From fab840e687dce6f1dfab027f9f28af218cf67e63 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 23 Aug 2021 08:33:08 -0500 Subject: [PATCH] kernel-5.14.0-0.rc7.54 * Mon Aug 23 2021 Fedora Kernel Team [5.14.0-0.rc7.54] - redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Herton R. Krzesinski) [1994849] Resolves: rhbz#1994849 Signed-off-by: Justin M. Forbes --- Makefile.rhelver | 2 +- kernel.spec | 66 ++++++++++++++++---------------------- patch-5.14.0-redhat.patch | 10 +++--- redhatsecureboot003.cer | Bin 829 -> 0 bytes redhatsecurebootca2.cer | Bin 872 -> 0 bytes sources | 6 ++-- 6 files changed, 36 insertions(+), 48 deletions(-) delete mode 100644 redhatsecureboot003.cer delete mode 100644 redhatsecurebootca2.cer diff --git a/Makefile.rhelver b/Makefile.rhelver index 514937abf..1bec7bd85 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 99 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 50 +RHEL_RELEASE = 54 # # Early y+1 numbering diff --git a/kernel.spec b/kernel.spec index 59e26b836..6e81ce8ab 100755 --- a/kernel.spec +++ b/kernel.spec @@ -78,9 +78,9 @@ Summary: The Linux kernel # Set debugbuildsenabled to 0 to not build a separate debug kernel, but # to build the base kernel using the debug configuration. (Specifying # the --with-release option overrides this setting.) -%define debugbuildsenabled 0 +%define debugbuildsenabled 1 -%global distro_build 0.rc6.20210820gitd992fe5318d8.50 +%global distro_build 0.rc7.54 %if 0%{?fedora} %define secure_boot_arch x86_64 
@@ -124,13 +124,13 @@ Summary: The Linux kernel %define kversion 5.14 %define rpmversion 5.14.0 -%define pkgrelease 0.rc6.20210820gitd992fe5318d8.50 +%define pkgrelease 0.rc7.54 # This is needed to do merge window version magic %define patchlevel 14 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 0.rc6.20210820gitd992fe5318d8.50%{?buildid}%{?dist} +%define specrelease 0.rc7.54%{?buildid}%{?dist} %define pkg_release %{specrelease} @@ -671,7 +671,7 @@ BuildRequires: lld # exact git commit you can run # # xzcat -qq ${TARBALL} | git get-tar-commit-id -Source0: linux-5.14-rc6-125-gd992fe5318d8.tar.xz +Source0: linux-5.14-rc7.tar.xz Source1: Makefile.rhelver @@ -690,26 +690,21 @@ Source9: x509.genkey.fedora %if %{?released_kernel} Source10: redhatsecurebootca5.cer -Source11: redhatsecurebootca1.cer -Source12: redhatsecureboot501.cer -Source13: redhatsecureboot301.cer -Source14: secureboot_s390.cer -Source15: secureboot_ppc.cer +Source11: redhatsecureboot501.cer +Source12: secureboot_s390.cer +Source13: secureboot_ppc.cer -%define secureboot_ca_1 %{SOURCE10} -%define secureboot_ca_0 %{SOURCE11} +%define secureboot_ca_0 %{SOURCE10} %ifarch x86_64 aarch64 -%define secureboot_key_1 %{SOURCE12} -%define pesign_name_1 redhatsecureboot501 -%define secureboot_key_0 %{SOURCE13} -%define pesign_name_0 redhatsecureboot301 +%define secureboot_key_0 %{SOURCE11} +%define pesign_name_0 redhatsecureboot501 %endif %ifarch s390x -%define secureboot_key_0 %{SOURCE14} +%define secureboot_key_0 %{SOURCE12} %define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_key_0 %{SOURCE15} +%define secureboot_key_0 %{SOURCE13} %define pesign_name_0 redhatsecureboot303 %endif 
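Review bot: In the `%if %{?released_kernel}` branch of the `@@ -690` hunk, `secureboot_ca_0` now resolves to `redhatsecurebootca5.cer`, where before this change it was `redhatsecurebootca1.cer`. The s390x and ppc64le blocks still define only `secureboot_key_0` (`secureboot_s390.cer`, `secureboot_ppc.cer`), so the renumbering silently changes the CA paired with those two architectures. The later `install ... kernel-signing-ca.cer` in the `@@ -2097` hunk ships whatever `secureboot_ca_0` points at, so the packaged CA file changes for them as well. The issuer of the s390x and ppc64le certificates is not visible in this diff, so it is worth confirming they chain to CA 5. If they do not, a per-arch `%define secureboot_ca_0` inside the `%ifarch s390x` and `%ifarch ppc64le` blocks would keep the pairing explicit.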
@@ -717,16 +712,11 @@ Source15: secureboot_ppc.cer %else Source10: redhatsecurebootca4.cer -Source11: redhatsecurebootca2.cer -Source12: redhatsecureboot401.cer -Source13: redhatsecureboot003.cer +Source11: redhatsecureboot401.cer -%define secureboot_ca_1 %{SOURCE10} -%define secureboot_ca_0 %{SOURCE11} -%define secureboot_key_1 %{SOURCE12} -%define pesign_name_1 redhatsecureboot401 -%define secureboot_key_0 %{SOURCE13} -%define pesign_name_0 redhatsecureboot003 +%define secureboot_ca_0 %{SOURCE10} +%define secureboot_key_0 %{SOURCE11} +%define pesign_name_0 redhatsecureboot401 # released_kernel %endif @@ -1357,8 +1347,8 @@ ApplyOptionalPatch() fi } -%setup -q -n kernel-5.14-rc6-125-gd992fe5318d8 -c -mv linux-5.14-rc6-125-gd992fe5318d8 linux-%{KVERREL} +%setup -q -n kernel-5.14-rc7 -c +mv linux-5.14-rc7 linux-%{KVERREL} cd linux-%{KVERREL} cp -a %{SOURCE1} . @@ -1630,9 +1620,7 @@ BuildKernel() { fi %ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} - %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} - rm vmlinuz.tmp + %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then 
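Review bot: The single `%pesign` call under `%ifarch x86_64 aarch64` in the `@@ -1630` hunk has no comment explaining why the image is signed only once, so a later edit could reintroduce a second signing pass with a retired key. I would add a line above it such as `# Sign once with the current key only; the pre-BootHole certificate was dropped (rhbz#1994849)`. Because `vmlinuz.signed` now carries one signature, trust stores that hold only the older CA would presumably stop verifying this kernel; that looks intended but deserves a sentence in the changelog entry. BuildKernel's body starts and ends outside the hunk.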
@@ -2097,13 +2085,7 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - %ifarch x86_64 aarch64 - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer - install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer - ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - %else - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - %endif + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %ifarch s390x ppc64le if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then @@ -2952,6 +2934,12 @@ fi # # %changelog +* Mon Aug 23 2021 Fedora Kernel Team [5.14.0-0.rc7.54] +- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Herton R. Krzesinski) [1994849] + +* Sat Aug 21 2021 Fedora Kernel Team [5.14.0-0.rc6.20210821gitfa54d366a6e4.51] +- More Fedora config updates (Justin M. Forbes) + * Fri Aug 20 2021 Fedora Kernel Team [5.14.0-0.rc6.20210820gitd992fe5318d8.50] - Fedora config updates for 5.14 (Justin M. Forbes) diff --git a/patch-5.14.0-redhat.patch b/patch-5.14.0-redhat.patch index c7f6e5b5e..97503f85e 100644 --- a/patch-5.14.0-redhat.patch +++ b/patch-5.14.0-redhat.patch @@ -139,7 +139,7 @@ index 000000000000..effb81d04bfd + +endmenu diff --git a/Makefile b/Makefile -index c19d1638da25..5392d14f9646 100644 +index 80aa85170d6b..3b0fcfb382a3 100644 --- a/Makefile +++ b/Makefile @@ -18,6 +18,10 @@ $(if $(filter __%, $(MAKECMDGOALS)), \ @@ -1405,7 +1405,7 @@ index 258d5fe3d395..f7298e3dc8f3 100644 if (data->f01_container->dev.driver) { /* Driver already bound, so enable ATTN now. */ 
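Review bot: After the `@@ -2097` hunk the dated files `kernel-signing-ca-20200609.cer` and `kernel-signing-ca-20140212.cer` are no longer installed, and on x86_64 and aarch64 `kernel-signing-ca.cer` becomes a regular file instead of a symlink. The `%files` entries and any documentation or verification tooling that names the dated files are outside this hunk, so please check that nothing still references them. A short comment above the install, for example `# Only the current CA is shipped; the deprecated CA was removed with the BootHole certificate cleanup`, would make the single-file layout self-explanatory.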
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c -index 5419c4b9f27a..3bce0190f0cd 100644 +index 63f0af10c403..195be16dbd39 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -7,6 +7,7 @@ @@ -1416,7 +1416,7 @@ index 5419c4b9f27a..3bce0190f0cd 100644 #include #include #include -@@ -3036,6 +3037,27 @@ u32 iommu_sva_get_pasid(struct iommu_sva *handle) +@@ -3039,6 +3040,27 @@ u32 iommu_sva_get_pasid(struct iommu_sva *handle) } EXPORT_SYMBOL_GPL(iommu_sva_get_pasid); @@ -1743,10 +1743,10 @@ index 3a72352aa5cf..47b11f3c7fce 100644 struct pci_driver *drv; struct pci_dev *dev; diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c -index 6d74386eadc2..2333c1e4ae05 100644 +index ab3de1551b50..7bc8ebb58d35 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c -@@ -4230,6 +4230,30 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9000, +@@ -4231,6 +4231,30 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9000, DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9084, quirk_bridge_cavm_thrx2_pcie_root); 
diff --git a/redhatsecureboot003.cer b/redhatsecureboot003.cer deleted file mode 100644 index 439b75bf3ae770d62b82116e68f58758e21f2444..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 829 zcmXqLVzxABVp3ed%*4pV#K~~)o6?a_AKRD=c-c6$+C196^D;7WvoaWH8EP1)u`!3T zFbm5ErKTu&B$g-yrzV#cr7Ae(=a(orJ1Q6{Xe6bUBx)MSiSrto7#bKG0!d3F<0x@n zV{=0TBU32XK;KZ;KpSF~3O2KXGt=`j^U@WJVForaDj~avk(GhDiIJbdpox)-sfm%1 zVehSlZ+rVhV}3A}dw3;G`>Fox(Z)>vK*^xGBPM+hXU|!(G3Hw1jEa9NpK>$onv+s@ z{7litVsAnApbrYux@TJ6yZy`7_0f!K9>*sZmlqSV`9Eg&JYLjbGwmbSwzLD@iQh}kUaszo zv%ED^!FclJ5A|zJUv~7)*`NB+o#|)ITlILaRGahhd>vCu?){#pH*vPB`H9y5j~xsC zU475jq{Ok^+Qsfpbp5XV&m!hB<(2Lacyr!<=|rwakvfN;vogQ9we>IB4HrbAkz5boqLSk+u!Gww(PsU?)K%{ zl+9Ym5dcgOzzASuNRzXb4K}{#cl^kg`?n+{yH@^xl&rn)Q)2R?Z*SeD3Yp$$z3(i4 z{I@Ohqdo7>yr0%<)!es#;$5q}INkbm?mTAxJ(Oo5L--``k_#a&33Qa z+%s9Zc=s~y8qpg(i!y`$cU^MUOcduWDY<;6Y08`RDssi2V>H&cGrfyWlDxyS_leN^ z>+#ICm5X=Z;E8&1s(tIDdtX#F9)8|!T{!hfpd!;Oqa=373Qy1yo*h@ zea8xcL&whC7h?Z^xM>;@1>t? zGu0NFpDlU)nEkYplL5oM;>%t~j%XRUoZBF>Pe;c6R?Ef78}}F=+iK0k%*epFxUt8e zvC}{n7(cRnEMhDojX&PG$Jo97eQs&XzU%95U#?BrtYr`dl2&F3HVACMs$iks5*Z5Mz9^I)@fAQ%22Td8dJF?m{>Wls{ZQj$kTehHK z%NHA-;K^Gbgf|7p9bLv(XRxd0x%KP^ds-)G2LFsXwet?=tn>Zdi=Q!zy_Y??<*8xY zqT7FD-?<)DIh*fh7@KOtl`Iq+&^g(|st-i4JEXQ8}?2KZ0 diff --git a/sources b/sources index d828fd808..13497cdbf 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-SHA512 (linux-5.14-rc6-125-gd992fe5318d8.tar.xz) = 381645b7843d25375bb15c670c07a7c0ae7c4c5b944ab937ce93a88b148157956e04367d38ee6569b68b31a5d94aa32d6998a8cb568f77462688d9a89ec03ac0
-SHA512 (kernel-abi-stablelists-5.14.0-0.rc6.20210820gitd992fe5318d8.50.tar.bz2) = 8771756b6eca6465cde6f69205b993ceff4be30c53263736d83e4cfdff82a662d52532e1f6ef7e253014fa0f13148161eaa60bf5dcced6995e1f2e6bf95b74bb
-SHA512 (kernel-kabi-dw-5.14.0-0.rc6.20210820gitd992fe5318d8.50.tar.bz2) = 1fb402c4172dc1912255c48bb8fe01823194bf0d0b272089b4e04deee5b2e559f81d28644dbfc1cb36e1991ac004ad207247a5eae480f6f80f06de287594e30d
+SHA512 (linux-5.14-rc7.tar.xz) = 8682d0a9b88220c3707130150591c7d471d6b2d8d2ddb0c8940c6e59d23f9a4b1a5fcc8ccc5a5a5b68f47f449521b5347d6d979688e40960fdc342b36a9fb012
+SHA512 (kernel-abi-stablelists-5.14.0-0.rc7.54.tar.bz2) = 67e2d05ce2c74e73f40bacb113630ade3be5f95207ea6c8aa1fa13ea7b875c53945458de6395d8ee7b0297f54deda8b8e61a727682cb33e7eeb0dfc1e1b7d998
+SHA512 (kernel-kabi-dw-5.14.0-0.rc7.54.tar.bz2) = fb3ae66655d42c9294899e6c8fe6b684f97c65dca527f863059f419f90a3bb84fc98c0ea69f7939e9b09e1ee54a59a12cd23304b8d55275bfdb24a9d1228f43d