From bc4f18bce9f62a16827a61f6e237d231177ecd1a Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 13 Aug 2024 17:22:36 -0600 Subject: [PATCH] kernel-6.11.0-0.rc3.20240813gitd74da846046a.31 * Tue Aug 13 2024 Fedora Kernel Team [6.11.0-0.rc3.d74da846046a.31] - fedora: disable CONFIG_DRM_WERROR (Patrick Talbert) Resolves: Signed-off-by: Justin M. Forbes --- Makefile.rhelver | 2 +- Patchlist.changelog | 3 +++ kernel.changelog | 9 ++++++++- kernel.spec | 22 +++++++++++++++++----- patch-6.11-redhat.patch | 40 +++++++++++++++++++++++++++------------- sources | 6 +++--- 6 files changed, 59 insertions(+), 23 deletions(-) diff --git a/Makefile.rhelver b/Makefile.rhelver index 64f1f44ac..1232f7a10 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 99 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 30 +RHEL_RELEASE = 31 # # RHEL_REBASE_NUM diff --git a/Patchlist.changelog b/Patchlist.changelog index b169aff89..8b5846284 100644 --- a/Patchlist.changelog +++ b/Patchlist.changelog @@ -1,3 +1,6 @@ +https://gitlab.com/cki-project/kernel-ark/-/commit/6425c2e128af3870617dd29da8110e7fa17b9ba9 + 6425c2e128af3870617dd29da8110e7fa17b9ba9 not upstream: Disable vdso getrandom when FIPS is enabled + https://gitlab.com/cki-project/kernel-ark/-/commit/6ae23a2899f457adcbd4e081dec7a49a62b5ec87 6ae23a2899f457adcbd4e081dec7a49a62b5ec87 Add support to rh_waived cmdline boot parameter diff --git a/kernel.changelog b/kernel.changelog index a586d475a..470324ea0 100644 --- a/kernel.changelog +++ b/kernel.changelog 
@@ -1,7 +1,14 @@ -* Mon Aug 12 2024 Fedora Kernel Team [6.11.0-0.rc3.30] +* Tue Aug 13 2024 Fedora Kernel Team [6.11.0-0.rc3.d74da846046a.31] - fedora: disable CONFIG_DRM_WERROR (Patrick Talbert) Resolves: +* Tue Aug 13 2024 Fedora Kernel Team [6.11.0-0.rc3.d74da846046a.30] +- redhat: spec: add cachestat kselftest (Eric Chanudet) +- redhat: hmac sign the UKI for FIPS (Vitaly Kuznetsov) +- not upstream: Disable vdso getrandom when FIPS is enabled (Herbert Xu) +- Linux v6.11.0-0.rc3.d74da846046a +Resolves: + * Mon Aug 12 2024 Fedora Kernel Team [6.11.0-0.rc3.29] - Linux v6.11.0-0.rc3 Resolves: diff --git a/kernel.spec b/kernel.spec index 9ac458d7a..0fd0900b8 100644 --- a/kernel.spec +++ b/kernel.spec @@ -163,13 +163,13 @@ Summary: The Linux kernel %define specrpmversion 6.11.0 %define specversion 6.11.0 %define patchversion 6.11 -%define pkgrelease 0.rc3.30 +%define pkgrelease 0.rc3.20240813gitd74da846046a.31 %define kversion 6 -%define tarfile_release 6.11-rc3 +%define tarfile_release 6.11-rc3-7-gd74da846046a # This is needed to do merge window version magic %define patchlevel 11 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 0.rc3.30%{?buildid}%{?dist} +%define specrelease 0.rc3.20240813gitd74da846046a.31%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 6.11.0 @@ -2676,6 +2676,11 @@ BuildKernel() { # signkernel %endif + # hmac sign the UKI for FIPS + KernelUnifiedImageHMAC="$KernelUnifiedImageDir/.$InstallName-virt.efi.hmac" + %{log_msg "hmac sign the UKI for FIPS"} + %{log_msg "Creating hmac file: $KernelUnifiedImageHMAC"} + (cd $KernelUnifiedImageDir && sha512hmac $InstallName-virt.efi) > $KernelUnifiedImageHMAC; # with_efiuki %endif 
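Review bot: In the `@@ -2676,6 +2676,11 @@` hunk of kernel.spec, the added `sha512hmac` line leaves `$KernelUnifiedImageDir`, `$InstallName` and `$KernelUnifiedImageHMAC` unquoted and puts the redirection outside the subshell, so the `.hmac` file is created even when `cd` or `sha512hmac` fails; whether the build then stops depends on shell options not visible here. An empty or partial HMAC file would then be picked up by the new `%attr(0644, root, root) …-virt.efi.hmac` entry in the `%files` hunk and presumably only surface as a failed FIPS integrity check on the installed system. I would write `(cd "$KernelUnifiedImageDir" && sha512hmac "$InstallName-virt.efi") > "$KernelUnifiedImageHMAC"` followed by `test -s "$KernelUnifiedImageHMAC"`. The placement after the `# signkernel` `%endif` looks right, since the digest has to cover the signed image; a one-line comment saying that no later step may rewrite `$InstallName-virt.efi` would keep it that way. BuildKernel's body starts and ends outside the hunk.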
@@ -3069,7 +3074,7 @@ pushd tools/testing/selftests %endif %{log_msg "main selftests compile"} -%{make} %{?_smp_mflags} ARCH=$Arch V=1 TARGETS="bpf cgroup mm net net/forwarding net/mptcp netfilter tc-testing memfd drivers/net/bonding iommu" SKIP_TARGETS="" $force_targets INSTALL_PATH=%{buildroot}%{_libexecdir}/kselftests VMLINUX_H="${RPM_VMLINUX_H}" install +%{make} %{?_smp_mflags} ARCH=$Arch V=1 TARGETS="bpf cgroup mm net net/forwarding net/mptcp netfilter tc-testing memfd drivers/net/bonding iommu cachestat" SKIP_TARGETS="" $force_targets INSTALL_PATH=%{buildroot}%{_libexecdir}/kselftests VMLINUX_H="${RPM_VMLINUX_H}" install %ifarch %{klptestarches} # kernel livepatching selftest test_modules will build against @@ -4013,6 +4018,7 @@ fi\ /lib/modules/%{KVERREL}%{?3:+%{3}}/config\ /lib/modules/%{KVERREL}%{?3:+%{3}}/modules.builtin*\ %attr(0644, root, root) /lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi\ +%attr(0644, root, root) /lib/modules/%{KVERREL}%{?3:+%{3}}/.%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi.hmac\ %ghost /%{image_install_path}/efi/EFI/Linux/%{?-k:%{-k*}}%{!?-k:*}-%{KVERREL}%{?3:+%{3}}.efi\ %{expand:%%files %{?3:%{3}-}uki-virt-addons}\ /lib/modules/%{KVERREL}%{?3:+%{3}}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-virt.efi.extra.d/ \ @@ -4091,9 +4097,15 @@ fi\ # # %changelog -* Mon Aug 12 2024 Fedora Kernel Team [6.11.0-0.rc3.30] +* Tue Aug 13 2024 Fedora Kernel Team [6.11.0-0.rc3.d74da846046a.31] - fedora: disable CONFIG_DRM_WERROR (Patrick Talbert) +* Tue Aug 13 2024 Fedora Kernel Team [6.11.0-0.rc3.d74da846046a.30] +- redhat: spec: add cachestat kselftest (Eric Chanudet) +- redhat: hmac sign the UKI for FIPS (Vitaly Kuznetsov) +- not upstream: Disable vdso getrandom when FIPS is enabled (Herbert Xu) +- Linux v6.11.0-0.rc3.d74da846046a + * Mon Aug 12 2024 Fedora Kernel Team [6.11.0-0.rc3.29] - Linux v6.11.0-0.rc3 diff --git a/patch-6.11-redhat.patch b/patch-6.11-redhat.patch index 41cc1e770..8a8d7d8d9 100644 --- a/patch-6.11-redhat.patch 
+++ b/patch-6.11-redhat.patch @@ -19,7 +19,7 @@ drivers/ata/libahci.c | 18 + drivers/char/ipmi/ipmi_dmi.c | 15 + drivers/char/ipmi/ipmi_msghandler.c | 16 +- - drivers/char/random.c | 122 +++++ + drivers/char/random.c | 126 ++++- drivers/firmware/efi/Makefile | 1 + drivers/firmware/efi/efi.c | 124 +++-- drivers/firmware/efi/secureboot.c | 38 ++ @@ -78,7 +78,7 @@ security/lockdown/Kconfig | 13 + security/lockdown/lockdown.c | 1 + security/security.c | 12 + - 80 files changed, 2682 insertions(+), 257 deletions(-) + 80 files changed, 2685 insertions(+), 258 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 09126bb8cc9f..ee2984e46c06 100644 @@ -947,10 +947,10 @@ index e12b531f5c2f..082707f8dff8 100644 rv = ipmi_register_driver(); mutex_unlock(&ipmi_interfaces_mutex); diff --git a/drivers/char/random.c b/drivers/char/random.c -index 87fe61295ea1..707f271e7728 100644 +index 87fe61295ea1..bc84784b9ecb 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c -@@ -51,6 +51,7 @@ +@@ -51,9 +51,11 @@ #include #include #include @@ -958,7 +958,11 @@ index 87fe61295ea1..707f271e7728 100644 #include #include #include -@@ -322,6 +323,11 @@ static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE], ++#include + #include + #include + #ifdef CONFIG_VDSO_GETRANDOM +@@ -322,6 +324,11 @@ static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE], memzero_explicit(first_block, sizeof(first_block)); } 
@@ -970,7 +974,17 @@ index 87fe61295ea1..707f271e7728 100644 /* * This function returns a ChaCha state that you may use for generating * random data. It also returns up to 32 bytes on its own of random data -@@ -755,6 +761,9 @@ static void __cold _credit_init_bits(size_t bits) +@@ -735,7 +742,8 @@ static void __cold _credit_init_bits(size_t bits) + queue_work(system_unbound_wq, &set_ready); + atomic_notifier_call_chain(&random_ready_notifier, 0, NULL); + #ifdef CONFIG_VDSO_GETRANDOM +- WRITE_ONCE(_vdso_rng_data.is_ready, true); ++ if (!fips_enabled) ++ WRITE_ONCE(_vdso_rng_data.is_ready, true); + #endif + wake_up_interruptible(&crng_init_wait); + kill_fasync(&fasync, SIGIO, POLL_IN); +@@ -755,6 +763,9 @@ static void __cold _credit_init_bits(size_t bits) } @@ -980,7 +994,7 @@ index 87fe61295ea1..707f271e7728 100644 /********************************************************************** * * Entropy collection routines. -@@ -972,6 +981,19 @@ void __init add_bootloader_randomness(const void *buf, size_t len) +@@ -972,6 +983,19 @@ void __init add_bootloader_randomness(const void *buf, size_t len) credit_init_bits(len * 8); } @@ -1000,7 +1014,7 @@ index 87fe61295ea1..707f271e7728 100644 #if IS_ENABLED(CONFIG_VMGENID) static BLOCKING_NOTIFIER_HEAD(vmfork_chain); -@@ -1381,6 +1403,7 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags +@@ -1381,6 +1405,7 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags { struct iov_iter iter; int ret; @@ -1008,7 +1022,7 @@ index 87fe61295ea1..707f271e7728 100644 if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE)) return -EINVAL; -@@ -1392,6 +1415,21 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags +@@ -1392,6 +1417,21 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM)) return -EINVAL; 
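Review bot: The nested hunk in `_credit_init_bits` (`@@ -735,7 +742,8 @@`) gates `WRITE_ONCE(_vdso_rng_data.is_ready, true)` on `!fips_enabled` without a comment, so the reason the vDSO data is never marked ready in FIPS mode is only recoverable from the changelog entry "Disable vdso getrandom when FIPS is enabled". I would add above the `if`: `/* FIPS: leave is_ready clear so vDSO getrandom() keeps falling back to the syscall */`; the fallback behaviour itself is not visible in this hunk, so confirm it against the vDSO code. The guard covers only this one store, so if `is_ready` is written anywhere else in random.c that store needs the same condition. `_credit_init_bits` starts and ends outside the hunk.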
@@ -1030,7 +1044,7 @@ index 87fe61295ea1..707f271e7728 100644 if (!crng_ready() && !(flags & GRND_INSECURE)) { if (flags & GRND_NONBLOCK) return -EAGAIN; -@@ -1412,6 +1450,12 @@ static __poll_t random_poll(struct file *file, poll_table *wait) +@@ -1412,6 +1452,12 @@ static __poll_t random_poll(struct file *file, poll_table *wait) return crng_ready() ? EPOLLIN | EPOLLRDNORM : EPOLLOUT | EPOLLWRNORM; } @@ -1043,7 +1057,7 @@ index 87fe61295ea1..707f271e7728 100644 static ssize_t write_pool_user(struct iov_iter *iter) { u8 block[BLAKE2S_BLOCK_SIZE]; -@@ -1552,7 +1596,58 @@ static int random_fasync(int fd, struct file *filp, int on) +@@ -1552,7 +1598,58 @@ static int random_fasync(int fd, struct file *filp, int on) return fasync_helper(fd, filp, on, &fasync); } @@ -1102,7 +1116,7 @@ index 87fe61295ea1..707f271e7728 100644 .read_iter = random_read_iter, .write_iter = random_write_iter, .poll = random_poll, -@@ -1565,6 +1660,7 @@ const struct file_operations random_fops = { +@@ -1565,6 +1662,7 @@ const struct file_operations random_fops = { }; const struct file_operations urandom_fops = { @@ -1110,7 +1124,7 @@ index 87fe61295ea1..707f271e7728 100644 .read_iter = urandom_read_iter, .write_iter = random_write_iter, .unlocked_ioctl = random_ioctl, -@@ -1575,6 +1671,32 @@ const struct file_operations urandom_fops = { +@@ -1575,6 +1673,32 @@ const struct file_operations urandom_fops = { .splice_write = iter_file_splice_write, }; diff --git a/sources b/sources index 9ef5ab511..ed5ecad8e 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-SHA512 (linux-6.11-rc3.tar.xz) = d87de5c563d9157e46b7311f131d0b897207c32e013da59634c239ed94d69b249152bb12aa33ac6a147d3645abae945b28b3d5b299f9636fd299ed1861fd8057
-SHA512 (kernel-abi-stablelists-6.11.0.tar.xz) = 091e5aacef72390008a31f74d9155d516ccf24a2d8764c6eb0ff13232d61587dd31d2c8c851a519b89916dc4d00a175dd7287ffd8735cc3e0625e006c0acd18a
-SHA512 (kernel-kabi-dw-6.11.0.tar.xz) = 1a8f7b1df20a140c8237cbad506a616cc6d65c56888844566645c4f3dc49de2655a8dd74f8ee568ed38172b695aee21815495cf68a92a462e75fc53b7f02e996
+SHA512 (linux-6.11-rc3-7-gd74da846046a.tar.xz) = e97b4235025b51feab6dfa68b6fcb65c9771335c4cfbfcbe2d7f2551ff4551878a65d3c510853514f2ac65844d3c73ddd310e5ce872a390e3f3070561f6e1dc6
+SHA512 (kernel-abi-stablelists-6.11.0.tar.xz) = 47cb5d861240c448815e19af435dd101d5a2366ecca30b8dbe35066d6b3c4dcda21589d30695ed69e045593392bb3dfca9265aa236d787a5073950e3e7c89618
+SHA512 (kernel-kabi-dw-6.11.0.tar.xz) = 2451593786a6faebef58b6a03269a93e14674a1b60b56f63e86b113db2e59072e02533dfcfa18a08c3d37074830e8bdccf55fc7a77eebc93f6a7106be7b6e20f