[OS-BUILD PATCH] redhat/configs: enable IMA_ARCH_POLICY for aarch64 and s390x
by Bruno Meneguele (via Email Bridge)
From: Bruno Meneguele <bmeneg(a)redhat.com>
redhat/configs: enable IMA_ARCH_POLICY for aarch64 and s390x
IMA_ARCH_POLICY was already enabled for x86_64 and ppc64le. Recently,
the IMA code handling EFI was unified under
security/integrity/ima/ima_efi.c and aarch64 with CONFIG_EFI can use it
for the IMA_ARCH_POLICY logic.
In somewhat the same way, s390x has all the bits in upstream to enable
IMA_ARCH_POLICY, which is tied with the IMA_SECURE_AND_OR_TRUSTED_BOOT
that s390x supports with its IPL mode and also make use during KEXEC'ing
a kernel image in their secure boot. With that, I'm proactively
enabling IMA_ARCH_POLICY for s390x as well.
Signed-off-by: Bruno Meneguele <bmeneg(a)redhat.com>
diff --git a/redhat/configs/common/generic/CONFIG_IMA_ARCH_POLICY b/redhat/configs/common/generic/CONFIG_IMA_ARCH_POLICY
index blahblah..blahblah 100644
--- a/redhat/configs/common/generic/CONFIG_IMA_ARCH_POLICY
+++ b/redhat/configs/common/generic/CONFIG_IMA_ARCH_POLICY
@@ -1 +1 @@
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
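Review bot: The subject names only aarch64 and s390x, but setting CONFIG_IMA_ARCH_POLICY=y in redhat/configs/common/generic changes the default for every architecture that inherits from that directory, not only those two plus x86_64 and ppc64le. If any other architecture is built from these configs, either say in the commit message that it is meant to get the option too, or keep the generic file as "is not set" and add per-arch files for aarch64 and s390x. The s390x half is described as proactive, so a line on whether it was boot-tested with secure IPL would help the reader judge the risk.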
diff --git a/redhat/configs/common/generic/powerpc/CONFIG_IMA_ARCH_POLICY b/redhat/configs/common/generic/powerpc/CONFIG_IMA_ARCH_POLICY
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/common/generic/powerpc/CONFIG_IMA_ARCH_POLICY
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_IMA_ARCH_POLICY=y
diff --git a/redhat/configs/common/generic/x86/CONFIG_IMA_ARCH_POLICY b/redhat/configs/common/generic/x86/CONFIG_IMA_ARCH_POLICY
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/common/generic/x86/CONFIG_IMA_ARCH_POLICY
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_IMA_ARCH_POLICY=y
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1216
2 years, 9 months
kernel 5.14 spec file problems, one solved, one unresolved, help
by stan
Hi,
I'm building the 5.14 kernel from
kernel-5.14.0-0.rc0.20210706git79160a603bdb.11.fc35.src.rpm
I've run into two issues.
The first is to do with bpftool. I see in the comments that it is
supposed to be disabled in Fedora. But, it still has a buildrequires:,
and there is a segment of code that is not protected even if bpftool is
turned off.
%ifnarch armv7hl
# Generate vmlinux.h and put it to kernel-devel path
bpftool btf dump file vmlinux format c > $RPM_BUILD_ROOT/$DevelDir/vmlinux.h
%endif
Because bpftool is turned off, this chokes.
The second is to do with a symbolic link.
# Move the devel headers out of the root file system
mkdir -p $RPM_BUILD_ROOT/usr/src/kernels
mv $RPM_BUILD_ROOT/lib/modules/$KernelVer/build $RPM_BUILD_ROOT/$DevelDir
# This is going to create a broken link during the build, but we don't use
# it after this point. We need the link to actually point to something
# when kernel-devel is installed, and a relative link doesn't work across
# the F17 UsrMove feature.
ln -sf $DevelDir $RPM_BUILD_ROOT/lib/modules/$KernelVer/build
The comment says that symbolic link should not matter, but rpmbuild
complains that files are being packaged that are not registered (?,
from memory). Building something else right now, but if you need the
exact error message, I can regenerate it later. This code is in
prior kernel spec files without problems. It seems that something
is being more assiduous now. I've tried various things to work around
this, but they haven't worked. I guess that is because I don't really
understand why this symbolic link is being created. What is your
suggestion for how to fix this?
Finally, I've built the kernel successfully several times while testing
my fixes. I've noticed that ccache is not being used; it is rebuilding
everything every time. Since I'm building a kernel customized to my
hardware, that isn't so onerous. But, how would I enable ccache so
that rebuilds are basically copy operations?
Thanks for any help.
2 years, 9 months
✅ PASS: Test report for kernel 5.13.1-300.fc34 (fedora-34)
by CKI Project
Hello,
We ran automated tests on the following kernel build:
Kernel package: kernel-5.13.1-300.fc34
COPR build ID: 2316565
The results of these automated tests are provided below.
Overall result: PASSED
Tests: OK
All kernel binaries, config files, and logs are available for download here:
https://arr-cki-prod-datawarehouse-public.s3.amazonaws.com/index.html?pre...
Please reply to this email if you have any questions about the tests that we
ran or if you have any suggestions on how to make future tests more effective.
For the full detail on our testing procedures, please scroll to the bottom of
this message.
,-. ,-.
( C ) ( K ) Continuous
`-',-.`-' Kernel
( I ) Integration
`-'
______________________________________________________________________________
Hardware testing
----------------
We booted each kernel and ran the following tests:
aarch64:
Host 1:
✅ Boot test
✅ Reboot test
✅ ACPI table test
✅ ACPI enabled test
✅ LTP
✅ CIFS Connectathon
✅ POSIX pjd-fstest suites
✅ Loopdev Sanity
✅ jvm - jcstress tests
✅ Memory: fork_mem
✅ Memory function: memfd_create
✅ AMTU (Abstract Machine Test Utility)
✅ Networking bridge: sanity
✅ Ethernet drivers sanity
✅ Networking socket: fuzz
✅ Networking: igmp conformance test
✅ Networking route: pmtu
✅ Networking route_func - local
✅ Networking route_func - forward
✅ Networking TCP: keepalive test
✅ Networking UDP: socket
✅ Networking cki netfilter test
✅ Networking tunnel: geneve basic test
✅ Networking tunnel: gre basic
✅ L2TP basic test
✅ Networking tunnel: vxlan basic
✅ Networking ipsec: basic netns - transport
✅ Networking ipsec: basic netns - tunnel
✅ Libkcapi AF_ALG test
✅ pciutils: update pci ids test
✅ ALSA PCM loopback test
✅ ALSA Control (mixer) Userspace Element test
✅ storage: SCSI VPD
✅ trace: ftrace/tracer
🚧 ✅ xarray-idr-radixtree-test
🚧 ✅ i2c: i2cdetect sanity
🚧 ✅ Firmware test suite
🚧 ✅ Memory function: kaslr
🚧 ✅ audit: audit testsuite test
Host 2:
✅ Boot test
✅ Reboot test
✅ xfstests - ext4
✅ xfstests - xfs
✅ selinux-policy: serge-testsuite
✅ storage: software RAID testing
✅ Storage: swraid mdadm raid_module test
🚧 ❌ Podman system integration test - as root
🚧 ❌ Podman system integration test - as user
🚧 ✅ xfstests - btrfs
🚧 ✅ IPMI driver test
🚧 ✅ IPMItool loop stress test
🚧 ❌ Storage blktests
🚧 ✅ Storage block - filesystem fio test
🚧 ✅ Storage block - queue scheduler test
🚧 ❌ Storage nvme - tcp
🚧 ✅ stress: stress-ng
Test sources: https://gitlab.com/cki-project/kernel-tests
💚 Pull requests are welcome for new tests or improvements to existing tests!
Aborted tests
-------------
Tests that didn't complete running successfully are marked with ⚡⚡⚡.
If this was caused by an infrastructure issue, we try to mark that
explicitly in the report.
Waived tests
------------
If the test run included waived tests, they are marked with 🚧. Such tests are
executed but their results are not taken into account. Tests are waived when
their results are not reliable enough, e.g. when they're just introduced or are
being fixed.
Testing timeout
---------------
We aim to provide a report within a reasonable timeframe. Tests that haven't
finished running yet are marked with ⏱.
2 years, 9 months
[OS-BUILD PATCH] rpmspec: do not BuildRequires bpftool on noarch
by Herton R. Krzesinski (via Email Bridge)
From: Herton R. Krzesinski <herton(a)redhat.com>
rpmspec: do not BuildRequires bpftool on noarch
Turns out we also need to keep bpftool BuildRequires out of noarch as
well, at least on a recent centos koji build I bumped into it:
BuildError: error building package (arch noarch), mock exited with status (...)
Executing command: ['/usr/bin/dnf', 'builddep', '--installroot', (...)
(...)
DEBUG util.py:444: No matching package to install: 'bpftool'
(...)
DEBUG util.py:444: Not all dependencies satisfied
DEBUG util.py:444: Error: Some packages could not be found.
DEBUG util.py:598: Child return code was: 1
DEBUG util.py:169: kill orphans
noarch doesn't build any kernel of course so just keep it out too.
Signed-off-by: Herton R. Krzesinski <herton(a)redhat.com>
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100755
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -556,7 +556,7 @@ BuildRequires: net-tools, hostname, bc, elfutils-devel
BuildRequires: dwarves
BuildRequires: python3-devel
BuildRequires: gcc-plugin-devel
-%ifnarch %{nobuildarches}
+%ifnarch %{nobuildarches} noarch
BuildRequires: bpftool
%endif
%if %{with_headers}
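Review bot: The new guard "%ifnarch %{nobuildarches} noarch" carries no comment, so the reason noarch is listed (no kernel is built there and builddep fails with "No matching package to install: 'bpftool'") lives only in the commit message. Add a one-line spec comment above the conditional. It is also worth checking whether any other BuildRequires that exists only for the kernel build can hit the same failure on noarch and needs the same guard.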
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1239
2 years, 9 months
[OS-BUILD PATCH] redhat/configs: disable {IMA,EVM}_LOAD_X509
by Bruno Meneguele (via Email Bridge)
From: Bruno Meneguele <bmeneg(a)redhat.com>
redhat/configs: disable {IMA,EVM}_LOAD_X509
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977529
This option was enabled by mistake (from my own part): this is only used for
allowing the option {IMA,EVM}_X509_PATH to be set with a specific path in
the system pointing to a valid X509 certificate, specifically built for the
integrity subsystem. It turns out that we don't have such a certificate and I am
not sure it's going to be used anytime soon. In RHEL-8 we've allowed trusted
certificates to the integrity subsystem using the secure boot CA and the
certs used for the kernel build.
With these options set we have the following two error lines in dmesg:
integrity: Unable to open file: /etc/keys/x509_ima.der (-2)
integrity: Unable to open file: /etc/keys/x509_evm.der (-2)
Signed-off-by: Bruno Meneguele <bmeneg(a)redhat.com>
diff --git a/redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509 b/redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_EVM_LOAD_X509=y
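Review bot: Deleting the ark/generic file removes the "=y" override but does not record the intended value, so what CONFIG_EVM_LOAD_X509 resolves to now depends on whichever other config directory still defines it. If the goal is "disabled", confirm that a file containing "# CONFIG_EVM_LOAD_X509 is not set" exists at a level ark inherits from, or replace the content here instead of deleting the file. The same applies to the CONFIG_IMA_LOAD_X509 deletion that follows.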
diff --git a/redhat/configs/ark/generic/CONFIG_IMA_LOAD_X509 b/redhat/configs/ark/generic/CONFIG_IMA_LOAD_X509
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_IMA_LOAD_X509
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_IMA_LOAD_X509=y
diff --git a/redhat/configs/ark/generic/CONFIG_IMA_X509_PATH b/redhat/configs/ark/generic/CONFIG_IMA_X509_PATH
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_IMA_X509_PATH
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
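Review bot: CONFIG_IMA_X509_PATH is dropped here, but the patch has no matching deletion for an EVM path option, even though the commit message refers to {IMA,EVM}_X509_PATH and quotes a dmesg error for /etc/keys/x509_evm.der. Confirm that no EVM path override is left in the config tree; if that path was only the Kconfig default, say so in the commit message so the asymmetry is explained.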
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1234
2 years, 9 months
✅ PASS: Test report for kernel 5.13.1-300.fc34 (fedora-34)
by CKI Project
Hello,
We ran automated tests on the following kernel build:
Kernel package: kernel-5.13.1-300.fc34
COPR build ID: 2316565
The results of these automated tests are provided below.
Overall result: PASSED
Tests: OK
All kernel binaries, config files, and logs are available for download here:
https://arr-cki-prod-datawarehouse-public.s3.amazonaws.com/index.html?pre...
Please reply to this email if you have any questions about the tests that we
ran or if you have any suggestions on how to make future tests more effective.
For the full detail on our testing procedures, please scroll to the bottom of
this message.
,-. ,-.
( C ) ( K ) Continuous
`-',-.`-' Kernel
( I ) Integration
`-'
______________________________________________________________________________
Hardware testing
----------------
We booted each kernel and ran the following tests:
aarch64:
Host 1:
✅ Boot test
✅ Reboot test
✅ xfstests - ext4
✅ xfstests - xfs
✅ selinux-policy: serge-testsuite
✅ storage: software RAID testing
✅ Storage: swraid mdadm raid_module test
🚧 ❌ Podman system integration test - as root
🚧 ❌ Podman system integration test - as user
🚧 ✅ xfstests - btrfs
🚧 ✅ IPMI driver test
🚧 ✅ IPMItool loop stress test
🚧 ✅ Storage blktests
🚧 ✅ Storage block - filesystem fio test
🚧 ✅ Storage block - queue scheduler test
🚧 ✅ Storage nvme - tcp
🚧 💥 stress: stress-ng
Host 2:
✅ Boot test
✅ Reboot test
✅ ACPI table test
✅ ACPI enabled test
✅ LTP
✅ CIFS Connectathon
✅ POSIX pjd-fstest suites
✅ Loopdev Sanity
✅ jvm - jcstress tests
✅ Memory: fork_mem
✅ Memory function: memfd_create
✅ AMTU (Abstract Machine Test Utility)
✅ Networking bridge: sanity
✅ Ethernet drivers sanity
✅ Networking socket: fuzz
✅ Networking: igmp conformance test
✅ Networking route: pmtu
✅ Networking route_func - local
✅ Networking route_func - forward
✅ Networking TCP: keepalive test
✅ Networking UDP: socket
✅ Networking cki netfilter test
✅ Networking tunnel: geneve basic test
✅ Networking tunnel: gre basic
✅ L2TP basic test
✅ Networking tunnel: vxlan basic
✅ Networking ipsec: basic netns - transport
✅ Networking ipsec: basic netns - tunnel
✅ Libkcapi AF_ALG test
✅ pciutils: update pci ids test
✅ ALSA PCM loopback test
✅ ALSA Control (mixer) Userspace Element test
✅ storage: SCSI VPD
✅ trace: ftrace/tracer
🚧 ✅ xarray-idr-radixtree-test
🚧 ✅ i2c: i2cdetect sanity
🚧 ✅ Firmware test suite
🚧 ✅ Memory function: kaslr
🚧 ✅ audit: audit testsuite test
Test sources: https://gitlab.com/cki-project/kernel-tests
💚 Pull requests are welcome for new tests or improvements to existing tests!
Aborted tests
-------------
Tests that didn't complete running successfully are marked with ⚡⚡⚡.
If this was caused by an infrastructure issue, we try to mark that
explicitly in the report.
Waived tests
------------
If the test run included waived tests, they are marked with 🚧. Such tests are
executed but their results are not taken into account. Tests are waived when
their results are not reliable enough, e.g. when they're just introduced or are
being fixed.
Testing timeout
---------------
We aim to provide a report within a reasonable timeframe. Tests that haven't
finished running yet are marked with ⏱.
2 years, 9 months
[OS-BUILD PATCH] [redhat] kabi: rename legacy terminology
by Čestmír Kalina (via Email Bridge)
From: Čestmír Kalina <ckalina(a)redhat.com>
[redhat] kabi: rename legacy terminology
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1953486
Upstream Status: RHEL only
As part of Red Hat’s commitment to remove problematic language from
our code, documentation, websites, and open source projects that we
are involved with, this patch renames kABI whitelist to stablelist.
Signed-off-by: Čestmír Kalina <ckalina(a)redhat.com>
diff --git a/redhat/Makefile b/redhat/Makefile
index blahblah..blahblah 100644
--- a/redhat/Makefile
+++ b/redhat/Makefile
@@ -66,7 +66,7 @@ dist-kabi: dist-python-check
for i in {0..$(RHEL_MINOR)}; do \
mkdir -p $(REDHAT)/kabi/kabi-rhel$(RHEL_MAJOR)$$i/;\
$(REDHAT)/kabi/show-kabi -k $(REDHAT)/kabi/kabi-module/ -s -a $$KABIARCH \
- -r $(RHEL_MAJOR).$$i > $(REDHAT)/kabi/kabi-rhel$(RHEL_MAJOR)$$i/kabi_whitelist_$$KABIARCH;\
+ -r $(RHEL_MAJOR).$$i > $(REDHAT)/kabi/kabi-rhel$(RHEL_MAJOR)$$i/kabi_stablelist_$$KABIARCH;\
done;\
done;
@(cd $(REDHAT)/kabi/ && ln -Tsf kabi-rhel$(RHEL_MAJOR)$(RHEL_MINOR) kabi-current)
@@ -101,7 +101,7 @@ dist-kabi-dw-base: dist-kabi
@echo "Generating baseline dataset for KABI DWARF-based comparison..."
@echo "**** GENERATING DWARF-based kABI baseline dataset ****"
@$(KABIDW)/run_kabi-dw.sh generate \
- $(REDHAT)/kabi/kabi-current/kabi_whitelist_$(CURARCH) \
+ $(REDHAT)/kabi/kabi-current/kabi_stablelist_$(CURARCH) \
$(_OUTPUT) $(KABIDW)/base/$(CURARCH)/
dist-kabi-dw-check: dist-kabi
@@ -113,7 +113,7 @@ dist-kabi-dw-check: dist-kabi
fi
@echo "**** GENERATING DWARF-based kABI dataset ****"
@$(KABIDW)/run_kabi-dw.sh generate \
- $(REDHAT)/kabi/kabi-current/kabi_whitelist_$(CURARCH) \
+ $(REDHAT)/kabi/kabi-current/kabi_stablelist_$(CURARCH) \
$(_OUTPUT) $(KABIDW)/base/$(CURARCH).tmp/
@echo "**** KABI DWARF-based comparison report ****"
@$(KABIDW)/run_kabi-dw.sh compare \
@@ -525,15 +525,15 @@ dist-full-help:
@echo ''
@echo 'kABI targets:'
- @echo ' dist-kabi - Create kABI whitelist files in redhat/kabi/kabi-rhel*/'
+ @echo ' dist-kabi - Create kABI stablelist files in redhat/kabi/kabi-rhel*/'
@echo ' and merge kABI checksums into redhat/kabi/Module.kabi_*.'
@echo ' dist-kabi-dup - Merge kABI checksums for Driver Update Program (DUP)'
@echo ' into redhat/kabi/Module.kabi_dup_*.'
- @echo ' dist-check-kabi - Check for changes in kABI whitelisted symbols.'
+ @echo ' dist-check-kabi - Check for changes in kABI stablelisted symbols.'
@echo ' Requires a pre-compiled tree: run `make dist-configs`,'
@echo ' copy the relevant config file from redhat/configs/ to'
@echo ' .config, and run `make`.'
- @echo ' dist-check-kabi-dup - Like dist-check-kabi but uses a DUP kABI whitelist.'
+ @echo ' dist-check-kabi-dup - Like dist-check-kabi but uses a DUP kABI stablelist.'
@echo ' dist-kabi-dw-base - Generate the base dataset for kABI DWARF-based check.'
@echo ' dist-kabi-dw-check - Run DWARF-based kABI comparison of current binaries'
@echo ' with the base dataset.'
diff --git a/redhat/Makefile.common b/redhat/Makefile.common
index blahblah..blahblah 100644
--- a/redhat/Makefile.common
+++ b/redhat/Makefile.common
@@ -140,7 +140,7 @@ endif
TARFILE:=linux-$(TARFILE_RELEASE).tar.xz
TARBALL:=$(REDHAT)/$(TARFILE)
DISTRO_BUILD:=$(PREBUILD)$(shell echo $(BUILD) | sed -e 's|\(^[0-9]\{1,4\}\)\..*|\1|')
-KABI_TARFILE:=kernel-abi-whitelists-$(KVERSION)-$(DISTRO_BUILD).tar.bz2
+KABI_TARFILE:=kernel-abi-stablelists-$(KVERSION)-$(DISTRO_BUILD).tar.bz2
KABI_TARBALL:=$(REDHAT)/rpm/SOURCES/$(KABI_TARFILE)
KABIDW_TARFILE:=kernel-kabi-dw-$(KVERSION)-$(DISTRO_BUILD).tar.bz2
KABIDW_TARBALL:=$(REDHAT)/rpm/SOURCES/$(KABIDW_TARFILE)
diff --git a/redhat/kabi-dwarf/run_kabi-dw.sh b/redhat/kabi-dwarf/run_kabi-dw.sh
index blahblah..blahblah 100644
--- a/redhat/kabi-dwarf/run_kabi-dw.sh
+++ b/redhat/kabi-dwarf/run_kabi-dw.sh
@@ -19,7 +19,7 @@
# same options from both the Makefile and kernel.spec file.
#
# Usage:
-# ./run_kabi-dw.sh generate whitelist module_dir kabi_dir
+# ./run_kabi-dw.sh generate stablelist module_dir kabi_dir
# ./run_kabi-dw.sh compare kabi_dir1 kabi_dir2
# shellcheck disable=SC2164
@@ -31,7 +31,7 @@ KABIDW=kabi-dw
usage() {
echo "Usage:"
- echo " $PROG generate whitelist module_dir kabi_dir"
+ echo " $PROG generate stablelist module_dir kabi_dir"
echo " $PROG compare kabi_dir1 kabi_dir2"
exit 1
}
diff --git a/redhat/kabi/make-kabi b/redhat/kabi/make-kabi
index blahblah..blahblah 100755
--- a/redhat/kabi/make-kabi
+++ b/redhat/kabi/make-kabi
@@ -49,20 +49,20 @@ def load_symvers(symvers, filename):
symvers[symbol] = in_line[0:-1]
-def load_whitelist(whitelist, order, filename):
+def load_stablelist(stablelist, order, filename):
if os.path.isfile(filename):
- load_whitelist_file(whitelist, order, filename)
+ load_stablelist_file(stablelist, order, filename)
else:
- load_whitelist_dir(whitelist, order, filename)
+ load_stablelist_dir(stablelist, order, filename)
-def load_whitelist_file(whitelist, order, filename):
- """Load a reference whitelist file."""
+def load_stablelist_file(stablelist, order, filename):
+ """Load a reference stablelist file."""
- whitelist_file = open(filename, "r")
+ stablelist_file = open(filename, "r")
while true:
- in_line = whitelist_file.readline()
+ in_line = stablelist_file.readline()
if in_line == "":
break
if in_line == "\n":
@@ -72,14 +72,14 @@ def load_whitelist_file(whitelist, order, filename):
continue
symbol = in_line[1:-1]
- whitelist[symbol] = []
+ stablelist[symbol] = []
order.append(symbol)
order.sort()
-def load_whitelist_dir(whitelist, order, dirname):
- """Load a reference whitelist directory."""
+def load_stablelist_dir(stablelist, order, dirname):
+ """Load a reference stablelist directory."""
for symbol in os.listdir(dirname):
kabi_file = open(dirname + "/" + symbol, "r")
@@ -92,14 +92,14 @@ def load_whitelist_dir(whitelist, order, dirname):
if re.match("#[0-9]+-[0-9]+", line[0]):
print("Symbol {} is currently removed, ignoring".format(symbol))
continue
- whitelist[symbol] = line
+ stablelist[symbol] = line
order.append(symbol)
order.sort()
def make_kabi_file(filename, symvers, order):
- """Munge together whitelist and Module.symvers file."""
+ """Munge together stablelist and Module.symvers file."""
if os.path.isfile(filename):
print("{} already exists".format(filename))
@@ -114,16 +114,16 @@ def make_kabi_file(filename, symvers, order):
kabi_file.close()
-def make_kabi_dir(dirname, symvers, whitelist):
- """Munge together whitelist and Module.symvers file."""
+def make_kabi_dir(dirname, symvers, stablelist):
+ """Munge together stablelist and Module.symvers file."""
current_dir = os.getcwd()
os.chdir(dirname)
- for symbol in whitelist:
+ for symbol in stablelist:
if symbol in symvers:
kabi_file = open(symbol, "w")
- kabi_file.write(whitelist[symbol][0])
+ kabi_file.write(stablelist[symbol][0])
kabi_file.write(symvers[symbol] + "\n")
kabi_file.close()
@@ -132,9 +132,9 @@ def make_kabi_dir(dirname, symvers, whitelist):
def usage():
print("""make-kabi: process Module.symvers into reference Module.kabi output file/directory using
- the kabi whitelist provided as a set of symbols to filer on.
+ the kabi stablelist provided as a set of symbols to filer on.
- make-kabi [ -k Module.kabi or -d (kabi-module dir) ] [ -s Module.symvers ] [ -w kabi_whitelist ]
+ make-kabi [ -k Module.kabi or -d (kabi-module dir) ] [ -s Module.symvers ] [ -w kabi_stablelist ]
examples:
add checksums to files into kabi-module/kabi_x86_64/
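Review bot: In usage(), the rewritten line still reads "symbols to filer on"; since the line is being touched anyway, correct it to "filter". The option letter stays -w while its argument is now called kabi_stablelist, so either note in the help text that -w is kept for compatibility or add a new letter and keep -w as an alias.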
@@ -146,7 +146,7 @@ def usage():
if __name__ == "__main__":
- whitelist_source = ""
+ stablelist_source = ""
symvers_file = ""
kabi_output = ""
kabi_file = true
@@ -165,19 +165,19 @@ if __name__ == "__main__":
if o == "-d":
kabi_file = false
if o == "-w":
- whitelist_source = v
+ stablelist_source = v
- if (whitelist_source == "") or (symvers_file == "") or (kabi_output == "" and kabi_file):
+ if (stablelist_source == "") or (symvers_file == "") or (kabi_output == "" and kabi_file):
usage()
sys.exit(1)
symvers = {}
- whitelist = {}
- whitelist_order = []
+ stablelist = {}
+ stablelist_order = []
load_symvers(symvers, symvers_file)
- load_whitelist(whitelist, whitelist_order, whitelist_source)
+ load_stablelist(stablelist, stablelist_order, stablelist_source)
if kabi_file:
- make_kabi_file(kabi_output, symvers, whitelist_order)
+ make_kabi_file(kabi_output, symvers, stablelist_order)
else:
- make_kabi_dir(whitelist_source, symvers, whitelist)
+ make_kabi_dir(stablelist_source, symvers, stablelist)
diff --git a/redhat/kabi/show-kabi b/redhat/kabi/show-kabi
index blahblah..blahblah 100755
--- a/redhat/kabi/show-kabi
+++ b/redhat/kabi/show-kabi
@@ -26,7 +26,7 @@ import sys
def load_kabi(dirname, kabi, order, arch):
- """Load a reference whitelist content."""
+ """Load a reference stablelist content."""
try:
archlist = []
@@ -88,8 +88,8 @@ def show_kabi(kabi, order, release, fmt, show_head):
else:
rhel_minor = int(rhel_minor)
for current_arch in kabi:
- if show_head and (fmt == "whitelist"):
- print("[rhel8_{}_whitelist]".format(current_arch))
+ if show_head and (fmt == "stablelist"):
+ print("[rhel9_{}_stablelist]".format(current_arch))
for sym in order[current_arch]:
if kabi[current_arch][sym][0][0] != "#":
print("Invalid metadata format: {}".format(kabi[current_arch][sym][0]))
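Review bot: The header format string goes from "[rhel8_{}_whitelist]" to "[rhel9_{}_stablelist]", which changes the release number as well as the terminology, while the commit message describes only the rename. Split the rhel8 to rhel9 change into its own commit or mention it explicitly, and consider deriving the major version from the release argument that show_kabi() already receives instead of hard-coding it. Any consumer that matches generated files by section header is affected by both parts of the change.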
@@ -107,7 +107,7 @@ def show_kabi(kabi, order, release, fmt, show_head):
# format Module.kabi_$arch styled file
if fmt == "module":
print(kabi[current_arch][sym][1])
- # format kabi_whitelist_$arch styled file
+ # format kabi_stablelist_$arch styled file
else:
print("\t{}".format(sym))
@@ -117,9 +117,9 @@ def usage():
-a arch architecture, ( default all archs )
-k dir kabi-module root directory ( default ./kabi-module )
-m output Module.kabi_$(arch) styled file
- default output kabi_whitelist_$(arch) styled file
+ default output kabi_stablelist_$(arch) styled file
-r release release, for example 8.1 ( default latest )
- -s show header ( no headers like [rhel8_x86_64_whitelist] )
+ -s show header ( no headers like [rhel9_x86_64_stablelist] )
-h this help""")
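Review bot: The help text for -s now shows "[rhel9_x86_64_stablelist]", but the -r line two lines above still says "for example 8.1", so the usage output mixes two major releases. Update the -r example to match the new header. The -s description, "show header ( no headers like ... )", is also ambiguous about whether headers are printed by default; reword it while the line is open.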
@@ -131,7 +131,7 @@ if __name__ == "__main__":
kabi_dir = "kabi-module"
release = ""
kabi_head = False
- kabi_out = "whitelist"
+ kabi_out = "stablelist"
opts, args = getopt.getopt(sys.argv[1:], 'a:k:mr:sh')
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100755
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -156,8 +156,8 @@ Summary: The Linux kernel
%define with_bpftool %{?_without_bpftool: 0} %{?!_without_bpftool: 1}
# kernel-debuginfo
%define with_debuginfo %{?_without_debuginfo: 0} %{?!_without_debuginfo: 1}
-# kernel-abi-whitelists
-%define with_kernel_abi_whitelists %{?_without_kernel_abi_whitelists: 0} %{?!_without_kernel_abi_whitelists: 1}
+# kernel-abi-stablelists
+%define with_kernel_abi_stablelists %{?_without_kernel_abi_stablelists: 0} %{?!_without_kernel_abi_stablelists: 1}
# internal samples and selftests
%define with_selftests %{?_without_selftests: 0} %{?!_without_selftests: 1}
#
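Review bot: Renaming the conditional from _without_kernel_abi_whitelists to _without_kernel_abi_stablelists means an existing "--without kernel_abi_whitelists" on an rpmbuild command line no longer matches anything, and the subpackage is built anyway without an error. Either honour the old macro as well for a transition period or call the option rename out in the commit message so build scripts can be updated.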
@@ -217,8 +217,8 @@ Summary: The Linux kernel
%define with_cross_headers 0
# no ipa_clone for now
%define with_ipaclones 0
-# no whitelist
-%define with_kernel_abi_whitelists 0
+# no stablelist
+%define with_kernel_abi_stablelists 0
# Fedora builds these separately
%define with_perf 0
%define with_tools 0
@@ -246,7 +246,7 @@ Summary: The Linux kernel
%define with_kabidupchk 0
%define with_kabidwchk 0
%define with_kabidw_base 0
-%define with_kernel_abi_whitelists 0
+%define with_kernel_abi_stablelists 0
%endif
# turn off kABI DWARF-based check if we're generating the base dataset
@@ -305,7 +305,7 @@ Summary: The Linux kernel
%define with_perf 0
%define with_tools 0
%define with_bpftool 0
-%define with_kernel_abi_whitelists 0
+%define with_kernel_abi_stablelists 0
%define with_selftests 0
%define with_cross 0
%define with_cross_headers 0
@@ -325,7 +325,7 @@ Summary: The Linux kernel
%define with_perf 0
%define with_tools 0
%define with_bpftool 0
-%define with_kernel_abi_whitelists 0
+%define with_kernel_abi_stablelists 0
%define with_selftests 0
%define with_cross 0
%define with_cross_headers 0
@@ -348,7 +348,7 @@ Summary: The Linux kernel
%endif
%ifnarch noarch
-%define with_kernel_abi_whitelists 0
+%define with_kernel_abi_stablelists 0
%endif
# Overrides for generic default options
@@ -788,7 +788,7 @@ Source211: Module.kabi_dup_ppc64le
Source212: Module.kabi_dup_s390x
Source213: Module.kabi_dup_x86_64
-Source300: kernel-abi-whitelists-%{rpmversion}-%{distro_build}.tar.bz2
+Source300: kernel-abi-stablelists-%{rpmversion}-%{distro_build}.tar.bz2
Source301: kernel-kabi-dw-%{rpmversion}-%{distro_build}.tar.bz2
# Sources for kernel-tools
@@ -1034,10 +1034,10 @@ Summary: gcov graph and source files for coverage data collection.
kernel-gcov includes the gcov graph and source files for gcov coverage collection.
%endif
-%package -n kernel-abi-whitelists
-Summary: The Red Hat Enterprise Linux kernel ABI symbol whitelists
+%package -n kernel-abi-stablelists
+Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists
AutoReqProv: no
-%description -n kernel-abi-whitelists
+%description -n kernel-abi-stablelists
The kABI package contains information pertaining to the Red Hat Enterprise
Linux kernel ABI, including lists of kernel symbols that are needed by
external Linux kernel modules, and a yum plugin to aid enforcement.
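Review bot: The subpackage is renamed from kernel-abi-whitelists to kernel-abi-stablelists, and this hunk adds no Obsoletes: or Provides: for the old name. An installed kernel-abi-whitelists would then not be replaced on upgrade, and anything that requires the old name stops resolving. Add both tags under the new %package line unless the old name never shipped for this release, and say which case applies in the commit message.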
@@ -1734,13 +1734,13 @@ BuildKernel() {
mkdir -p $RPM_BUILD_ROOT/kabi-dwarf
tar xjvf %{SOURCE301} -C $RPM_BUILD_ROOT/kabi-dwarf
- mkdir -p $RPM_BUILD_ROOT/kabi-dwarf/whitelists
- tar xjvf %{SOURCE300} -C $RPM_BUILD_ROOT/kabi-dwarf/whitelists
+ mkdir -p $RPM_BUILD_ROOT/kabi-dwarf/stablelists
+ tar xjvf %{SOURCE300} -C $RPM_BUILD_ROOT/kabi-dwarf/stablelists
echo "**** GENERATING DWARF-based kABI baseline dataset ****"
chmod 0755 $RPM_BUILD_ROOT/kabi-dwarf/run_kabi-dw.sh
$RPM_BUILD_ROOT/kabi-dwarf/run_kabi-dw.sh generate \
- "$RPM_BUILD_ROOT/kabi-dwarf/whitelists/kabi-current/kabi_whitelist_%{_target_cpu}" \
+ "$RPM_BUILD_ROOT/kabi-dwarf/stablelists/kabi-current/kabi_stablelist_%{_target_cpu}" \
"$(pwd)" \
"$RPM_BUILD_ROOT/kabidw-base/%{_target_cpu}${Variant:+.${Variant}}" || :
@@ -1753,13 +1753,13 @@ BuildKernel() {
mkdir -p $RPM_BUILD_ROOT/kabi-dwarf
tar xjvf %{SOURCE301} -C $RPM_BUILD_ROOT/kabi-dwarf
if [ -d "$RPM_BUILD_ROOT/kabi-dwarf/base/%{_target_cpu}${Variant:+.${Variant}}" ]; then
- mkdir -p $RPM_BUILD_ROOT/kabi-dwarf/whitelists
- tar xjvf %{SOURCE300} -C $RPM_BUILD_ROOT/kabi-dwarf/whitelists
+ mkdir -p $RPM_BUILD_ROOT/kabi-dwarf/stablelists
+ tar xjvf %{SOURCE300} -C $RPM_BUILD_ROOT/kabi-dwarf/stablelists
echo "**** GENERATING DWARF-based kABI dataset ****"
chmod 0755 $RPM_BUILD_ROOT/kabi-dwarf/run_kabi-dw.sh
$RPM_BUILD_ROOT/kabi-dwarf/run_kabi-dw.sh generate \
- "$RPM_BUILD_ROOT/kabi-dwarf/whitelists/kabi-current/kabi_whitelist_%{_target_cpu}" \
+ "$RPM_BUILD_ROOT/kabi-dwarf/stablelists/kabi-current/kabi_stablelist_%{_target_cpu}" \
"$(pwd)" \
"$RPM_BUILD_ROOT/kabi-dwarf/base/%{_target_cpu}${Variant:+.${Variant}}.tmp" || :
@@ -2370,14 +2370,14 @@ done
rm -rf $RPM_BUILD_ROOT/usr/tmp-headers
%endif
-%if %{with_kernel_abi_whitelists}
+%if %{with_kernel_abi_stablelists}
# kabi directory
INSTALL_KABI_PATH=$RPM_BUILD_ROOT/lib/modules/
mkdir -p $INSTALL_KABI_PATH
# install kabi releases directories
tar xjvf %{SOURCE300} -C $INSTALL_KABI_PATH
-# with_kernel_abi_whitelists
+# with_kernel_abi_stablelists
%endif
%if %{with_perf}
@@ -2689,8 +2689,8 @@ fi
/usr/*-linux-gnu/include/*
%endif
-%if %{with_kernel_abi_whitelists}
-%files -n kernel-abi-whitelists
+%if %{with_kernel_abi_stablelists}
+%files -n kernel-abi-stablelists
/lib/modules/kabi-*
%endif
diff --git a/redhat/scripts/rh-dist-git.sh b/redhat/scripts/rh-dist-git.sh
index blahblah..blahblah 100755
--- a/redhat/scripts/rh-dist-git.sh
+++ b/redhat/scripts/rh-dist-git.sh
@@ -6,7 +6,7 @@
# $3: alternate tmp directory (if you have faster storage)
# $4: alternate dist-git server
# $5: kernel source tarball
-# $6: kabi whitelists tarball
+# $6: kabi stablelists tarball
# $7: dwarf-bases kabi tarball
# $8: zstream build
# $9: package name
@@ -63,10 +63,10 @@ echo "Uploading new tarballs"
sed -i "/linux-.*.tar.xz/d" "$tmpdir/$package_name"/{sources,.gitignore};
upload_list="$rhdistgit_tarball"
-# Only upload kernel-abi-whitelists tarball if its release counter changed.
+# Only upload kernel-abi-stablelists tarball if its release counter changed.
if [ "$rhdistgit_zstream_flag" == "no" ]; then
if ! grep -q "$rhdistgit_kabi_tarball" "$tmpdir/$package_name"/sources; then
- sed -i "/kernel-abi-whitelists.*.tar.bz2/d" "$tmpdir/$package_name"/{sources,.gitignore};
+ sed -i "/kernel-abi-stablelists.*.tar.bz2/d" "$tmpdir/$package_name"/{sources,.gitignore};
upload_list="$upload_list $rhdistgit_kabi_tarball"
fi
if ! grep -q "$rhdistgit_kabidw_tarball" "$tmpdir/$package_name"/sources; then
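Review bot: The sed expression now matches only "kernel-abi-stablelists.*.tar.bz2", so on the first upload after this change an existing kernel-abi-whitelists tarball entry in sources and .gitignore is never deleted and stays behind as a stale line. Remove both patterns for at least one transition, for example with "/kernel-abi-\(white\|stable\)lists.*\.tar\.bz2/d". The dots in ".*.tar.bz2" are unescaped and match any character; harmless here, but easy to tighten in the same edit.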
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1240
2 years, 9 months
[OS-BUILD PATCH] redhat/configs: Enable CONFIG_MLXBF_GIGE on aarch64
by Alaa Hleihel (via Email Bridge)
From: Alaa Hleihel <ahleihel(a)redhat.com>
redhat/configs: Enable CONFIG_MLXBF_GIGE on aarch64
Bugzilla: http://bugzilla.redhat.com/1858599
Upstream: RHEL-only
Build the mlxbf_gige driver on aarch64 systems for BlueField-2 systems.
The second generation BlueField SoC supports an out-of-band Gigabit
Ethernet management port to the Arm subsystem. This driver supports
TCP/IP network connectivity for that port, and provides back-end routines
to handle basic ethtool requests.
Signed-off-by: Alaa Hleihel <ahleihel(a)redhat.com>
diff --git a/redhat/configs/common/generic/CONFIG_MLXBF_GIGE b/redhat/configs/common/generic/CONFIG_MLXBF_GIGE
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/common/generic/CONFIG_MLXBF_GIGE
@@ -0,0 +1 @@
+# CONFIG_MLXBF_GIGE is not set
diff --git a/redhat/configs/common/generic/arm/aarch64/CONFIG_MLXBF_GIGE b/redhat/configs/common/generic/arm/aarch64/CONFIG_MLXBF_GIGE
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/common/generic/arm/aarch64/CONFIG_MLXBF_GIGE
@@ -0,0 +1 @@
+CONFIG_MLXBF_GIGE=m
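Review bot: The commit message tags this as "Upstream: RHEL-only", yet the "=m" file is added under redhat/configs/common and the pending-fedora entry is removed later in the patch, which indicates Fedora aarch64 builds pick up CONFIG_MLXBF_GIGE=m as well. State that in the commit message, or place the aarch64 file in the RHEL-specific config directory if only RHEL is meant to ship the driver.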
diff --git a/redhat/configs/pending-common/generic/CONFIG_MLXBF_GIGE b/redhat/configs/pending-common/generic/CONFIG_MLXBF_GIGE
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/pending-common/generic/CONFIG_MLXBF_GIGE
+++ /dev/null
@@ -1,21 +0,0 @@
-# CONFIG_MLXBF_GIGE:
-#
-# The second generation BlueField SoC from Mellanox Technologies
-# supports an out-of-band Gigabit Ethernet management port to the
-# Arm subsystem.
-#
-# Symbol: MLXBF_GIGE [=n]
-# Type : tristate
-# Defined at drivers/net/ethernet/mellanox/mlxbf_gige/Kconfig:6
-# Prompt: Mellanox Technologies BlueField Gigabit Ethernet support
-# Depends on: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_MELLANOX [=y] && (ARM64 [=y] && ACPI [=y] || COMPILE_TEST [=n])
-# Location:
-# -> Device Drivers
-# -> Network device support (NETDEVICES [=y])
-# -> Ethernet driver support (ETHERNET [=y])
-# -> Mellanox devices (NET_VENDOR_MELLANOX [=y])
-# Selects: PHYLIB [=y]
-#
-#
-#
-# CONFIG_MLXBF_GIGE is not set
diff --git a/redhat/configs/pending-fedora/generic/CONFIG_MLXBF_GIGE b/redhat/configs/pending-fedora/generic/CONFIG_MLXBF_GIGE
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/pending-fedora/generic/CONFIG_MLXBF_GIGE
+++ /dev/null
@@ -1,21 +0,0 @@
-# CONFIG_MLXBF_GIGE:
-#
-# The second generation BlueField SoC from Mellanox Technologies
-# supports an out-of-band Gigabit Ethernet management port to the
-# Arm subsystem.
-#
-# Symbol: MLXBF_GIGE [=n]
-# Type : tristate
-# Defined at drivers/net/ethernet/mellanox/mlxbf_gige/Kconfig:6
-# Prompt: Mellanox Technologies BlueField Gigabit Ethernet support
-# Depends on: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_MELLANOX [=y] && (ARM64 [=y] && ACPI [=y] || COMPILE_TEST [=n])
-# Location:
-# -> Device Drivers
-# -> Network device support (NETDEVICES [=y])
-# -> Ethernet driver support (ETHERNET [=y])
-# -> Mellanox devices (NET_VENDOR_MELLANOX [=y])
-# Selects: PHYLIB [=y]
-#
-#
-#
-# CONFIG_MLXBF_GIGE is not set
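Review bot: deleting the pending-fedora entry here, together with the new files under redhat/configs/common, makes this a Fedora change as well as a RHEL one, and the commit message (a RHEL Bugzilla link and "Upstream: RHEL-only") never says so. Either state in the message that Fedora aarch64 builds will also get CONFIG_MLXBF_GIGE=m, or keep the Fedora setting separate so it can be reviewed on its own. The two deleted pending files are identical, so one line of explanation covers both.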
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1222
2 years, 9 months
[OS-BUILD PATCH] redhat: add secureboot CA certificate to trusted kernel keyring
by Bruno Meneguele (via Email Bridge)
From: Bruno Meneguele <bmeneg(a)redhat.com>
redhat: add secureboot CA certificate to trusted kernel keyring
This patch is a forward-port from what we already have in RHEL-8 kernels and
should also be done in RHEL-9 to avoid unexpected failures on customers.
Add the secure boot key certificate to the trusted kernel keyring
(.builtin_trusted_keys) to allow the placement of the kernel signing key
(shipped with the distro) in other kernel trusted keyrings, i.e. .ima
trusted keyring.
The need for adding the secure boot CA cert in the trusted kernel keyring
exists only for arches without UEFI support which don't support adding certs
to .platform_keyring and, consequently, can't add our own kernel image
signing key to trusted keyrings.
The biggest usage of that is for loading signed kernel images during
kexec/kdump process in arches that depend on the IMA infrastructure to
check the signatures, which has the ability to verify appended signatures
instead of the UEFI PE format. Said arches are PowerPC and S390X.
Cc: Justin M. Forbes <jforbes(a)fedoraproject.org>
Cc: Herton R. Krzesinski <herton(a)redhat.com>
Cc: Patrick Talbert <ptalbert(a)redhat.com>
Signed-off-by: Bruno Meneguele <bmeneg(a)redhat.com>
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100755
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -1422,6 +1422,10 @@ done
openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem
+%ifarch s390x ppc64le
+openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
+cat secureboot.pem >> ../certs/rhel.pem
+%endif
for i in *.config; do
sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
done
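Review bot: the new %ifarch s390x ppc64le block appends a CA certificate to certs/rhel.pem, which the following sed wires into CONFIG_SYSTEM_TRUSTED_KEYS, so on those arches everything that chains to this CA becomes trusted by the built-in keyring, not only the kexec/kdump images the commit message is about. Please add a spec comment above the block stating why the CA (rather than just the kernel signing certificate) is needed and that the wider trust is intended. The block also assumes %{secureboot_ca_0} is defined and DER-encoded for both arches; nothing in this hunk shows that, so a guard or a note pointing at where the macro is set for s390x and ppc64le would help.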
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1235
2 years, 9 months