diff --git a/Makefile.common b/Makefile.common index c9491f17061b2b8795b6dd5192ae8e436ab3a9ec..2ac2780fd351397e000a4107644eeced10cfa14e 100644 --- a/Makefile.common +++ b/Makefile.common @@ -9,7 +9,7 @@ RPMVERSION:=3.10.0 # marker is git tag which we base off of for exporting patches MARKER:=v3.10 PREBUILD:= -BUILD:=1160.59.1 +BUILD:=1160.62.1 DIST:=.el7 SPECFILE:=kernel.spec RPM:=$(REDHAT)/rpm diff --git a/centos-ca-secureboot.der b/centos-ca-secureboot.der new file mode 100644 index 0000000000000000000000000000000000000000..44a2563dee3f8eeecd5026306be46d2a8d89970d Binary files /dev/null and b/centos-ca-secureboot.der differ diff --git a/centos-kpatch.x509 b/centos-kpatch.x509 new file mode 100644 index 0000000000000000000000000000000000000000..ca57a43d51f543693f55519e200bca538781314d Binary files /dev/null and b/centos-kpatch.x509 differ diff --git a/centos-ldup.x509 b/centos-ldup.x509 new file mode 100644 index 0000000000000000000000000000000000000000..9c65dd3ab623d04a9333df892f540755cef603f8 Binary files /dev/null and b/centos-ldup.x509 differ diff --git a/centossecureboot001.crt b/centossecureboot001.crt new file mode 100644 index 0000000000000000000000000000000000000000..c67b0f3af88f188dccada7c0eb522e97ab88d1fc --- /dev/null +++ b/centossecureboot001.crt @@ -0,0 +1,81 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + b6:16:15:71:72:fb:31:7e + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org + Validity + Not Before: Aug 1 11:47:30 2018 GMT + Not After : Dec 31 11:47:30 2037 GMT + Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa: + 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51: + cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2: + 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3: + 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0: + bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18: + 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97: + a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57: + 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35: + 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0: + aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65: + 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46: + f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f: + 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2: + 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4: + 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28: + 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef: + 94:0f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: + Digital Signature + X509v3 Subject Key Identifier: + F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29 + X509v3 Authority Key Identifier: + keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3 + + Signature Algorithm: sha256WithRSAEncryption + 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c: + dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da: + 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b: + 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a: + 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e: + b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef: + f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f: + 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56: + a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30: + 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a: + ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97: + 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c: + 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77: + da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71: + da:7f:89:1d +-----BEGIN CERTIFICATE----- +MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV +BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB +FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx +NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg +BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4 +MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP +f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2 +bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/ +VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR +pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud +EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb +Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B +AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G +1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV +IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv +0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ ++zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD +bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ== +-----END CERTIFICATE----- diff --git a/centossecureboot201.crt b/centossecureboot201.crt new file mode 100644 index 0000000000000000000000000000000000000000..f9d967555bfc80ea58f7938ae81bbed6a020cc21 --- /dev/null +++ b/centossecureboot201.crt @@ -0,0 +1,84 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 93:c2:04:d8:bd:77:6b:11 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=CentOS Secure Boot CA 2/emailAddress=security@centos.org + Validity + Not Before: Jun 9 10:04:20 2020 GMT + Not After : Jan 18 10:04:20 2038 GMT + Subject: CN=CentOS Secure Boot Signing 201/emailAddress=security@centos.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9e:ef:fe:76:1c:9f:9b:3e:f2:e4:c5:29:bd:19: + 32:01:59:f3:e6:99:fa:eb:b5:f8:94:0c:95:3a:65: + 5e:b1:72:d0:50:3e:70:64:8a:1a:d1:f6:4d:af:6d: + 57:ee:40:71:40:09:dd:30:0c:81:a1:8b:26:63:12: + 07:bf:e1:d1:45:9f:9b:09:a6:57:98:9e:ef:97:e9: + bd:68:38:ea:aa:63:92:2e:0d:2f:8e:fb:be:88:40: + 9b:59:e3:bc:b7:6f:e3:bb:6b:1e:6e:9e:ee:57:b8: + 28:c6:d5:d6:bf:47:a6:e9:38:a9:8f:08:73:98:49: + a8:58:d2:62:73:f1:1e:44:d4:88:3d:f9:aa:43:e2: + 72:2e:d7:43:3e:1d:b6:65:f6:d1:2e:ef:31:cb:9f: + 5e:e3:d4:ea:3c:23:9a:07:af:f9:4a:ee:43:9a:75: + 06:ed:9a:54:2c:ed:5b:ca:85:a5:10:16:cd:30:64: + ea:d5:27:7e:23:f6:fc:ec:69:a9:43:2f:78:73:6b: + 33:78:8b:f8:54:db:3f:ce:95:a4:5a:04:9a:15:49: + 98:cd:34:7c:c7:8c:a9:8a:32:82:ae:c0:d6:34:93: + e7:d2:54:82:45:ee:eb:54:9a:96:d4:da:4b:24:f8: + 09:56:d8:cd:7f:ec:7b:f3:bd:db:9b:8c:b6:18:87: + fa:07 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature + X509v3 Extended Key Usage: critical + Code Signing + X509v3 Subject Key Identifier: + 5D:4B:64:F2:FA:63:1E:5E:5F:DB:AA:DC:14:67:C6:6C:99:21:7A:22 + X509v3 Authority Key Identifier: + keyid:70:00:7F:99:20:9C:12:6B:E1:47:74:EA:EC:7B:6D:96:31:F3:4D:CA + + Signature Algorithm: sha256WithRSAEncryption + 39:4b:b5:cc:37:3f:cd:db:84:0f:63:7c:c4:e4:53:fb:5e:fd: + db:12:19:23:6f:0a:50:14:fd:4f:7c:f9:87:3d:f9:6d:5b:af: + 07:a5:94:34:1b:84:07:f4:f1:a0:de:cc:73:87:99:31:c3:93: + 66:c0:bc:f2:0f:b2:69:65:8e:da:b9:1a:8e:ae:38:56:f3:7c: + 5a:8d:29:0d:3d:ad:84:e7:86:31:a2:8e:2a:a8:f8:f8:f7:87: + 32:65:5d:81:47:53:b8:40:c5:1b:a7:46:1f:b0:60:a7:b4:97: + 89:51:26:3c:de:46:b9:14:d5:a0:7d:99:cc:a7:7e:ed:89:18: + 02:ce:e6:07:45:49:e2:04:7d:5b:03:65:ec:e6:c3:86:0d:82: + 31:24:45:51:ec:15:ad:31:83:a8:1c:6e:52:4d:b8:0f:5d:0b: + e4:7b:51:49:39:46:8a:0b:fd:0c:46:af:b4:19:65:0f:12:f1: + fc:ee:fd:6b:4f:df:9a:73:7c:e0:c8:3d:c3:d5:b5:ab:4a:86: + 36:97:e8:89:fb:af:f4:f1:c2:05:5d:17:fb:b6:df:a5:0e:45: + 89:db:89:99:93:ce:f0:4e:e9:9c:f4:4a:03:b0:6e:be:a2:69: + ab:b1:f3:3b:ed:c7:97:f4:0e:0a:53:27:5a:7e:70:9a:35:ea: + 7a:76:d1:bc +-----BEGIN CERTIFICATE----- +MIIDjjCCAnagAwIBAgIJAJPCBNi9d2sRMA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV +BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1 +cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTEwMDQyMFoXDTM4MDExODEwMDQyMFow +TTEnMCUGA1UEAwweQ2VudE9TIFNlY3VyZSBCb290IFNpZ25pbmcgMjAxMSIwIAYJ +KoZIhvcNAQkBFhNzZWN1cml0eUBjZW50b3Mub3JnMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAnu/+dhyfmz7y5MUpvRkyAVnz5pn667X4lAyVOmVesXLQ +UD5wZIoa0fZNr21X7kBxQAndMAyBoYsmYxIHv+HRRZ+bCaZXmJ7vl+m9aDjqqmOS +Lg0vjvu+iECbWeO8t2/ju2sebp7uV7goxtXWv0em6TipjwhzmEmoWNJic/EeRNSI +PfmqQ+JyLtdDPh22ZfbRLu8xy59e49TqPCOaB6/5Su5DmnUG7ZpULO1byoWlEBbN +MGTq1Sd+I/b87GmpQy94c2szeIv4VNs/zpWkWgSaFUmYzTR8x4ypijKCrsDWNJPn +0lSCRe7rVJqW1NpLJPgJVtjNf+x7873bm4y2GIf6BwIDAQABo3gwdjAMBgNVHRMB +Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzAd +BgNVHQ4EFgQUXUtk8vpjHl5f26rcFGfGbJkheiIwHwYDVR0jBBgwFoAUcAB/mSCc +EmvhR3Tq7HttljHzTcowDQYJKoZIhvcNAQELBQADggEBADlLtcw3P83bhA9jfMTk +U/te/dsSGSNvClAU/U98+Yc9+W1brwellDQbhAf08aDezHOHmTHDk2bAvPIPsmll +jtq5Go6uOFbzfFqNKQ09rYTnhjGijiqo+Pj3hzJlXYFHU7hAxRunRh+wYKe0l4lR +JjzeRrkU1aB9mcynfu2JGALO5gdFSeIEfVsDZezmw4YNgjEkRVHsFa0xg6gcblJN +uA9dC+R7UUk5RooL/QxGr7QZZQ8S8fzu/WtP35pzfODIPcPVtatKhjaX6In7r/Tx +wgVdF/u236UORYnbiZmTzvBO6Zz0SgOwbr6iaaux8zvtx5f0DgpTJ1p+cJo16np2 +0bw= +-----END CERTIFICATE----- diff --git a/centossecurebootca2.der b/centossecurebootca2.der new file mode 100644 index 0000000000000000000000000000000000000000..42bdfcfbcda649796099fdc87bbe9dc58e2348d5 Binary files /dev/null and b/centossecurebootca2.der differ diff --git a/debrand-rh-i686-cpu.patch b/debrand-rh-i686-cpu.patch new file mode 100644 index 0000000000000000000000000000000000000000..739855c26fe8cdca5d230d7b134336a77c73d41a --- /dev/null +++ b/debrand-rh-i686-cpu.patch @@ -0,0 +1,11 @@ +--- a/arch/x86/boot/main.c 2014-06-04 10:05:04.000000000 -0700 ++++ b/arch/x86/boot/main.c 2014-07-09 12:54:40.000000000 -0700 +@@ -146,7 +146,7 @@ void main(void) + + /* Make sure we have all the proper CPU support */ + if (validate_cpu()) { +- puts("This processor is unsupported in RHEL7.\n"); ++ puts("This processor is unsupported in CentOS 7.\n"); + die(); + } + diff --git a/debrand-rh_taint.patch b/debrand-rh_taint.patch new file mode 100644 index 0000000000000000000000000000000000000000..8ef4557ac4f856ebadce40598be47712d73f626c --- /dev/null +++ b/debrand-rh_taint.patch @@ -0,0 +1,25 @@ +From 69c0d42cfa26515196896dea086857c2caccb6eb Mon Sep 17 00:00:00 2001 +From: Jim Perrin +Date: Thu, 19 Jun 2014 10:05:12 -0500 +Subject: [PATCH] branding patch for rh_taint + +--- + kernel/rh_taint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rh_taint.c b/kernel/rh_taint.c +index 59a74b0..0708e15 100644 +--- a/kernel/rh_taint.c ++++ b/kernel/rh_taint.c +@@ -8,7 +8,7 @@ + void mark_hardware_unsupported(const char *msg) + { + /* Print one single message */ +- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://hardware.redhat.com for certified hardware.\n", msg); ++ pr_crit("Warning: %s - this hardware has not undergone upstream testing. Please consult http://wiki.centos.org/FAQ for more information\n", msg); + } + EXPORT_SYMBOL(mark_hardware_unsupported); + +-- +1.8.3.1 + diff --git a/debrand-single-cpu.patch b/debrand-single-cpu.patch new file mode 100644 index 0000000000000000000000000000000000000000..afd0e0ca4c19e4ebec13c4b6cf1e157d4ec7496e --- /dev/null +++ b/debrand-single-cpu.patch @@ -0,0 +1,12 @@ +diff -uNrp linux-3.10.0-957.27.2.el7.x86_64.orig/arch/x86/kernel/setup.c linux-3.10.0-957.27.2.el7.x86_64/arch/x86/kernel/setup.c +--- linux-3.10.0-957.27.2.el7.x86_64.orig/arch/x86/kernel/setup.c 2019-07-09 16:13:02.000000000 +0000 ++++ linux-3.10.0-957.27.2.el7.x86_64/arch/x86/kernel/setup.c 2019-07-29 17:32:40.018405430 +0000 +@@ -963,7 +963,7 @@ static void rh_check_supported(void) + if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) && + !guest && !is_kdump_kernel()) { + pr_crit("Detected single cpu native boot.