
No commits in common. 'i9-beta' and 'c9' have entirely different histories.
i9-beta ... c9

9
.gitignore vendored

@ -1,10 +1,9 @@
SOURCES/kernel-abi-stablelists-5.14.0-362.2.1.el9_3.tar.bz2 SOURCES/kernel-abi-stablelists-5.14.0-503.21.1.el9_5.tar.bz2
SOURCES/kernel-kabi-dw-5.14.0-362.2.1.el9_3.tar.bz2 SOURCES/kernel-kabi-dw-5.14.0-503.21.1.el9_5.tar.bz2
SOURCES/linux-5.14.0-362.2.1.el9_3.tar.xz SOURCES/linux-5.14.0-503.21.1.el9_5.tar.xz
SOURCES/nvidiagpuoot001.x509
SOURCES/rheldup3.x509 SOURCES/rheldup3.x509
SOURCES/rhelima.x509 SOURCES/rhelima.x509
SOURCES/rhelima_centos.x509 SOURCES/rhelima_centos.x509
SOURCES/rhelimaca1.x509 SOURCES/rhelimaca1.x509
SOURCES/rhelkpatch1.x509 SOURCES/rhelkpatch1.x509
SOURCES/uki-sb-cert-x86_64-centos.crt
SOURCES/uki-sb-cert-x86_64-rhel.crt

@ -1,10 +1,9 @@
bb12c72040bbf00908c3e99026dd89bad4994f3b SOURCES/kernel-abi-stablelists-5.14.0-362.2.1.el9_3.tar.bz2 023098c717c2e24de9abfb42e2ef61d0b07ae0ae SOURCES/kernel-abi-stablelists-5.14.0-503.21.1.el9_5.tar.bz2
7a088da56e2d8e73aec42fe36e1b941ab6b4cad3 SOURCES/kernel-kabi-dw-5.14.0-362.2.1.el9_3.tar.bz2 9f7d11f9441c95849aa8426b0ff55a222ea7e259 SOURCES/kernel-kabi-dw-5.14.0-503.21.1.el9_5.tar.bz2
db2da617795bb14242f55307c0dc5336e9680b78 SOURCES/linux-5.14.0-362.2.1.el9_3.tar.xz ec6499347a0f23cb3721b869947b563c40762ba2 SOURCES/linux-5.14.0-503.21.1.el9_5.tar.xz
4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509
95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509 95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509
99e571f9de4188f3b5fdf1f84ff73f6cc4bb6a0e SOURCES/rhelima.x509 99e571f9de4188f3b5fdf1f84ff73f6cc4bb6a0e SOURCES/rhelima.x509
61d5a223ff0c79189505abae77e0087c4b2d2b47 SOURCES/rhelima_centos.x509 61d5a223ff0c79189505abae77e0087c4b2d2b47 SOURCES/rhelima_centos.x509
f882610d2554fef65703e5d3c342f005af0390ad SOURCES/rhelimaca1.x509 f882610d2554fef65703e5d3c342f005af0390ad SOURCES/rhelimaca1.x509
d90885108d225a234a5a9d054fc80893a5bd54d0 SOURCES/rhelkpatch1.x509 d90885108d225a234a5a9d054fc80893a5bd54d0 SOURCES/rhelkpatch1.x509
20224d67a583b98009a1c1632bb4b639b0e8be6a SOURCES/uki-sb-cert-x86_64-centos.crt
1d51d3a037ad287095b0a13c4deeb1252d8ff0cc SOURCES/uki-sb-cert-x86_64-rhel.crt

@ -1,5 +1,5 @@
RHEL_MAJOR = 9 RHEL_MAJOR = 9
RHEL_MINOR = 3 RHEL_MINOR = 5
# #
# RHEL_RELEASE # RHEL_RELEASE
@ -12,7 +12,7 @@ RHEL_MINOR = 3
# #
# Use this spot to avoid future merge conflicts. # Use this spot to avoid future merge conflicts.
# Do not trim this comment. # Do not trim this comment.
RHEL_RELEASE = 362.2.1 RHEL_RELEASE = 503.21.1
# #
# ZSTREAM # ZSTREAM


@ -17,6 +17,9 @@ dracutmodules+=" crypt crypt-loop tpm2-tss "
# WALinuxagent-cvm with CVM specific udev rules # WALinuxagent-cvm with CVM specific udev rules
dracutmodules+=" walinuxagentcvm " dracutmodules+=" walinuxagentcvm "
# modules: root disk integrity protection
dracutmodules+=" systemd-veritysetup "
# drivers: virtual buses, pci # drivers: virtual buses, pci
drivers+=" virtio-pci virtio-mmio " # qemu-kvm drivers+=" virtio-pci virtio-mmio " # qemu-kvm
drivers+=" hv-vmbus pci-hyperv " # hyperv drivers+=" hv-vmbus pci-hyperv " # hyperv
@ -31,6 +34,9 @@ drivers+=" xen-blkfront " # xen
# root encryption # root encryption
drivers+=" dm_crypt " drivers+=" dm_crypt "
# root disk integrity protection
drivers+=" dm_verity overlay "
# filesystems # filesystems
filesystems+=" vfat ext4 xfs overlay " filesystems+=" vfat ext4 xfs overlay "
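Review bot: `overlay` is added to `drivers+=` under "root disk integrity protection" even though the `filesystems+=" vfat ext4 xfs overlay "` line just below already lists it. If both entries are needed, a short comment saying why would help the next reader; otherwise `drivers+=" dm_verity "` would be enough.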

@ -14,7 +14,7 @@
# listed here. # listed here.
# Overrides is individual modules which need to remain in kernel-core due to deps. # Overrides is individual modules which need to remain in kernel-core due to deps.
overrides="cec" overrides="cec isst_if_common isst_tpmi_core isst_tpmi intel_vsec intel_vsec_tpmi"
# Set the default dirs/modules to filter out # Set the default dirs/modules to filter out
driverdirs="atm auxdisplay bcma bluetooth firewire fmc iio infiniband isdn leds media memstick mfd mmc mtd nfc ntb pcmcia platform power ssb staging tty uio uwb w1" driverdirs="atm auxdisplay bcma bluetooth firewire fmc iio infiniband isdn leds media memstick mfd mmc mtd nfc ntb pcmcia platform power ssb staging tty uio uwb w1"
@ -33,7 +33,7 @@ scsidrvs="aacraid aic7xxx aic94xx be2iscsi bfa bnx2i bnx2fc csiostor cxgbi esas2
usbdrvs="atm image misc serial wusbcore" usbdrvs="atm image misc serial wusbcore"
fsdrvs="affs befs cifs coda cramfs ecryptfs hfs hfsplus jfs minix ncpfs nilfs2 ocfs2 reiserfs romfs squashfs sysv ubifs ufs" fsdrvs="affs befs smb coda cramfs ecryptfs hfs hfsplus jfs minix ncpfs nilfs2 ocfs2 reiserfs romfs squashfs sysv ubifs ufs"
netprots="6lowpan appletalk atm ax25 batman-adv bluetooth can dccp dsa ieee802154 irda l2tp mac80211 mac802154 mpls netrom nfc rds rfkill rose sctp smc wireless" netprots="6lowpan appletalk atm ax25 batman-adv bluetooth can dccp dsa ieee802154 irda l2tp mac80211 mac802154 mpls netrom nfc rds rfkill rose sctp smc wireless"

@ -7,3 +7,8 @@ rules:
- !PassingTestCaseRule {test_case_name: cki.tier1-ppc64le.functional} - !PassingTestCaseRule {test_case_name: cki.tier1-ppc64le.functional}
- !PassingTestCaseRule {test_case_name: cki.tier1-s390x.functional} - !PassingTestCaseRule {test_case_name: cki.tier1-s390x.functional}
- !PassingTestCaseRule {test_case_name: cki.tier1-x86_64.functional} - !PassingTestCaseRule {test_case_name: cki.tier1-x86_64.functional}
- !PassingTestCaseRule {test_case_name: s1-aws-ci_x86_64.brew-build.tier1.functional}
- !PassingTestCaseRule {test_case_name: s1-aws-ci_aarch64.brew-build.tier1.functional}
- !PassingTestCaseRule {test_case_name: s1-azure-ci_x86_64.brew-build.tier1.functional}
- !PassingTestCaseRule {test_case_name: s1-azure-ci_aarch64.brew-build.tier1.functional}
- !PassingTestCaseRule {test_case_name: s1-gcp-ci.brew-build.tier1.functional}


@ -158,6 +158,7 @@ tcp_veno.ko
tcp_westwood.ko tcp_westwood.ko
tcp_yeah.ko tcp_yeah.ko
tekram-sir.ko tekram-sir.ko
test_lockup.ko
tmdc.ko tmdc.ko
toim3232-sir.ko toim3232-sir.ko
trancevibrator.ko trancevibrator.ko
@ -188,6 +189,5 @@ wanrouter.ko
warrior.ko warrior.ko
whci.ko whci.ko
wire.ko wire.ko
wwan_hwsim.ko
yam.ko yam.ko
zhenhua.ko zhenhua.ko

@ -16,7 +16,7 @@ soc-utils-test
string-stream-test string-stream-test
test_linear_ranges test_linear_ranges
test_bits test_bits
test_kasan kasan_test
time_test time_test
fat_test fat_test
lib_test lib_test
@ -68,6 +68,7 @@ drm_dp_mst_helper_test
drm_format_helper_test drm_format_helper_test
drm_format_test drm_format_test
drm_framebuffer_test drm_framebuffer_test
drm_gem_shmem_test
drm_kunit_helpers drm_kunit_helpers
drm_mm_test drm_mm_test
drm_plane_helper_test drm_plane_helper_test
@ -77,3 +78,20 @@ drm_connector_test
drm_managed_test drm_managed_test
drm_modes_test drm_modes_test
drm_probe_helper_test drm_probe_helper_test
input_test
hashtable_test
hid-uclogic-test
strcat_kunit
strscpy_kunit
siphash_kunit
handshake-test
drm_exec_test
regmap-kunit
cfg80211-tests
mac80211-tests
wwan_hwsim
checksum_kunit
arm-smmu-v3-test
iwlwifi-tests
sound_kunit
amd-pstate-ut

@ -19,7 +19,7 @@ NPROC=$(nproc)
[ -z "$NPROC" ] && NPROC=1 [ -z "$NPROC" ] && NPROC=1
# NB: this loop runs 2000+ iterations. Try to be fast. # NB: this loop runs 2000+ iterations. Try to be fast.
echo "$modules" | xargs -r -n16 -P $NPROC sh -c " echo "$modules" | xargs -r -n16 -P "$NPROC" sh -c "
for mod; do for mod; do
./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$mod ./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$mod
rm -f \$mod.sig \$mod.dig rm -f \$mod.sig \$mod.dig
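Review bot: `$MODSECKEY` and `$MODPUBKEY` on the `sign-file` line are still expanded unquoted by the outer shell into the `sh -c` string, so a key path containing whitespace or shell metacharacters is re-parsed by the inner shell; the change quotes only `"$NPROC"`. `\$mod` is likewise unquoted on both the `sign-file` and `rm -f` lines. Escaped quotes would narrow this: `./scripts/sign-file sha256 \"$MODSECKEY\" \"$MODPUBKEY\" \"\$mod\"` and `rm -f \"\$mod.sig\" \"\$mod.dig\"`. Passing the two key paths as positional arguments to `sh -c` would avoid the re-parsing altogether. The `sh -c` body continues past the end of the hunk, so whether a `sign-file` failure stops the build cannot be seen from here.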

Binary file not shown.

Binary file not shown.

@ -311,12 +311,14 @@ function process_configs()
process_config "$cfg" "$count" process_config "$cfg" "$count"
fi fi
process_config "$cfg" "$count" & process_config "$cfg" "$count" &
# shellcheck disable=SC2004
waitpids[${count}]=$! waitpids[${count}]=$!
((count++)) ((count++))
while [ "$(jobs | grep -c Running)" -ge "$RHJOBS" ]; do :; done while [ "$(jobs | grep -c Running)" -ge "$RHJOBS" ]; do :; done
done done
# shellcheck disable=SC2048
for pid in ${waitpids[*]}; do for pid in ${waitpids[*]}; do
wait ${pid} wait "${pid}"
done done
rm "$SCRIPT_DIR"/*.config*.old rm "$SCRIPT_DIR"/*.config*.old
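Review bot: The two added `# shellcheck disable` directives silence SC2004 and SC2048 instead of fixing what they report, although the same hunk does fix the quoting on `wait "${pid}"`. Both have one-line fixes: `waitpids[count]=$!` and `for pid in "${waitpids[@]}"; do`. The exit status of `wait "${pid}"` is also not checked in the visible lines, so a failed background `process_config` may go unnoticed unless it is handled elsewhere. `process_configs` starts and ends outside the hunk.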

@ -6,6 +6,9 @@ inspections:
kmidiff: off kmidiff: off
upstream: off upstream: off
subpackages: off subpackages: off
license: off
debuginfo: off
removedfiles: off
badfuncs: badfuncs:
ignore: ignore:
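Review bot: `license: off`, `debuginfo: off` and `removedfiles: off` disable three more inspections with no comment saying why. A one-line comment above each key, for example `# removedfiles: disabled because <reason / tracking issue>`, would let a later reader tell a deliberate exemption from a temporary workaround that should be reverted. The `inspections:` block starts before the hunk and the `badfuncs` section continues after it.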

@ -0,0 +1,12 @@
{
"virt": {
"common": {
"fips-disable.addon": [
"fips=0\n"
],
"fips-enable.addon": [
"fips=1\n"
]
}
}
}

@ -0,0 +1,151 @@
#!/usr/bin/env python3
#
# This script inspects a given json proving a list of addons, and
# creates an addon for each key/value pair matching the given uki, distro and
# arch provided in input.
#
# Usage: python uki_create_addons.py input_json out_dir uki distro arch
#
# This tool requires the systemd-ukify and systemd-boot packages.
#
# Addon file
#-----------
# Each addon terminates with .addon
# Each addon contains only two types of lines:
# Lines beginning with '#' are description and thus ignored
# All other lines are command line to be added.
# The name of the end resulting addon is taken from the json hierarchy.
# For example, and addon in json['virt']['rhel']['x86_64']['hello.addon'] will
# result in an UKI addon file generated in out_dir called
# hello-virt.rhel.x86_64.addon.efi
#
# The common key, present in any sub-dict in the provided json (except the leaf dict)
# is used as place for default addons when the same addon is not defined deep
# in the hierarchy. For example, if we define test.addon (text: 'test1\n') in
# json['common']['test.addon'] = ['test1\n'] and another test.addon (text: test2) in
# json['virt']['common']['test.addon'] = ['test2'], any other uki except virt
# will have a test.addon.efi with text "test1", and virt will have a
# test.addon.efi with "test2"
#
# sbat.conf
#----------
# This dict is containing the sbat string for *all* addons being created.
# This dict is optional, but when used has to be put in a sub-dict with
# { 'sbat' : { 'sbat.conf' : ['your text here'] }}
# It follows the same syntax as the addon files, meaning '#' is comment and
# the rest is taken as sbat string and feed to ukify.
import os
import sys
import json
import collections
import subprocess
UKIFY_PATH = '/usr/lib/systemd/ukify'
def usage(err):
print(f'Usage: {os.path.basename(__file__)} input_json output_dir uki distro arch')
print(f'Error:{err}')
sys.exit(1)
def check_clean_arguments(input_json, out_dir):
# Remove end '/'
if out_dir[-1:] == '/':
out_dir = out_dir[:-1]
if not os.path.isfile(input_json):
usage(f'input_json {input_json} is not a file, or does not exist!')
if not os.path.isdir(out_dir):
usage(f'out_dir_dir {out_dir} is not a dir, or does not exist!')
return out_dir
UKICmdlineAddon = collections.namedtuple('UKICmdlineAddon', ['name', 'cmdline'])
uki_addons_list = []
uki_addons = {}
addon_sbat_string = None
def parse_lines(lines, rstrip=True):
cmdline = ''
for l in lines:
l = l.lstrip()
if not l:
continue
if l[0] == '#':
continue
# rstrip is used only for addons cmdline, not sbat.conf, as it replaces
# return lines with spaces.
if rstrip:
l = l.rstrip() + ' '
cmdline += l
if cmdline == '':
return ''
return cmdline
def parse_all_addons(in_obj):
global addon_sbat_string
for el in in_obj.keys():
# addon found: copy it in our global dict uki_addons
if el.endswith('.addon'):
uki_addons[el] = in_obj[el]
if 'sbat' in in_obj and 'sbat.conf' in in_obj['sbat']:
# sbat.conf found: override sbat with the most specific one found
addon_sbat_string = parse_lines(in_obj['sbat']['sbat.conf'], rstrip=False)
def recursively_find_addons(in_obj, folder_list):
# end of recursion, leaf directory. Search all addons here
if len(folder_list) == 0:
parse_all_addons(in_obj)
return
# first, check for common folder
if 'common' in in_obj:
parse_all_addons(in_obj['common'])
# second, check if there is a match with the searched folder
if folder_list[0] in in_obj:
folder_next = in_obj[folder_list[0]]
folder_list = folder_list[1:]
recursively_find_addons(folder_next, folder_list)
def parse_in_json(in_json, uki_name, distro, arch):
with open(in_json, 'r') as f:
in_obj = json.load(f)
recursively_find_addons(in_obj, [uki_name, distro, arch])
for addon_name, cmdline in uki_addons.items():
addon_name = addon_name.replace(".addon","")
addon_full_name = f'{addon_name}-{uki_name}.{distro}.{arch}.addon.efi'
cmdline = parse_lines(cmdline).rstrip()
if cmdline:
uki_addons_list.append(UKICmdlineAddon(addon_full_name, cmdline))
def create_addons(out_dir):
for uki_addon in uki_addons_list:
out_path = os.path.join(out_dir, uki_addon.name)
cmd = [
f'{UKIFY_PATH}', 'build',
f'--cmdline="{uki_addon.cmdline}"',
f'--output={out_path}']
if addon_sbat_string:
cmd.append('--sbat="' + addon_sbat_string.rstrip() +'"')
subprocess.check_call(cmd, text=True)
if __name__ == "__main__":
argc = len(sys.argv) - 1
if argc != 5:
usage('too few or too many parameters!')
input_json = sys.argv[1]
out_dir = sys.argv[2]
uki_name = sys.argv[3]
distro = sys.argv[4]
arch = sys.argv[5]
out_dir = check_clean_arguments(input_json, out_dir)
parse_in_json(input_json, uki_name, distro, arch)
create_addons(out_dir)
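Review bot: In `create_addons`, the `--cmdline="..."` and `--sbat="..."` arguments carry literal double quotes, because `cmd` is passed to `subprocess.check_call` as an argv list and no shell strips them. ukify therefore receives the quote characters as part of the value. For the SBAT string this presumably leaves a stray `"` at the start and end of the section data, which could keep the addon's SBAT entries from being matched in revocation checks; this is worth confirming against a built addon. Dropping the quotes fixes it: `f'--cmdline={uki_addon.cmdline}'` and `cmd.append('--sbat=' + addon_sbat_string.rstrip())`. Separately, addon names built from JSON keys and the `uki`/`distro`/`arch` arguments go straight into `os.path.join(out_dir, ...)`, so rejecting names that contain a path separator would keep the output inside `out_dir`.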

@ -7,6 +7,6 @@ fi
TARGET="$1" TARGET="$1"
for i in "$RPM_SOURCE_DIR"/*."$TARGET"; do for i in "$RPM_SOURCE_DIR"/*."$TARGET"; do
NEW=${i%.$TARGET} NEW=${i%."$TARGET"}
cp "$i" "$(basename "$NEW")" cp "$i" "$(basename "$NEW")"
done done

@ -5,9 +5,9 @@ prompt = no
x509_extensions = myexts x509_extensions = myexts
[ req_distinguished_name ] [ req_distinguished_name ]
O = NCSD LLC O = The CentOS Project
CN = MSVSphere kernel signing key CN = CentOS Stream kernel signing key
emailAddress = security@msvsphere.ru emailAddress = security@centos.org
[ myexts ] [ myexts ]
basicConstraints=critical,CA:FALSE basicConstraints=critical,CA:FALSE

@ -5,9 +5,9 @@ prompt = no
x509_extensions = myexts x509_extensions = myexts
[ req_distinguished_name ] [ req_distinguished_name ]
O = NCSD LLC O = Red Hat
CN = MSVSphere kernel signing key CN = Red Hat Enterprise Linux kernel signing key
emailAddress = security@msvsphere.ru emailAddress = secalert@redhat.com
[ myexts ] [ myexts ]
basicConstraints=critical,CA:FALSE basicConstraints=critical,CA:FALSE
