The "regular" definition of the with_kabichk macro does not need to
be commented out while it is temporarily (re-)defined as 0 on the
next line. This avoids a "Macro expanded in comment" warning.
Remove comments on the same line as %endif directives. Instead, make
a couple of these conditionals easier to read (and consistent with
the surrounding ones) by deleting a few blank lines.
From the original RHEL patch:
This extra '+' causes problems with the regular expression used with
/usr/lib/rpm/find-debuginfo.sh script from rpm-build, which is used to filter
the debug files to the corresponding debuginfo packages. The '+' character
in the release is interpreted as a regular expression operator and the
debuginfo filter fails, with the build failing on an empty debuginfo file list.
Which means we need to escape the extra '+' character if we want debuginfo
filter to work. I tried to use '\' to escape, but rpm "eats" that; in testing,
'[+]' worked, so that is what I'm using to fix/workaround this problem. When RHEL 8
drops the extra +<number> in the future, we can remove this fix/workaround.
This problem is likely to come up so just add it in now.
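
The '+' problem described in the message above, as an added example (not code from the RHEL or Fedora patch). `grep -E` is an assumed stand-in for the regular-expression filter in find-debuginfo.sh, and the release string and file paths are constructed.

```shell
#!/bin/sh
# Constructed sample release carrying an extra "+<number>" suffix.
RELEASE='4.18.0-80.el8+7'

# Constructed list of debug files; the last line belongs to a different build.
sample_files() {
    cat <<EOF
/usr/lib/debug/lib/modules/${RELEASE}.x86_64/vmlinux
/usr/lib/debug/lib/modules/${RELEASE}.x86_64/kernel/fs/xfs/xfs.ko.debug
/usr/lib/debug/lib/modules/4.18.0-80.el8.x86_64/vmlinux
EOF
}

# Count the paths selected by an extended regex built from a release string.
# Assumption: grep -E models the filter; the real script's pattern may differ.
count_matches() {
    sample_files | grep -E -c "/lib/modules/$1\.x86_64/" || true
}

# Wrap every '+' in a bracket expression so the regex engine matches it
# literally. No backslash is involved, so rpm has nothing to "eat".
escape_plus() {
    printf '%s\n' "$1" | sed 's/+/[+]/g'
}

# Unescaped: "8+" means "one or more 8", so the literal "+7" never matches
# and the file list comes back empty.
echo "raw release:     $(count_matches "$RELEASE") file(s)"

# Escaped: both files of this build are selected, the other build is not.
ESCAPED=$(escape_plus "$RELEASE")
echo "escaped release: $(count_matches "$ESCAPED") file(s) using $ESCAPED"
```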
Fedora does some validation on config options to catch
errors. There may be cases when we want to turn off that
checking because it doesn't actually matter. Make this a
full --with option to make it easier to turn off.
Some of the downstream users want to package some modules for
internal use only. While Fedora isn't internal, it's still
useful to have packaging aligned. Add a few modules to this
package.
Other products downstream of Fedora offer kernel ABI guarantees.
Fedora doesn't offer this and has no plans to do so but it's
useful to at least have the packaging in our tree. Add support.
Fedora currently only supports x86_64 secureboot signing.
There's ongoing work to enable other arches though. For now,
just bring in the packaging support with some of it commented
out.
While Fedora doesn't officially support kpatch, there's work
being done to enable kpatch elsewhere. Add the packaging work
but don't actually build anything.
The kernel currently builds the headers in a separate repository but
rebuilds may want to build it from the same srpm. Make sure the
cross command actually works.
The gcc-plugin-devel was a noble experiment that doesn't seem to be
something we'll ship anytime soon. Remove it.
Building the headers now requires rsync
The driver is needed for testing purposes, enable it on the architectures
where EFI is supported. Also, disallow access to the registered device if
the kernel is locked down.
Fedora has been carrying this patch for a very long time as
a workaround for MacBook Airs1,1. We've also gotten smarter
about detection (see d79e141c1c6e ("Input: i8042 - Trust
firmware a bit more when probing on X86")) so let's try
dropping this.
Upstream finally merged the lockdown patches, adjust the SysRq patch to
work with the upstreamed version.
Signed-off-by: Jeremy Cline <jcline@redhat.com>
This is a first pass at getting the secureboot patches working with the
upstream lockdown patches that got merged. The final patch from our
lockdown set is the sysrq patch which also needs work. For the present
it is not applied.
This patch from 2013 stops the i915 driver from spitting out WARNs in
some cases, but nearly the same thing can be achieved with the
``verbose_state_checks=false`` module option added in 2014. With the
module setting the issue results in a log message at error level rather
than the debug level set by this patch. However, it's not known if this
is still a common issue. It seems worth the cost of (maybe) a few more
bug reports about new error-level logs to drop the patch.
To start with, we're going to leave ``verbose_state_checks=true`` (the
default), but if we run into a lot of WARNs we will turn it off.