\n"); +- pr_crit("Important: In Red Hat Enterprise Linux 7, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems."); ++ pr_crit("Important: In CentOS Linux 7, single threaded, single CPU 64-bit physical systems are unsupported."); + } + + /* The RHEL7 kernel does not support this hardware. The kernel will diff --git a/kernel.spec b/kernel.spec index 20b6db13f14dc5fcd22d5226e3a09791b9a6bcff..ae5b2a641cd68e732d7513aadecbaa264f626eb9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -3,8 +3,8 @@ Summary: The Linux kernel -%define dist .an7 -%define anolis_release .0.1 +%define dist .el7 + # % define buildid .local # If there's no unversioned python, select version explicitly, @@ -20,10 +20,10 @@ Summary: The Linux kernel %global distro_build 1160 %define rpmversion 3.10.0 -%define pkgrelease 1160.59.1.an7 +%define pkgrelease 1160.62.1.el7 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 1160.59.1%{anolis_release}%{?dist} +%define specrelease 1160.62.1%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -402,22 +402,22 @@ Source10: sign-modules Source11: x509.genkey Source12: extra_certificates %if %{?released_kernel} -Source13: redhatsecurebootca3.cer -Source14: redhatsecureboot301.cer -Source15: redhatsecurebootca5.cer -Source16: redhatsecureboot501.cer -%define pesign_name_0 redhatsecureboot301 -%define pesign_name_1 redhatsecureboot501 +Source13: centos-ca-secureboot.der +Source14: centossecureboot001.crt +Source15: centossecurebootca2.der +Source16: centossecureboot201.crt +%define pesign_name_0 centossecureboot001 +%define pesign_name_1 centossecureboot201 %else -Source13: redhatsecurebootca2.cer -Source14: redhatsecureboot003.cer -Source15: redhatsecurebootca4.cer -Source16: redhatsecureboot401.cer -%define pesign_name_0 redhatsecureboot003 -%define pesign_name_1 redhatsecureboot401 +Source13: centos-ca-secureboot.der +Source14: centossecureboot001.crt +Source15: centossecurebootca2.der +Source16: centossecureboot201.crt +%define pesign_name_0 centossecureboot001 +%define pesign_name_1 centossecureboot201 %endif -Source17: rheldup3.x509 -Source18: rhelkpatch1.x509 +Source17: centos-ldup.x509 +Source18: centos-kpatch.x509 Source19: check-kabi @@ -461,6 +461,9 @@ Source9999: lastcommit.stat # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch +Patch1000: debrand-single-cpu.patch +Patch1001: debrand-rh_taint.patch +Patch1002: debrand-rh-i686-cpu.patch BuildRoot: %{_tmppath}/kernel-%{KVRA}-root @@ -644,11 +647,11 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio %endif %package -n kernel-abi-whitelists -Summary: The Red Hat Enterprise Linux kernel ABI symbol whitelists +Summary: The CentOS Linux kernel ABI symbol whitelists Group: System Environment/Kernel AutoReqProv: no %description -n kernel-abi-whitelists -The kABI package contains information pertaining to the Red Hat Enterprise +The kABI package contains information pertaining to the CentOS Linux kernel ABI, including lists of kernel symbols that are needed by external Linux kernel modules, and a yum plugin to aid enforcement. @@ -658,8 +661,8 @@ Summary: The baseline dataset for kABI verification using DWARF data Group: System Environment/Kernel AutoReqProv: no %description kabidw-base -The kabidw-base package contains data describing the