-rw-r--r-- | SOURCES/filter-aarch64.sh | 18 | ||||
-rw-r--r-- | SOURCES/filter-armv7hl.sh | 18 | ||||
-rw-r--r-- | SOURCES/filter-i686.sh | 14 | ||||
-rwxr-xr-x | SOURCES/filter-modules.sh | 170 | ||||
-rw-r--r-- | SOURCES/filter-ppc64le.sh | 14 | ||||
-rw-r--r-- | SOURCES/filter-s390x.sh | 12 | ||||
-rw-r--r-- | SOURCES/filter-x86_64.sh | 12 | ||||
-rw-r--r-- | SOURCES/iwlwifi-make-some-killer-wireless-ac-1550-cards-work-again.patch | 46 | ||||
-rw-r--r-- | SOURCES/mod-extra.list | 196 | ||||
-rw-r--r-- | SOURCES/redhatsecureboot301.cer | bin | 0 -> 899 bytes | |||
-rw-r--r-- | SOURCES/redhatsecureboot501.cer | bin | 0 -> 964 bytes | |||
-rw-r--r-- | SOURCES/redhatsecurebootca1.cer | bin | 0 -> 977 bytes | |||
-rw-r--r-- | SOURCES/redhatsecurebootca5.cer | bin | 0 -> 920 bytes | |||
-rw-r--r-- | SOURCES/selinux_allow_reading_labels_before_policy_is_loaded.patch | 48 | ||||
-rw-r--r-- | SOURCES/x509.genkey | 16 | ||||
-rw-r--r-- | SPECS/kernel.spec | 104 |
16 files changed, 631 insertions, 37 deletions
diff --git a/SOURCES/filter-aarch64.sh b/SOURCES/filter-aarch64.sh
new file mode 100644
index 0000000..7c3441b
--- /dev/null
+++ b/SOURCES/filter-aarch64.sh
@@ -0,0 +1,18 @@
+#! /bin/bash
+
+# This is the aarch64 override file for the core/drivers package split. The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below. If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+driverdirs="atm auxdisplay bcma bluetooth firewire fmc fpga infiniband isdn leds media memstick message mmc mtd nfc ntb pcmcia power ssb soundwire staging tty uio uwb w1"
+
+ethdrvs="3com adaptec arc alteon atheros broadcom cadence calxeda chelsio cisco dec dlink emulex icplus marvell micrel myricom neterion nvidia oki-semi packetengines qlogic rdc renesas sfc silan sis smsc stmicro sun tehuti ti via wiznet xircom"
+
+drmdrvs="amd arm bridge ast exynos hisilicon i2c imx mgag200 meson msm nouveau panel pl111 radeon rockchip tegra sun4i sun4i-drm-hdmi tinydrm vc4"
+
+singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qedi qla1280 9pnet_rdma rpcrdma nvmet-rdma nvme-rdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user sbp_target cxgbit iw_cxgb3 iw_cxgb4 cxgb3i cxgb3i cxgb3i_ddp cxgb4i chcr chtls"
diff --git a/SOURCES/filter-armv7hl.sh b/SOURCES/filter-armv7hl.sh
new file mode 100644
index 0000000..566083c
--- /dev/null
+++ b/SOURCES/filter-armv7hl.sh
@@ -0,0 +1,18 @@
+#! /bin/bash
+
+# This is the armv7hl override file for the core/drivers package split. The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below. If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+driverdirs="atm auxdisplay bcma bluetooth firewire fmc fpga infiniband isdn media memstick message nfc ntb pcmcia ssb soundwire staging tty uio uwb w1"
+
+ethdrvs="3com adaptec alteon altera amd atheros broadcom cadence chelsio cisco dec dlink emulex icplus mellanox micrel myricom natsemi neterion nvidia oki-semi packetengines qlogic rdc renesas sfc silan sis sun tehuti via wiznet xircom"
+
+drmdrvs="amd arm armada bridge ast exynos etnaviv hisilicon i2c imx meson mgag200 msm nouveau omapdrm panel pl111 radeon rockchip sti stm sun4i sun4i-drm-hdmi tegra tilcdc tinydrm vc4"
+
+singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qedi qla1280 9pnet_rdma rpcrdma nvmet-rdma nvme-rdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user sbp_target cxgbit iw_cxgb3 iw_cxgb4 cxgb3i cxgb3i cxgb3i_ddp cxgb4i chcr chtls bq27xxx_battery_hdq"
diff --git a/SOURCES/filter-i686.sh b/SOURCES/filter-i686.sh
new file mode 100644
index 0000000..1a13ddf
--- /dev/null
+++ b/SOURCES/filter-i686.sh
@@ -0,0 +1,14 @@
+#! /bin/bash
+
+# This is the i686 override file for the core/drivers package split. The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below. If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+driverdirs="atm auxdisplay bcma bluetooth firewire fmc fpga infiniband isdn leds media memstick mfd mmc mtd nfc ntb pcmcia platform power ssb soundwire staging tty uio uwb w1"
+
+singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qedi qla1280 9pnet_rdma rpcrdma nvmet-rdma nvme-rdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject hid-sensor-hub hid-sensor-magn-3d hid-sensor-incl-3d hid-sensor-gyro-3d hid-sensor-iio-common hid-sensor-accel-3d hid-sensor-trigger hid-sensor-als hid-sensor-rotation hid-sensor-temperature hid-sensor-humidity target_core_user sbp_target cxgbit iw_cxgb3 iw_cxgb4 cxgb3i cxgb3i cxgb3i_ddp cxgb4i chcr chtls parport_serial regmap-sdw hid-asus"
diff --git a/SOURCES/filter-modules.sh b/SOURCES/filter-modules.sh
new file mode 100755
index 0000000..436dcc5
--- /dev/null
+++ b/SOURCES/filter-modules.sh
@@ -0,0 +1,170 @@
+#! /bin/bash
+#
+# Called as filter-modules.sh list-of-modules Arch
+
+# This script filters the modules into the kernel-core and kernel-modules
+# subpackages. We list out subsystems/subdirs to prune from the installed
+# module directory. What is left is put into the kernel-core package. What is
+# pruned is contained in the kernel-modules package.
+#
+# This file contains the default subsys/subdirs to prune from all architectures.
+# If an architecture needs to differ, we source a per-arch filter-<arch>.sh file
+# that contains the set of override lists to be used instead. If a module or
+# subsys should be in kernel-modules on all arches, please change the defaults
+# listed here.
+
+# Overrides is individual modules which need to remain in kernel-core due to deps.
+overrides="cec"
+
+# Set the default dirs/modules to filter out
+driverdirs="atm auxdisplay bcma bluetooth firewire fmc fpga infiniband isdn leds media memstick mfd mmc mtd nfc ntb pcmcia platform power ssb soundwire staging tty uio uwb w1"
+
+chardrvs="mwave pcmcia"
+
+netdrvs="appletalk can dsa hamradio ieee802154 irda ppp slip usb wireless"
+
+ethdrvs="3com adaptec alteon amd aquantia atheros broadcom cadence calxeda chelsio cisco dec dlink emulex icplus marvell mellanox neterion nvidia oki-semi packetengines qlogic rdc renesas sfc silan sis smsc stmicro sun tehuti ti wiznet xircom"
+
+inputdrvs="gameport tablet touchscreen"
+
+scsidrvs="aacraid advansys aic7xxx aic94xx be2iscsi bfa bnx2i bnx2fc csiostor cxgbi esas2r fcoe fnic isci libsas lpfc megaraid mpt2sas mpt3sas mvsas pm8001 qla2xxx qla4xxx sym53c8xx_2 ufs qedf wd719x"
+
+usbdrvs="atm image misc serial wusbcore"
+
+fsdrvs="affs befs coda cramfs dlm ecryptfs hfs hfsplus jfs jffs2 minix ncpfs nilfs2 ocfs2 reiserfs romfs squashfs sysv ubifs ufs"
+
+netprots="6lowpan appletalk atm ax25 batman-adv bluetooth can dccp dsa ieee802154 irda l2tp mac80211 mac802154 mpls netrom nfc rds rfkill rose sctp smc wireless"
+
+drmdrvs="amd
ast bridge gma500 i2c i915 mgag200 nouveau panel radeon"
+
+iiodrvs="accel adc afe common dac gyro health humidity light magnetometer multiplexer orientation potentiometer potentiostat pressure temperature"
+
+singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qedi qla1280 9pnet_rdma rpcrdma nvmet-rdma nvme-rdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user sbp_target cxgbit iw_cxgb3 iw_cxgb4 cxgb3i cxgb3i cxgb3i_ddp cxgb4i chcr chtls parport_serial regmap-sdw hid-asus"
+
+# Grab the arch-specific filter list overrides
+source ./filter-$2.sh
+
+filter_dir() {
+ filelist=$1
+ dir=$2
+
+ grep -v -e "${dir}/" ${filelist} > ${filelist}.tmp
+
+ if [ $? -ne 0 ]
+ then
+ echo "Couldn't remove ${dir}. Skipping."
+ else
+ grep -e "${dir}/" ${filelist} >> k-d.list
+ mv ${filelist}.tmp $filelist
+ fi
+
+ return 0
+}
+
+filter_ko() {
+ filelist=$1
+ mod=$2
+
+ grep -v -e "${mod}.ko" ${filelist} > ${filelist}.tmp
+
+ if [ $? -ne 0 ]
+ then
+ echo "Couldn't remove ${mod}.ko Skipping."
+ else
+ grep -e "${mod}.ko" ${filelist} >> k-d.list
+ mv ${filelist}.tmp $filelist
+ fi
+
+ return 0
+}
+
+# Filter the drivers/ subsystems
+for subsys in ${driverdirs}
+do
+ filter_dir $1 drivers/${subsys}
+done
+
+# Filter the networking drivers
+for netdrv in ${netdrvs}
+do
+ filter_dir $1 drivers/net/${netdrv}
+done
+
+# Filter the char drivers
+for char in ${chardrvs}
+do
+ filter_dir $1 drivers/char/${input}
+done
+
+# Filter the ethernet drivers
+for eth in ${ethdrvs}
+do
+ filter_dir $1 drivers/net/ethernet/${eth}
+done
+
+# SCSI
+for scsi in ${scsidrvs}
+do
+ filter_dir $1 drivers/scsi/${scsi}
+done
+
+# Input
+for input in ${inputdrvs}
+do
+ filter_dir $1 drivers/input/${input}
+done
+
+# USB
+for usb in ${usbdrvs}
+do
+ filter_dir $1 drivers/usb/${usb}
+done
+
+# Filesystems
+for fs in ${fsdrvs}
+do
+ filter_dir $1 fs/${fs}
+done
+
+# Network protocols
+for prot in ${netprots}
+do
+ filter_dir $1 kernel/net/${prot}
+done
+
+# DRM
+for drm in ${drmdrvs}
+do
+ filter_dir $1 drivers/gpu/drm/${drm}
+done
+
+# Just kill sound.
+filter_dir $1 kernel/sound
+
+# Now go through and filter any single .ko files that might have deps on the
+# things we filtered above
+for mod in ${singlemods}
+do
+ filter_ko $1 ${mod}
+done
+
+# Now process the override list to bring those modules back into core
+for mod in ${overrides}
+do
+ grep -v -e "/${mod}.ko" k-d.list > k-d.list.tmp
+ if [ $? -ne 0 ]
+ then
+ echo "Couldn't save ${mod}.ko Skipping."
+ else
+ grep -e "/${mod}.ko" k-d.list >> $filelist
+ mv k-d.list.tmp k-d.list
+ fi
+
+done
+
+# Go through our generated drivers list and remove the .ko files. We'll
+# restore them later.
+for mod in `cat k-d.list`
+do
+ rm -rf $mod
+done
diff --git a/SOURCES/filter-ppc64le.sh b/SOURCES/filter-ppc64le.sh
new file mode 100644
index 0000000..24d3f13
--- /dev/null
+++ b/SOURCES/filter-ppc64le.sh
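Review bot: The char-driver loop in filter-modules.sh iterates `for char in ${chardrvs}` but passes `drivers/char/${input}` to filter_dir, and `input` is only assigned by the later Input loop. Unless a sourced per-arch file happens to set it, the pattern becomes `drivers/char//`, so the `mwave` and `pcmcia` entries are never moved to k-d.list. The call should read `filter_dir $1 drivers/char/${char}`. Separately, the closing loop passes unquoted words from `cat k-d.list` to `rm -rf $mod`; reading the list with `while IFS= read -r mod; do rm -rf -- "$mod"; done < k-d.list` keeps a path with whitespace or glob characters from expanding into something else before deletion.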
@@ -0,0 +1,14 @@
+#! /bin/bash
+
+# This is the ppc64le override file for the core/drivers package split. The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below. If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+driverdirs="atm auxdisplay bcma bluetooth firewire fmc fpga infiniband isdn leds media memstick message mmc mtd nfc ntb pcmcia platform power ssb staging tty uio uwb w1"
+
+singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qedi qla1280 9pnet_rdma rpcrdma nvmet-rdma nvme-rdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user sbp_target cxgbit iw_cxgb3 iw_cxgb4 cxgb3i cxgb3i cxgb3i_ddp cxgb4i chcr chtls"
diff --git a/SOURCES/filter-s390x.sh b/SOURCES/filter-s390x.sh
new file mode 100644
index 0000000..04f7110
--- /dev/null
+++ b/SOURCES/filter-s390x.sh
@@ -0,0 +1,12 @@
+#! /bin/bash
+
+# This is the s390x override file for the core/drivers package split. The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below. If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+# Defaults work so no need to override
diff --git a/SOURCES/filter-x86_64.sh b/SOURCES/filter-x86_64.sh
new file mode 100644
index 0000000..1aa80f2
--- /dev/null
+++ b/SOURCES/filter-x86_64.sh
@@ -0,0 +1,12 @@
+#! /bin/bash
+
+# This is the x86_64 override file for the core/drivers package split. The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below. If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+# Defaults work so no need to override
diff --git a/SOURCES/iwlwifi-make-some-killer-wireless-ac-1550-cards-work-again.patch b/SOURCES/iwlwifi-make-some-killer-wireless-ac-1550-cards-work-again.patch
new file mode 100644
index 0000000..8bbbd79
--- /dev/null
+++ b/SOURCES/iwlwifi-make-some-killer-wireless-ac-1550-cards-work-again.patch
@@ -0,0 +1,46 @@ +From MAILER-DAEMON Wed Jul 15 12:54:09 2020 +From: Alessio Bonfiglio <alessio.bonfiglio@mail.polimi.it> +To: linux-wireless@vger.kernel.org +Cc: Alessio Bonfiglio <alessio.bonfiglio@mail.polimi.it>, Johannes Berg <johannes.berg@intel.com>, Emmanuel Grumbach <emmanuel.grumbach@intel.com>, Luca Coelho <luciano.coelho@intel.com>, Intel Linux Wireless <linuxwifi@intel.com> +Subject: [PATCH v2] iwlwifi: Make some Killer Wireless-AC 1550 cards work again +Date: Tue, 14 Jul 2020 11:19:11 +0200 +Message-Id: <20200714091911.4442-1-alessio.bonfiglio@mail.polimi.it> +In-Reply-To: <87imeqcwbt.fsf@tynnyri.adurom.net> +References: <87imeqcwbt.fsf@tynnyri.adurom.net> +Sender: linux-wireless-owner@vger.kernel.org +List-ID: <linux-wireless.vger.kernel.org> +X-Mailing-List: linux-wireless@vger.kernel.org +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +Fix the regression introduced by commit c8685937d07f ("iwlwifi: move +pu devices to new table") by adding the ids and the configurations of +two missing Killer 1550 cards in order to configure and let them work +correctly again (following the new table convention). +Resolve bug 208141 ("Wireless ac 9560 not working kernel 5.7.2", +https://bugzilla.kernel.org/show_bug.cgi?id=208141). 
+ +Fixes: c8685937d07f ("iwlwifi: move pu devices to new table") +Signed-off-by: Alessio Bonfiglio <alessio.bonfiglio@mail.polimi.it> +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index 65d65c6baf4c..e02bafb8921f 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -582,6 +582,8 @@ static const struct iwl_dev_info iwl_dev_info_table[] = { + IWL_DEV_INFO(0x30DC, 0x1552, iwl9560_2ac_cfg_soc, iwl9560_killer_1550i_name), + IWL_DEV_INFO(0x31DC, 0x1551, iwl9560_2ac_cfg_soc, iwl9560_killer_1550s_name), + IWL_DEV_INFO(0x31DC, 0x1552, iwl9560_2ac_cfg_soc, iwl9560_killer_1550i_name), ++ IWL_DEV_INFO(0xA370, 0x1551, iwl9560_2ac_cfg_soc, iwl9560_killer_1550s_name), ++ IWL_DEV_INFO(0xA370, 0x1552, iwl9560_2ac_cfg_soc, iwl9560_killer_1550i_name), + + IWL_DEV_INFO(0x271C, 0x0214, iwl9260_2ac_cfg, iwl9260_1_name), + +-- +2.27.0 + + diff --git a/SOURCES/mod-extra.list b/SOURCES/mod-extra.list new file mode 100644 index 0000000..8140f5c --- /dev/null +++ b/SOURCES/mod-extra.list 
@@ -0,0 +1,196 @@ +6pack.ko +a3d.ko +act200l-sir.ko +actisys-sir.ko +adi.ko +aer_inject.ko +af_802154.ko +affs.ko +ali-ircc.ko +analog.ko +appletalk.ko +atm.ko +avma1_cs.ko +avm_cs.ko +avmfritz.ko +ax25.ko +b1.ko +bas_gigaset.ko +batman-adv.ko +baycom_par.ko +baycom_ser_fdx.ko +baycom_ser_hdx.ko +befs.ko +bpqether.ko +br2684.ko +capi.ko +c_can.ko +c_can_platform.ko +clip.ko +cobra.ko +coda.ko +cuse.ko +db9.ko +dccp_diag.ko +dccp_ipv4.ko +dccp_ipv6.ko +dccp.ko +dccp_probe.ko +diva_idi.ko +divas.ko +dlm.ko +ds1wm.ko +ds2482.ko +ds2490.ko +dss1_divert.ko +elsa_cs.ko +ems_pci.ko +ems_usb.ko +esd_usb2.ko +esi-sir.ko +floppy.ko +gamecon.ko +gf2k.ko +gfs2.ko +gigaset.ko +girbil-sir.ko +grip.ko +grip_mp.ko +guillemot.ko +hdlcdrv.ko +hfc4s8s_l1.ko +hfcmulti.ko +hfcpci.ko +hisax.ko +hwa-rc.ko +hysdn.ko +i2400m.ko +i2400m-sdio.ko +i2400m-usb.ko +ieee802154.ko +iforce.ko +interact.ko +ipddp.ko +ipx.ko +isdn.ko +joydump.ko +kingsun-sir.ko +ks959-sir.ko +ksdazzle-sir.ko +kvaser_pci.ko +l2tp_core.ko +l2tp_debugfs.ko +l2tp_eth.ko +l2tp_ip.ko +l2tp_netlink.ko +l2tp_ppp.ko +lec.ko +ma600-sir.ko +magellan.ko +mcp2120-sir.ko +mISDN_core.ko +mISDN_dsp.ko +mkiss.ko +mptbase.ko +mptctl.ko +mptfc.ko +nci.ko +ncpfs.ko +netjet.ko +netrom.ko +nfc.ko +nilfs2.ko +ocfs2_dlmfs.ko +ocfs2_dlm.ko +ocfs2.ko +ocfs2_nodemanager.ko +ocfs2_stackglue.ko +ocfs2_stack_o2cb.ko +ocfs2_stack_user.ko +old_belkin-sir.ko +orinoco_cs.ko +orinoco.ko +orinoco_nortel.ko +orinoco_pci.ko +orinoco_plx.ko +orinoco_usb.ko +pcspkr.ko +plx_pci.ko +pn_pep.ko +pppoatm.ko +rds.ko +rds_rdma.ko +rds_tcp.ko +rose.ko +sch_atm.ko +sch_cbq.ko +sch_choke.ko +sch_drr.ko +sch_dsmark.ko +sch_etf.ko +sch_gred.ko +sch_mqprio.ko +sch_multiq.ko +sch_netem.ko +sch_qfq.ko +sch_red.ko +sch_sfb.ko +sch_teql.ko +sctp.ko +sctp_probe.ko +sidewinder.ko +sja1000.ko +sja1000_platform.ko +slcan.ko +slip.ko +softing_cs.ko +softing.ko +spaceball.ko +spaceorb.ko +stinger.ko +sysv.ko +tcp_bic.ko +tcp_highspeed.ko +tcp_htcp.ko +tcp_hybla.ko 
+tcp_illinois.ko +tcp_lp.ko +tcp_scalable.ko +tcp_vegas.ko +tcp_veno.ko +tcp_westwood.ko +tcp_yeah.ko +tekram-sir.ko +tmdc.ko +toim3232-sir.ko +trancevibrator.ko +turbografx.ko +twidjoy.ko +ubifs.ko +ufs.ko +umc.ko +usbip-core.ko +usbip-host.ko +uwb.ko +vcan.ko +vhci-hcd.ko +w1_bq27000.ko +w1_ds2408.ko +w1_ds2423.ko +w1_ds2431.ko +w1_ds2433.ko +w1_ds2760.ko +w1_ds2780.ko +w1_ds2781.ko +w1_ds28e04.ko +w1_smem.ko +w1_therm.ko +w6692.ko +walkera0701.ko +wanrouter.ko +warrior.ko +whci.ko +wire.ko +xpad.ko +yam.ko +zhenhua.ko diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer Binary files differnew file mode 100644 index 0000000..20e6604 --- /dev/null +++ b/SOURCES/redhatsecureboot301.cer diff --git a/SOURCES/redhatsecureboot501.cer b/SOURCES/redhatsecureboot501.cer Binary files differnew file mode 100644 index 0000000..dfa7afb --- /dev/null +++ b/SOURCES/redhatsecureboot501.cer diff --git a/SOURCES/redhatsecurebootca1.cer b/SOURCES/redhatsecurebootca1.cer Binary files differnew file mode 100644 index 0000000..b235400 --- /dev/null +++ b/SOURCES/redhatsecurebootca1.cer diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer Binary files differnew file mode 100644 index 0000000..dfb0284 --- /dev/null +++ b/SOURCES/redhatsecurebootca5.cer diff --git a/SOURCES/selinux_allow_reading_labels_before_policy_is_loaded.patch b/SOURCES/selinux_allow_reading_labels_before_policy_is_loaded.patch new file mode 100644 index 0000000..5335915 --- /dev/null +++ b/SOURCES/selinux_allow_reading_labels_before_policy_is_loaded.patch 
@@ -0,0 +1,48 @@ +From c8e222616c7e98305bdc861db3ccac520bc29921 Mon Sep 17 00:00:00 2001 +From: Jonathan Lebon <jlebon@redhat.com> +Date: Thu, 28 May 2020 10:39:40 -0400 +Subject: selinux: allow reading labels before policy is loaded + +This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow +labeling before policy is loaded") did for `setxattr`; it allows +querying the current SELinux label on disk before the policy is loaded. + +One of the motivations described in that commit message also drives this +patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be +able to move the root filesystem for example, from xfs to ext4 on RAID, +on first boot, at initrd time.[1] + +Because such an operation works at the filesystem level, we need to be +able to read the SELinux labels first from the original root, and apply +them to the files of the new root. The previous commit enabled the +second part of this process; this commit enables the first part. + +[1] https://github.com/coreos/fedora-coreos-tracker/issues/94 + +Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> +Signed-off-by: Jonathan Lebon <jlebon@redhat.com> +Signed-off-by: Paul Moore <paul@paul-moore.com> +--- + security/selinux/hooks.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index efa6108b1ce9..ca901025802a 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3332,7 +3332,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void + char *context = NULL; + struct inode_security_struct *isec; + +- if (strcmp(name, XATTR_SELINUX_SUFFIX)) ++ /* ++ * If we're not initialized yet, then we can't validate contexts, so ++ * just let vfs_getxattr fall back to using the on-disk xattr. ++ */ ++ if (!selinux_initialized(&selinux_state) || ++ strcmp(name, XATTR_SELINUX_SUFFIX)) + return -EOPNOTSUPP; + + /* +-- +cgit 1.2.3-1.el7 
diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey new file mode 100644 index 0000000..2f90e1b --- /dev/null +++ b/SOURCES/x509.genkey @@ -0,0 +1,16 @@ +[ req ] +default_bits = 4096 +distinguished_name = req_distinguished_name +prompt = no +x509_extensions = myexts + +[ req_distinguished_name ] +O = Fedora +CN = Fedora kernel signing key +emailAddress = kernel-team@fedoraproject.org + +[ myexts ] +basicConstraints=critical,CA:FALSE +keyUsage=digitalSignature +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 9edde19..74fd8e4 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -56,7 +56,7 @@ Summary: The Linux kernel %global zipsed -e 's/\.ko$/\.ko.xz/' %endif -# define buildid .local +%define buildid .fsync %if 0%{?fedora} %define primary_target fedora @@ -80,7 +80,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 202 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -92,7 +92,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 9 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -203,8 +203,8 @@ Summary: The Linux kernel %define debugbuildsenabled 1 %if 0%{?fedora} -# Kernel headers are being normally split out into a separate package but I am lazy -%define with_headers 0 +# Kernel headers are being split out into a separate package +%define with_headers 1 %define with_cross_headers 0 # no selftests for now %define with_selftests 0 
@@ -227,7 +227,7 @@ Summary: The Linux kernel # pkg_release is what we'll fill in for the rpm Release: field %if 0%{?released_kernel} -%define pkg_release fsync.%{fedora_build}%{?buildid}%{?dist} +%define pkg_release %{fedora_build}%{?buildid}%{?dist} %else @@ -242,7 +242,7 @@ Summary: The Linux kernel %else %define gittag .git0 %endif -%define pkg_release fsync.%{?rctag}%{?gittag}.%{fedora_build}%{?buildid}%{?dist} +%define pkg_release 0%{?rctag}%{?gittag}.%{fedora_build}%{?buildid}%{?dist} %endif 
@@ -637,41 +637,51 @@ Source10: x509.genkey.rhel Source11: x509.genkey.fedora %if %{?released_kernel} -Source12: securebootca.cer -Source13: secureboot.cer -Source14: secureboot_s390.cer -Source15: secureboot_ppc.cer +Source12: redhatsecurebootca5.cer +Source13: redhatsecurebootca1.cer +Source14: redhatsecureboot501.cer +Source15: redhatsecureboot301.cer +Source16: secureboot_s390.cer +Source17: secureboot_ppc.cer -%define secureboot_ca %{SOURCE12} +%define secureboot_ca_1 %{SOURCE12} +%define secureboot_ca_0 %{SOURCE13} %ifarch x86_64 aarch64 -%define secureboot_key %{SOURCE13} -%define pesign_name redhatsecureboot301 +%define secureboot_key_1 %{SOURCE14} +%define pesign_name_1 redhatsecureboot501 +%define secureboot_key_0 %{SOURCE15} +%define pesign_name_0 redhatsecureboot301 %endif %ifarch s390x -%define secureboot_key %{SOURCE14} -%define pesign_name redhatsecureboot302 +%define secureboot_key_0 %{SOURCE16} +%define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_key %{SOURCE15} -%define pesign_name redhatsecureboot303 +%define secureboot_key_0 %{SOURCE17} +%define pesign_name_0 redhatsecureboot303 %endif # released_kernel %else -Source12: redhatsecurebootca2.cer -Source13: redhatsecureboot003.cer +Source12: redhatsecurebootca4.cer +Source13: redhatsecurebootca2.cer +Source14: redhatsecureboot401.cer +Source15: redhatsecureboot003.cer -%define secureboot_ca %{SOURCE12} -%define secureboot_key %{SOURCE13} -%define pesign_name redhatsecureboot003 +%define secureboot_ca_1 %{SOURCE12} +%define secureboot_ca_0 %{SOURCE13} +%define secureboot_key_1 %{SOURCE14} +%define pesign_name_1 redhatsecureboot401 +%define secureboot_key_0 %{SOURCE15} +%define pesign_name_0 redhatsecureboot003 # released_kernel %endif Source22: mod-extra.list.rhel -Source16: mod-extra.list.fedora -Source17: mod-extra.sh +Source23: mod-extra.list.fedora +Source24: mod-extra.sh Source18: mod-sign.sh Source19: mod-extra-blacklist.sh Source79: parallel_xz.sh 
@@ -853,6 +863,9 @@ Patch105: 0001-virt-vbox-Log-unknown-ioctl-requests-as-error.patch # Thinkpad dual fan control Patch107: 0001-platform-x86-thinkpad_acpi-Add-support-for-dual-fan-.patch +# https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?h=next&id=c8e222616c7e98305bdc861db3ccac520bc29921 +Patch108: selinux_allow_reading_labels_before_policy_is_loaded.patch + # Latest upstream screen driver - https://patchwork.kernel.org/patch/11627069/ Patch110: 0001-dt-bindings-vendor-prefixes-Add-Xingbangda.patch Patch111: 0002-dt-bindings-panel-Convert-rocktech-jh057n00900-to-ya.patch @@ -872,6 +885,9 @@ Patch123: 0001-usb-fusb302-Convert-to-use-GPIO-descriptors.patch # Tegra194 ACPI PCI quirk - http://patchwork.ozlabs.org/patch/1221384/ Patch124: 0001-PCI-Add-MCFG-quirks-for-Tegra194-host-controllers.patch +# Killer wireless headed to stable +Patch125: iwlwifi-make-some-killer-wireless-ac-1550-cards-work-again.patch + # Linux-tkg patches - https://github.com/Frogging-Family/linux-tkg/blob/master/linux57-tkg Patch202: 0003-glitched-base.patch Patch203: 0007-v5.7-fsync.patch @@ -1537,7 +1553,7 @@ git commit -a -m "Stable update" # Note: Even in the "nopatches" path some patches (build tweaks and compile # fixes) will always get applied; see patch defition above for details -git am --ignore-space-change --ignore-whitespace --whitespace=fix %{patches} +git am %{patches} # END OF PATCH APPLICATIONS 
@@ -1789,11 +1805,13 @@ BuildKernel() { fi %ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name} + %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} + %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} + rm vmlinuz.tmp %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then - rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed + rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed elif [ $DoModules -eq 1 ]; then chmod +x scripts/sign-file ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed @@ -2083,11 +2101,11 @@ BuildKernel() { popd # Call the modules-extra script to move things around - %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer $RPM_SOURCE_DIR/mod-extra.list + %{SOURCE24} $RPM_BUILD_ROOT/lib/modules/$KernelVer $RPM_SOURCE_DIR/mod-extra.list # Blacklist net autoloadable modules in modules-extra %{SOURCE19} $RPM_BUILD_ROOT lib/modules/$KernelVer # Call the modules-extra script for internal modules - %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE54} internal + %{SOURCE24} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE54} internal # # Generate the kernel-core and kernel-modules files lists 
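Review bot: The two `%pesign` calls under `%ifarch x86_64 aarch64` carry no comment saying that the image is now signed twice or why the `_0` key goes first, which is what anyone auditing the Secure Boot chain for this package will need to know. The second call takes the already-signed `vmlinuz.tmp` as input and writes `vmlinuz.signed`, so a short comment above the pair would record the intent, for example `# Dual-sign: first with the _0 key/CA, then add the _1 key/CA on top; vmlinuz.signed carries both`. It would also help to note beside the macro definitions that s390x and ppc64le define only the `_0` key and name, so that the single-signature path there reads as deliberate. BuildKernel's body starts and ends outside this hunk.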
@@ -2184,11 +2202,17 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %ifarch x86_64 aarch64 + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer + install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer + ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %else + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %endif %ifarch s390x ppc64le if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then - install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} else install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} @@ -2918,7 +2942,7 @@ fi %if 0%{!?fedora:1}\ /lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\ %endif\ -%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\ +%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca*.cer\ %ifarch s390x ppc64le\ %if 0%{!?4:1}\ %{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \ 
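Review bot: The date-stamped install names look swapped relative to the macro definitions earlier in this commit. `%{secureboot_ca_0}` is `%{SOURCE13}` (redhatsecurebootca1.cer in the released_kernel branch) and is installed as `kernel-signing-ca-20200609.cer`, while `%{secureboot_ca_1}` is `%{SOURCE12}` (redhatsecurebootca5.cer) and is installed as `kernel-signing-ca-20140212.cer`. If the CA numbering is chronological, which the diff does not show, the older certificate ships under the newer date and the `kernel-signing-ca.cer` symlink points at it, so users verifying or enrolling trust from these files would pick up the wrong CA. Confirm each certificate's validity dates (for example with `openssl x509 -inform der -noout -dates -in <file>`) and either swap the two target names or add a comment stating which CA each name carries.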
@@ -2971,11 +2995,17 @@ fi # # %changelog -* Tue Jul 14 2020 Jan Drögehoff <sentrycraft123@gmail.com> - 5.7.8-fsync.202 -- Linux v5.7.8 add zen patches +* Tue Jul 21 2020 Jan Drögehoff <sentrycraft123@gmail.com> - 5.7.9-fsync.201 +- Linux v5.7.9 zen fsync + +* Fri Jul 17 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.7.9-100 +- Linux v5.7.9 + +* Wed Jul 15 2020 Justin M. Forbes <jforbes@fedoraproject.org> +- Make some killer wireless ac 1550 cards work again -* Sun Jul 12 2020 Jan Drögehoff <sentrycraft123@gmail.com> - 5.7.8-fsync.201 -- Linux v5.7.8 fsync +* Sun Jul 12 2020 Peter Robinson <pbrobinson@fedoraproject.org> +- selinux: allow reading labels before policy is loaded (rhbz 1845210) * Thu Jul 09 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.7.8-200 - Linux v5.7.8 |