS#11");
+-		write_cert(parms.cert);
+		fprintf(stderr, "Error: pkcs11 not implemented\n");
+		exit(1);
+ 	} else {
+ 		BIO *b;
+ 		X509 *x509;
 diff --git a/crypto/drbg.c b/crypto/drbg.c
 index 3addce90930c..730b03de596a 100644
 --- a/crypto/drbg.c
@ -4264,6 +4309,60 @@ index f48d72d22dc2..288e0dbe6463 100644
 
 	ret = snprintf(fname, sizeof(fname), "%s.mod.c", mod->name);
 	if (ret >= sizeof(fname)) {
+diff --git a/scripts/sign-file.c b/scripts/sign-file.c
+index 3edb156ae52c..0114ae1dbf7f 100644
+--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
+@@ -27,7 +27,6 @@
+ #include <openssl/evp.h>
+ #include <openssl/pem.h>
+ #include <openssl/err.h>
+-#include <openssl/engine.h>
+ 
+ /*
+  * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
+@@ -99,16 +98,6 @@ static void display_openssl_errors(int l)
+ 	}
+ }
+ 
+-static void drain_openssl_errors(void)
+-{
+-	const char *file;
+-	int line;
+-
+-	if (ERR_peek_error() == 0)
+-		return;
+-	while (ERR_get_error_line(&file, &line)) {}
+-}
+-
+ #define ERR(cond, fmt, ...)				\
+ 	do {						\
+ 		bool __cond = (cond);			\
+@@ -144,22 +133,8 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
+ 	EVP_PKEY *private_key;
+ 
+ 	if (!strncmp(private_key_name, "pkcs11:", 7)) {
+-		ENGINE *e;
+-
+-		ENGINE_load_builtin_engines();
+-		drain_openssl_errors();
+-		e = ENGINE_by_id("pkcs11");
+-		ERR(!e, "Load PKCS#11 ENGINE");
+-		if (ENGINE_init(e))
+-			drain_openssl_errors();
+-		else
+-			ERR(1, "ENGINE_init");
+-		if (key_pass)
+-			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
+-			    "Set PKCS#11 PIN");
+-		private_key = ENGINE_load_private_key(e, private_key_name,
+-						      NULL, NULL);
+-		ERR(!private_key, "%s", private_key_name);
+		fprintf(stderr, "Error: pkcs11 not implemented\n");
+		exit(1);
+ 	} else {
+ 		BIO *b;
+ 
 diff --git a/scripts/tags.sh b/scripts/tags.sh
 index 191e0461d6d5..e6f418b3e948 100755
 --- a/scripts/tags.sh
--- a/6
+++ b/6
@ -1,3 +1,3 @@
-SHA512 (linux-6.10-rc7.tar.xz) = e6d977770470be4344dc06cee1f163035f6adf658f1bad491bbce2dcf45e5e3fa2d419c73c873392cb6b520ae2afa73715ee2237251235cee90235092e59e6cf
-SHA512 (kernel-abi-stablelists-6.10.0.tar.xz) = 0364a05e5b1fef92f9d1bf67b1c1b3388e0cad5e1669c6a05484c8d67cff9d8511b78a694eba906d767c327cec6c34cc1fe9faff2d38e228d1a40402fc698488
-SHA512 (kernel-kabi-dw-6.10.0.tar.xz) = 503efa109c986131ce918ea62746923718c8371501610778dfa0f0ac6b265ff07a6466cbe784e0e8168fa9ce14be4b448ed49abfef7d81c711c87b2e325dcf70
+SHA512 (linux-6.10-rc7-3-g4376e966ecb7.tar.xz) = 30c212d900ae3c714f1cb508b8dd93f99a5e142cd0958301cd1043e72348a65e31d1fbe22198431f7e763aeaff584b9024c056c535779e491acf5cb4608d0f58
+SHA512 (kernel-abi-stablelists-6.10.0.tar.xz) = 7041030c6187f3c17beffc5775857aab700696737e353ea7f620b6aca6f9743534667f1e5fbd6dc9397c47c82031e66a230a9df5ba33605d0e1c71cbaa0121c1
+SHA512 (kernel-kabi-dw-6.10.0.tar.xz) = 714adeee8e4258e14367915d851e7feb92307f5f387a99fea17f981c4ab1ab5d8ffe7b0e650ebdd0db2da8e3a4ec8e63fe5a66babaa7643a65313955a7244058