current ABI of the Red Hat -Enterprise Linux kernel, suitable for the kabi-dw tool. +The kabidw-base package contains data describing the current ABI of the CentOS +Linux kernel, suitable for the kabi-dw tool. %endif # @@ -801,6 +804,9 @@ cd linux-%{KVRA} cp $RPM_SOURCE_DIR/kernel-%{version}-*.config . ApplyOptionalPatch linux-kernel-test.patch +ApplyOptionalPatch debrand-single-cpu.patch +ApplyOptionalPatch debrand-rh_taint.patch +ApplyOptionalPatch debrand-rh-i686-cpu.patch # Any further pre-build tree manipulations happen here. @@ -1544,15 +1550,15 @@ if [ -x %{_sbindir}/weak-modules ]\ then\ %{_sbindir}/weak-modules --add-kernel %{KVRA}%{?1:.%{1}} || exit $?\ fi\ -%{_sbindir}/new-kernel-pkg --package kernel%{?-v:-%{-v*}} --mkinitrd --dracut --depmod --update %{KVRA}%{?-v:.%{-v*}} \ +%{_sbindir}/new-kernel-pkg --package kernel%{?-v:-%{-v*}} --mkinitrd --dracut --depmod --install %{KVRA}%{?-v:.%{-v*}} \ rc=$?\ if [ $rc != 0 ]; then\ %{_sbindir}/new-kernel-pkg --remove %{KVRA}%{?1:.%{1}}\ ERROR_MSG="ERROR: installing kernel-%{KVRA}%{?1:.%{1}}: no space left for creating initramfs. Clean up /boot partition and re-run '%{_sbindir}/new-kernel-pkg --package kernel%{?-v:-%{-v*}} --mkinitrd --dracut --depmod --install %{KVRA}%{?-v:.%{-v*}}'"\ if [ -e /usr/bin/logger ]; then\ /usr/bin/logger -p syslog.warn "\$ERROR_MSG"\ - elif [ -e /usr/bin/cat ]; then\ - /usr/bin/cat "\$ERROR_MSG" > /dev/kmsg\ + else\ + echo "\$ERROR_MSG" > /dev/kmsg\ fi\ echo "\$ERROR_MSG"\ exit $rc\ @@ -1574,9 +1580,6 @@ if [ `uname -i` == "x86_64" ] &&\ [ -f /etc/sysconfig/kernel ]; then\ /bin/sed -r -i -e 's/^DEFAULTKERNEL=%{-r*}$/DEFAULTKERNEL=kernel%{?-v:-%{-v*}}/' /etc/sysconfig/kernel || exit $?\ fi}\ -%{expand:\ -%{_sbindir}/new-kernel-pkg --package kernel%{?-v:-%{-v*}} --install %{KVRA}%{?-v:.%{-v*}} || exit $?\ -}\ %{nil} # @@ -1807,8 +1810,42 @@ fi %kernel_variant_files %{with_kdump} kdump %changelog -* Wed Feb 23 2022 yangxiaoxuan [3.10.0-1160.59.1.0.1.an7] -- Modified dist +* Wed Mar 23 2022 Rado Vrbovsky [3.10.0-1160.62.1.el7] +- cifs: fix handling of DFS links where we can not access all components (Ronnie Sahlberg) [1937304] +- redhat: kernel.spec: install new kernel boot entry in posttrans, not post (Denys Vlasenko) [1893756] +- [s390] s390/cpumf: Support for CPU Measurement Facility CSVN 7 (Mete Durlu) [2048920] +- dm table: fix iterate_devices based device capability checks (Mike Snitzer) [2054743] +- buffer: eliminate the need to call free_more_memory() in __getblk_slow() (Carlos Maiolino) [2030609] +- buffer: grow_dev_page() should use __GFP_NOFAIL for all cases (Carlos Maiolino) [2030609] +- buffer: have alloc_page_buffers() use __GFP_NOFAIL (Carlos Maiolino) [2030609] +- mm: memcg: do not fail __GFP_NOFAIL charges (Rafael Aquini) [2054345] +- mm: filemap: do not drop action modifier flags from the gfp_mask passed to __add_to_page_cache_locked() (Rafael Aquini) [2054345] +- Added ZSTREAM=yes to makefile (Lucas Zampieri) + +* Mon Mar 07 2022 Rado Vrbovsky [3.10.0-1160.61.1.el7] +- x86/efi: reset the correct tlb_state when returning from efi_switch_mm() (Rafael Aquini) [2055587] + +* Wed Feb 23 2022 Rado Vrbovsky [3.10.0-1160.60.1.el7] +- svcrdma: Fix leak of svc_rdma_recv_ctxt objects (Benjamin Coddington) [2028740] +- sunrpc: Remove unneeded pointer dereference (Benjamin Coddington) [2028740] +- x86/platform/uv: Add more to secondary CPU kdump info (Frank Ramsay) [2042462] +- [s390] s390/AP: support new dynamic AP bus size limit (Claudio Imbrenda) [1997156] +- CI: Enable baseline realtime checks (Veronika Kabatova) +- CI: Rename pipelines to include release names (Veronika Kabatova) +- RDMA/cma: Do not change