Compare commits
No commits in common. 'c9' and 'c8-beta' have entirely different histories.
@ -1,9 +1,12 @@
|
||||
SOURCES/kernel-abi-stablelists-5.14.0-503.19.1.el9_5.tar.bz2
|
||||
SOURCES/kernel-kabi-dw-5.14.0-503.19.1.el9_5.tar.bz2
|
||||
SOURCES/linux-5.14.0-503.19.1.el9_5.tar.xz
|
||||
SOURCES/nvidiagpuoot001.x509
|
||||
SOURCES/centossecureboot201.cer
|
||||
SOURCES/centossecurebootca2.cer
|
||||
SOURCES/kernel-abi-stablelists-4.18.0-544.tar.bz2
|
||||
SOURCES/kernel-kabi-dw-4.18.0-544.tar.bz2
|
||||
SOURCES/linux-4.18.0-544.el8.tar.xz
|
||||
SOURCES/redhatsecureboot302.cer
|
||||
SOURCES/redhatsecureboot303.cer
|
||||
SOURCES/redhatsecureboot501.cer
|
||||
SOURCES/redhatsecurebootca3.cer
|
||||
SOURCES/redhatsecurebootca7.cer
|
||||
SOURCES/rheldup3.x509
|
||||
SOURCES/rhelima.x509
|
||||
SOURCES/rhelima_centos.x509
|
||||
SOURCES/rhelimaca1.x509
|
||||
SOURCES/rhelkpatch1.x509
|
||||
|
@ -1,9 +1,12 @@
|
||||
a614816812a77eadc37c3e71e3b794d58ee62596 SOURCES/kernel-abi-stablelists-5.14.0-503.19.1.el9_5.tar.bz2
|
||||
3125e053f6237338119f6f6c32eb3144b0fcbff3 SOURCES/kernel-kabi-dw-5.14.0-503.19.1.el9_5.tar.bz2
|
||||
cb25584103dd0b8aa392bac6d1dbf713dc975219 SOURCES/linux-5.14.0-503.19.1.el9_5.tar.xz
|
||||
4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509
|
||||
2ba40bf9138b48311e5aa1b737b7f0a8ad66066f SOURCES/centossecureboot201.cer
|
||||
bfdb3d7cffc43f579655af5155d50c08671d95e5 SOURCES/centossecurebootca2.cer
|
||||
ea4ae4d04a859057c2e9404179d49ebc2851a8d5 SOURCES/kernel-abi-stablelists-4.18.0-544.tar.bz2
|
||||
618f2302d26295e300718d59e8551a0cdfc98022 SOURCES/kernel-kabi-dw-4.18.0-544.tar.bz2
|
||||
731f77831a5e9794d95976010d518e80a28afd72 SOURCES/linux-4.18.0-544.el8.tar.xz
|
||||
13e5cd3f856b472fde80a4deb75f4c18dfb5b255 SOURCES/redhatsecureboot302.cer
|
||||
e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot303.cer
|
||||
ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer
|
||||
cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
|
||||
905d91a282727c7f5ad433a49ac42a0772311c6a SOURCES/redhatsecurebootca7.cer
|
||||
95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509
|
||||
99e571f9de4188f3b5fdf1f84ff73f6cc4bb6a0e SOURCES/rhelima.x509
|
||||
61d5a223ff0c79189505abae77e0087c4b2d2b47 SOURCES/rhelima_centos.x509
|
||||
f882610d2554fef65703e5d3c342f005af0390ad SOURCES/rhelimaca1.x509
|
||||
d90885108d225a234a5a9d054fc80893a5bd54d0 SOURCES/rhelkpatch1.x509
|
||||
|
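Review bot: The manifest records bare 40-hex digests (SHA-1) for the el8 tarballs and certificate files, e.g. `731f77831a5e9794d95976010d518e80a28afd72 SOURCES/linux-4.18.0-544.el8.tar.xz`, so integrity verification of what the build pulls from the lookaside cache rests on SHA-1 alone; rpkg-based tools (fedpkg/centpkg) also accept the `SHA512 (<file>) = <digest>` manifest form, which is the stronger choice for new entries. Which of these lines are additions is not recoverable from the rendered hunk, so this applies to whichever el8 lines the branch adds. The same applies to the certificate entries (`redhatsecureboot*.cer`, `rhel*.x509`), since the keys the kernel trusts at boot are embedded from exactly these files.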
@ -1,67 +0,0 @@
|
||||
RHEL_MAJOR = 9
|
||||
RHEL_MINOR = 5
|
||||
|
||||
#
|
||||
# RHEL_RELEASE
|
||||
# -------------
|
||||
#
|
||||
# Represents build number in 'release' part of RPM's name-version-release.
|
||||
# name is <package_name>, e.g. kernel
|
||||
# version is upstream kernel version this kernel is based on, e.g. 4.18.0
|
||||
# release is <RHEL_RELEASE>.<dist_tag>[<buildid>], e.g. 100.el8
|
||||
#
|
||||
# Use this spot to avoid future merge conflicts.
|
||||
# Do not trim this comment.
|
||||
RHEL_RELEASE = 503.19.1
|
||||
|
||||
#
|
||||
# ZSTREAM
|
||||
# -------
|
||||
#
|
||||
# This variable controls whether we use zstream numbering or not for the
|
||||
# package release. The zstream release keeps the build number of the last
|
||||
# build done for ystream for the Beta milestone, and increments a second
|
||||
# number for each build. The third number is used for branched builds
|
||||
# (eg.: for builds with security fixes or hot fixes done outside of the
|
||||
# batch release process).
|
||||
#
|
||||
# For example, with ZSTREAM unset or set to "no", all builds will contain
|
||||
# a release with only the build number, eg.: kernel-<kernel version>-X.el*,
|
||||
# where X is the build number. With ZSTREAM set to "yes", we will have
|
||||
# builds with kernel-<kernel version>-X.Y.Z.el*, where X is the last
|
||||
# RHEL_RELEASE number before ZSTREAM flag was set to yes, Y will now be the
|
||||
# build number and Z will always be 1 except if you're doing a branched build
|
||||
# (when you give RHDISTGIT_BRANCH on the command line, in which case the Z
|
||||
# number will be incremented instead of the Y).
|
||||
#
|
||||
ZSTREAM ?= yes
|
||||
|
||||
#
|
||||
# Early y+1 numbering
|
||||
# --------------------
|
||||
#
|
||||
# In early y+1 process, RHEL_RELEASE consists of 2 numbers: x.y
|
||||
# First is RHEL_RELEASE inherited/merged from y as-is, second number
|
||||
# is incremented with each build starting from 1. After merge from y,
|
||||
# it resets back to 1. This way y+1 nvr reflects status of last merge.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# rhel8.0 rhel-8.1
|
||||
# kernel-4.18.0-58.el8 --> kernel-4.18.0-58.1.el8
|
||||
# kernel-4.18.0-58.2.el8
|
||||
# kernel-4.18.0-59.el8 kernel-4.18.0-59.1.el8
|
||||
# kernel-4.18.0-60.el8
|
||||
# kernel-4.18.0-61.el8 --> kernel-4.18.0-61.1.el8
|
||||
#
|
||||
#
|
||||
# Use this spot to avoid future merge conflicts.
|
||||
# Do not trim this comment.
|
||||
EARLY_YSTREAM ?= no
|
||||
EARLY_YBUILD:=
|
||||
EARLY_YRELEASE:=
|
||||
ifneq ("$(ZSTREAM)", "yes")
|
||||
ifeq ("$(EARLY_YSTREAM)","yes")
|
||||
RHEL_RELEASE:=$(RHEL_RELEASE).$(EARLY_YRELEASE)
|
||||
endif
|
||||
endif
|
@ -1,25 +0,0 @@
|
||||
===================
|
||||
The Kernel dist-git
|
||||
===================
|
||||
|
||||
The kernel is maintained in a `source tree`_ rather than directly in dist-git.
|
||||
The specfile is maintained as a `template`_ in the source tree along with a set
|
||||
of build scripts to generate configurations, (S)RPMs, and to populate the
|
||||
dist-git repository.
|
||||
|
||||
The `documentation`_ for the source tree covers how to contribute and maintain
|
||||
the tree.
|
||||
|
||||
If you're looking for the downstream patch set it's available in the source
|
||||
tree with "git log master..ark-patches" or
|
||||
`online`_.
|
||||
|
||||
Each release in dist-git is tagged in the source repository so you can easily
|
||||
check out the source tree for a build. The tags are in the format
|
||||
name-version-release, but note release doesn't contain the dist tag since the
|
||||
source can be built in different build roots (Fedora, CentOS, etc.)
|
||||
|
||||
.. _source tree: https://gitlab.com/cki-project/kernel-ark.git
|
||||
.. _template: https://gitlab.com/cki-project/kernel-ark/-/blob/os-build/redhat/kernel.spec.template
|
||||
.. _documentation: https://gitlab.com/cki-project/kernel-ark/-/wikis/home
|
||||
.. _online: https://gitlab.com/cki-project/kernel-ark/-/commits/ark-patches
|
@ -1,44 +0,0 @@
|
||||
# generic + compressed please
|
||||
hostonly="no"
|
||||
compress="xz"
|
||||
|
||||
# VMs can't update microcode anyway
|
||||
early_microcode="no"
|
||||
|
||||
# modules: basics
|
||||
dracutmodules+=" base systemd systemd-initrd dracut-systemd dbus dbus-broker usrmount shutdown "
|
||||
|
||||
# modules: storage support
|
||||
dracutmodules+=" dm lvm rootfs-block fs-lib "
|
||||
|
||||
# modules: tpm and crypto
|
||||
dracutmodules+=" crypt crypt-loop tpm2-tss "
|
||||
|
||||
# WALinuxagent-cvm with CVM specific udev rules
|
||||
dracutmodules+=" walinuxagentcvm "
|
||||
|
||||
# modules: root disk integrity protection
|
||||
dracutmodules+=" systemd-veritysetup "
|
||||
|
||||
# drivers: virtual buses, pci
|
||||
drivers+=" virtio-pci virtio-mmio " # qemu-kvm
|
||||
drivers+=" hv-vmbus pci-hyperv " # hyperv
|
||||
drivers+=" xen-pcifront " # xen
|
||||
|
||||
# drivers: storage
|
||||
drivers+=" ahci nvme sd_mod sr_mod " # generic
|
||||
drivers+=" virtio-blk virtio-scsi " # qemu-kvm
|
||||
drivers+=" hv-storvsc " # hyperv
|
||||
drivers+=" xen-blkfront " # xen
|
||||
|
||||
# root encryption
|
||||
drivers+=" dm_crypt "
|
||||
|
||||
# root disk integrity protection
|
||||
drivers+=" dm_verity overlay "
|
||||
|
||||
# filesystems
|
||||
filesystems+=" vfat ext4 xfs overlay "
|
||||
|
||||
# systemd-pcrphase
|
||||
install_items+=" /lib/systemd/system/systemd-pcrphase-initrd.service /usr/lib/systemd/systemd-pcrphase /usr/lib/systemd/system/initrd.target.wants/systemd-pcrphase-initrd.service "
|
@ -0,0 +1,31 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
. /etc/os-release
|
||||
|
||||
kernelver=$1 && shift
|
||||
rootfs=$1 && shift
|
||||
variant=$1 && shift
|
||||
|
||||
output="${rootfs}/lib/modules/${kernelver}/bls.conf"
|
||||
date=$(date -u +%Y%m%d%H%M%S)
|
||||
|
||||
if [ "${variant:-5}" = "debug" ]; then
|
||||
debugname=" with debugging"
|
||||
debugid="-debug"
|
||||
else
|
||||
debugname=""
|
||||
debugid=""
|
||||
fi
|
||||
|
||||
cat >${output} <<EOF
|
||||
title ${NAME} (${kernelver}) ${VERSION}${debugname}
|
||||
version ${kernelver}${debugid}
|
||||
linux ${bootprefix}/vmlinuz-${kernelver}
|
||||
initrd ${bootprefix}/initramfs-${kernelver}.img
|
||||
options \$kernelopts
|
||||
id ${ID}-${date}-${kernelver}${debugid}
|
||||
grub_users \$grub_users
|
||||
grub_arg --unrestricted
|
||||
grub_class kernel${variant}
|
||||
EOF
|
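Review bot: `bootprefix` is expanded on the `linux` and `initrd` lines but is never assigned in the script, and with `set -e` alone an unset variable silently expands to empty, so a typo or a missing export produces `linux /vmlinuz-…` with no error. If the empty prefix is the intended default (presumably adjusted later at install time, which is not visible here), make that explicit near the top with `bootprefix="${bootprefix:-}"` and run under `set -eu` so every other unset name is caught. The redirect `cat >${output}` should also be quoted, `cat >"${output}"`, since `rootfs` comes from the caller and may contain whitespace. `grub_arg --unrestricted` deserves a comment such as `# --unrestricted: entry boots without grub superuser authentication; it intentionally relaxes a grub password policy for this entry`, because the effect is easy to miss in a generated file.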
@ -1,2 +0,0 @@
|
||||
# This file is intentionally left empty in the stock kernel. Its a nicety
|
||||
# added for those wanting to do custom rebuilds with altered config opts.
|
@ -1,72 +0,0 @@
|
||||
#! /usr/bin/perl
|
||||
|
||||
my @args=@ARGV;
|
||||
my %configvalues;
|
||||
my @configoptions;
|
||||
my $configcounter = 0;
|
||||
|
||||
# optionally print out the architecture as the first line of our output
|
||||
my $arch = $args[2];
|
||||
if (defined $arch) {
|
||||
print "# $arch\n";
|
||||
}
|
||||
|
||||
# first, read the override file
|
||||
|
||||
open (FILE,"$args[0]") || die "Could not open $args[0]";
|
||||
while (<FILE>) {
|
||||
my $str = $_;
|
||||
my $configname;
|
||||
|
||||
if (/\# ([\w]+) is not set/) {
|
||||
$configname = $1;
|
||||
} elsif (/^\#/) {
|
||||
# fall through on comments like 'avoid CONFIG_FOO=y'
|
||||
;
|
||||
} elsif (/([\w]+)=/) {
|
||||
$configname = $1;
|
||||
}
|
||||
|
||||
if (defined($configname) && !exists($configvalues{$configname})) {
|
||||
$configvalues{$configname} = $str;
|
||||
$configoptions[$configcounter] = $configname;
|
||||
$configcounter ++;
|
||||
}
|
||||
};
|
||||
|
||||
# now, read and output the entire configfile, except for the overridden
|
||||
# parts... for those the new value is printed.
|
||||
|
||||
open (FILE2,"$args[1]") || die "Could not open $args[1]";
|
||||
while (<FILE2>) {
|
||||
my $configname;
|
||||
|
||||
if (/\# ([\w]+) is not set/) {
|
||||
$configname = $1;
|
||||
} elsif (/^\#/) {
|
||||
# fall through on comments like 'avoid CONFIG_FOO=y'
|
||||
;
|
||||
} elsif (/([\w]+)=/) {
|
||||
$configname = $1;
|
||||
}
|
||||
|
||||
if (defined($configname) && exists($configvalues{$configname})) {
|
||||
print "$configvalues{$configname}";
|
||||
delete($configvalues{$configname});
|
||||
} else {
|
||||
print "$_";
|
||||
}
|
||||
}
|
||||
|
||||
# now print the new values from the overridden configfile
|
||||
my $counter = 0;
|
||||
|
||||
while ($counter < $configcounter) {
|
||||
my $configname = $configoptions[$counter];
|
||||
if (exists($configvalues{$configname})) {
|
||||
print "$configvalues{$configname}";
|
||||
}
|
||||
$counter++;
|
||||
}
|
||||
|
||||
1;
|
@ -1,5 +0,0 @@
|
||||
kvm-amd
|
||||
kvm-intel
|
||||
kvm
|
||||
kvmgt
|
||||
ptp_kvm
|
@ -1,3 +0,0 @@
|
||||
afs
|
||||
rxperf
|
||||
rxrpc
|
@ -1,5 +0,0 @@
|
||||
# kgcov
|
||||
CONFIG_GCOV_KERNEL=y
|
||||
CONFIG_GCOV_PROFILE_ALL=y
|
||||
# CONFIG_GCOV_PROFILE_FTRACE is not set
|
||||
# CONFIG_OPEN_DICE is not set
|
@ -1,12 +0,0 @@
|
||||
{
|
||||
"virt": {
|
||||
"common": {
|
||||
"fips-disable.addon": [
|
||||
"fips=0\n"
|
||||
],
|
||||
"fips-enable.addon": [
|
||||
"fips=1\n"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
@ -1,151 +0,0 @@
|
||||
#!/usr/bin/env python3
|
||||
#
|
||||
# This script inspects a given json proving a list of addons, and
|
||||
# creates an addon for each key/value pair matching the given uki, distro and
|
||||
# arch provided in input.
|
||||
#
|
||||
# Usage: python uki_create_addons.py input_json out_dir uki distro arch
|
||||
#
|
||||
# This tool requires the systemd-ukify and systemd-boot packages.
|
||||
#
|
||||
# Addon file
|
||||
#-----------
|
||||
# Each addon terminates with .addon
|
||||
# Each addon contains only two types of lines:
|
||||
# Lines beginning with '#' are description and thus ignored
|
||||
# All other lines are command line to be added.
|
||||
# The name of the end resulting addon is taken from the json hierarchy.
|
||||
# For example, and addon in json['virt']['rhel']['x86_64']['hello.addon'] will
|
||||
# result in an UKI addon file generated in out_dir called
|
||||
# hello-virt.rhel.x86_64.addon.efi
|
||||
#
|
||||
# The common key, present in any sub-dict in the provided json (except the leaf dict)
|
||||
# is used as place for default addons when the same addon is not defined deep
|
||||
# in the hierarchy. For example, if we define test.addon (text: 'test1\n') in
|
||||
# json['common']['test.addon'] = ['test1\n'] and another test.addon (text: test2) in
|
||||
# json['virt']['common']['test.addon'] = ['test2'], any other uki except virt
|
||||
# will have a test.addon.efi with text "test1", and virt will have a
|
||||
# test.addon.efi with "test2"
|
||||
#
|
||||
# sbat.conf
|
||||
#----------
|
||||
# This dict is containing the sbat string for *all* addons being created.
|
||||
# This dict is optional, but when used has to be put in a sub-dict with
|
||||
# { 'sbat' : { 'sbat.conf' : ['your text here'] }}
|
||||
# It follows the same syntax as the addon files, meaning '#' is comment and
|
||||
# the rest is taken as sbat string and feed to ukify.
|
||||
|
||||
import os
|
||||
import sys
|
||||
import json
|
||||
import collections
|
||||
import subprocess
|
||||
|
||||
|
||||
UKIFY_PATH = '/usr/lib/systemd/ukify'
|
||||
|
||||
def usage(err):
|
||||
print(f'Usage: {os.path.basename(__file__)} input_json output_dir uki distro arch')
|
||||
print(f'Error:{err}')
|
||||
sys.exit(1)
|
||||
|
||||
def check_clean_arguments(input_json, out_dir):
|
||||
# Remove end '/'
|
||||
if out_dir[-1:] == '/':
|
||||
out_dir = out_dir[:-1]
|
||||
if not os.path.isfile(input_json):
|
||||
usage(f'input_json {input_json} is not a file, or does not exist!')
|
||||
if not os.path.isdir(out_dir):
|
||||
usage(f'out_dir_dir {out_dir} is not a dir, or does not exist!')
|
||||
return out_dir
|
||||
|
||||
UKICmdlineAddon = collections.namedtuple('UKICmdlineAddon', ['name', 'cmdline'])
|
||||
uki_addons_list = []
|
||||
uki_addons = {}
|
||||
addon_sbat_string = None
|
||||
|
||||
def parse_lines(lines, rstrip=True):
|
||||
cmdline = ''
|
||||
for l in lines:
|
||||
l = l.lstrip()
|
||||
if not l:
|
||||
continue
|
||||
if l[0] == '#':
|
||||
continue
|
||||
# rstrip is used only for addons cmdline, not sbat.conf, as it replaces
|
||||
# return lines with spaces.
|
||||
if rstrip:
|
||||
l = l.rstrip() + ' '
|
||||
cmdline += l
|
||||
if cmdline == '':
|
||||
return ''
|
||||
return cmdline
|
||||
|
||||
def parse_all_addons(in_obj):
|
||||
global addon_sbat_string
|
||||
|
||||
for el in in_obj.keys():
|
||||
# addon found: copy it in our global dict uki_addons
|
||||
if el.endswith('.addon'):
|
||||
uki_addons[el] = in_obj[el]
|
||||
|
||||
if 'sbat' in in_obj and 'sbat.conf' in in_obj['sbat']:
|
||||
# sbat.conf found: override sbat with the most specific one found
|
||||
addon_sbat_string = parse_lines(in_obj['sbat']['sbat.conf'], rstrip=False)
|
||||
|
||||
def recursively_find_addons(in_obj, folder_list):
|
||||
# end of recursion, leaf directory. Search all addons here
|
||||
if len(folder_list) == 0:
|
||||
parse_all_addons(in_obj)
|
||||
return
|
||||
|
||||
# first, check for common folder
|
||||
if 'common' in in_obj:
|
||||
parse_all_addons(in_obj['common'])
|
||||
|
||||
# second, check if there is a match with the searched folder
|
||||
if folder_list[0] in in_obj:
|
||||
folder_next = in_obj[folder_list[0]]
|
||||
folder_list = folder_list[1:]
|
||||
recursively_find_addons(folder_next, folder_list)
|
||||
|
||||
def parse_in_json(in_json, uki_name, distro, arch):
|
||||
with open(in_json, 'r') as f:
|
||||
in_obj = json.load(f)
|
||||
recursively_find_addons(in_obj, [uki_name, distro, arch])
|
||||
|
||||
for addon_name, cmdline in uki_addons.items():
|
||||
addon_name = addon_name.replace(".addon","")
|
||||
addon_full_name = f'{addon_name}-{uki_name}.{distro}.{arch}.addon.efi'
|
||||
cmdline = parse_lines(cmdline).rstrip()
|
||||
if cmdline:
|
||||
uki_addons_list.append(UKICmdlineAddon(addon_full_name, cmdline))
|
||||
|
||||
def create_addons(out_dir):
|
||||
for uki_addon in uki_addons_list:
|
||||
out_path = os.path.join(out_dir, uki_addon.name)
|
||||
cmd = [
|
||||
f'{UKIFY_PATH}', 'build',
|
||||
f'--cmdline="{uki_addon.cmdline}"',
|
||||
f'--output={out_path}']
|
||||
if addon_sbat_string:
|
||||
cmd.append('--sbat="' + addon_sbat_string.rstrip() +'"')
|
||||
|
||||
subprocess.check_call(cmd, text=True)
|
||||
|
||||
if __name__ == "__main__":
|
||||
argc = len(sys.argv) - 1
|
||||
if argc != 5:
|
||||
usage('too few or too many parameters!')
|
||||
|
||||
input_json = sys.argv[1]
|
||||
out_dir = sys.argv[2]
|
||||
uki_name = sys.argv[3]
|
||||
distro = sys.argv[4]
|
||||
arch = sys.argv[5]
|
||||
|
||||
out_dir = check_clean_arguments(input_json, out_dir)
|
||||
parse_in_json(input_json, uki_name, distro, arch)
|
||||
create_addons(out_dir)
|
||||
|
||||
|
@ -1,12 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
if [ -z "$1" ]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TARGET="$1"
|
||||
|
||||
for i in "$RPM_SOURCE_DIR"/*."$TARGET"; do
|
||||
NEW=${i%."$TARGET"}
|
||||
cp "$i" "$(basename "$NEW")"
|
||||
done
|
@ -1,16 +0,0 @@
|
||||
[ req ]
|
||||
default_bits = 3072
|
||||
distinguished_name = req_distinguished_name
|
||||
prompt = no
|
||||
x509_extensions = myexts
|
||||
|
||||
[ req_distinguished_name ]
|
||||
O = The CentOS Project
|
||||
CN = CentOS Stream kernel signing key
|
||||
emailAddress = security@centos.org
|
||||
|
||||
[ myexts ]
|
||||
basicConstraints=critical,CA:FALSE
|
||||
keyUsage=digitalSignature
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid
|