route.addr.src_addr.ss_family (Kamal Heib) [2032075] {CVE-2021-4028} +- fget: clarify and improve __fget_files() implementation (Miklos Szeredi) [2032478] {CVE-2021-4083} +- fget: check that the fd still exists after getting a ref to it (Miklos Szeredi) [2032478] {CVE-2021-4083} +- net: Set fput_needed iff FDPUT_FPUT is set (Miklos Szeredi) [2032478] {CVE-2021-4083} +- vfs, fdtable: Add fget_task helper (Miklos Szeredi) [2032478] {CVE-2021-4083} +- fs: add fget_many() and fput_many() (Miklos Szeredi) [2032478] {CVE-2021-4083} +- fs/file.c: __fget() and dup2() atomicity rules (Miklos Szeredi) [2032478] {CVE-2021-4083} +- vfs: Don't let __fdget_pos() get FMODE_PATH files (Miklos Szeredi) [2032478] {CVE-2021-4083} +- get rid of fget_light() (Miklos Szeredi) [2032478] {CVE-2021-4083} +- sockfd_lookup_light(): switch to fdget^W^Waway from fget_light (Miklos Szeredi) [2032478] {CVE-2021-4083} +- fs: __fget_light() can use __fget() in slow path (Miklos Szeredi) [2032478] {CVE-2021-4083} +- fs: factor out common code in fget_light() and fget_raw_light() (Miklos Szeredi) [2032478] {CVE-2021-4083} +- fs: factor out common code in fget() and fget_raw() (Miklos Szeredi) [2032478] {CVE-2021-4083} +- introduce __fcheck_files() to fix rcu_dereference_check_fdtable(), kill rcu_my_thread_group_empty() (Miklos Szeredi) [2032478] {CVE-2021-4083} * Wed Feb 16 2022 Rado Vrbovsky [3.10.0-1160.59.1.el7] - Revert "Merge: Fix tasks stuck in IO waiting for buffer_head lock" (Rado Vrbovsky) [2030609] diff --git a/linux-3.10.0-1160.59.1.an7.tar.xz b/linux-3.10.0-1160.62.1.el7.tar.xz similarity index 77% rename from linux-3.10.0-1160.59.1.an7.tar.xz rename to linux-3.10.0-1160.62.1.el7.tar.xz index ea3a07e49d0861bee99e9d453242618d38058d0d..d542c73b1f6e88a69e0e17e2102304ff06fa5693 100644 Binary files a/linux-3.10.0-1160.59.1.an7.tar.xz and b/linux-3.10.0-1160.62.1.el7.tar.xz differ diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer deleted file mode 100644 index 20e660479db920c9af073ef60dfd52cfcd55ef35..0000000000000000000000000000000000000000 Binary files a/redhatsecureboot301.cer and /dev/null differ diff --git a/redhatsecureboot501.cer b/redhatsecureboot501.cer deleted file mode 100644 index dfa7afb4699f9da2610ccf889eac6269b4e368ad..0000000000000000000000000000000000000000 Binary files a/redhatsecureboot501.cer and /dev/null differ diff --git a/redhatsecurebootca3.cer b/redhatsecurebootca3.cer deleted file mode 100644 index b2354007b9668258683b99a68fa5bdd3067c31b1..0000000000000000000000000000000000000000 Binary files a/redhatsecurebootca3.cer and /dev/null differ diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284954861282d1a0ce16c8c5cdc71c27659f..0000000000000000000000000000000000000000 Binary files a/redhatsecurebootca5.cer and /dev/null differ diff --git a/rheldup3.x509 b/rheldup3.x509 deleted file mode 100644 index 5df3b4f30de160efb9bd4dfbe9b831ee44a74007..0000000000000000000000000000000000000000 Binary files a/rheldup3.x509 and /dev/null differ diff --git a/rhelkpatch1.x509 b/rhelkpatch1.x509 deleted file mode 100644 index 0c774ba73bd27a421e59a2488cbf6f398fe03e2a..0000000000000000000000000000000000000000 Binary files a/rhelkpatch1.x509 and /dev/null differ diff --git a/x509.genkey b/x509.genkey index b1bbe387f11faf296e2c67d3ed001298dca3e7d8..d98f8fe6ce086031b6610d56d028ceae82b2acbd 100644 --- a/x509.genkey +++ b/x509.genkey @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = Red Hat -CN = Red Hat Enterprise Linux kernel signing key -emailAddress = secalert@redhat.com +O = CentOS +CN = CentOS Linux kernel signing key +emailAddress = security@centos.org [ myexts ] basicConstraints=critical,CA:FALSE