-rw-r--r--SOURCES/filter-aarch64.sh18
-rw-r--r--SOURCES/filter-armv7hl.sh18
-rw-r--r--SOURCES/filter-i686.sh14
-rwxr-xr-xSOURCES/filter-modules.sh170
-rw-r--r--SOURCES/filter-ppc64le.sh14
-rw-r--r--SOURCES/filter-s390x.sh12
-rw-r--r--SOURCES/filter-x86_64.sh12
-rw-r--r--SOURCES/iwlwifi-make-some-killer-wireless-ac-1550-cards-work-again.patch46
-rw-r--r--SOURCES/mod-extra.list196
-rw-r--r--SOURCES/redhatsecureboot301.cerbin0 -> 899 bytes
-rw-r--r--SOURCES/redhatsecureboot501.cerbin0 -> 964 bytes
-rw-r--r--SOURCES/redhatsecurebootca1.cerbin0 -> 977 bytes
-rw-r--r--SOURCES/redhatsecurebootca5.cerbin0 -> 920 bytes
-rw-r--r--SOURCES/selinux_allow_reading_labels_before_policy_is_loaded.patch48
-rw-r--r--SOURCES/x509.genkey16
-rw-r--r--SPECS/kernel.spec104
16 files changed, 631 insertions, 37 deletions
diff --git a/SOURCES/filter-aarch64.sh b/SOURCES/filter-aarch64.sh
new file mode 100644
index 0000000..7c3441b
--- /dev/null
+++ b/SOURCES/filter-aarch64.sh
@@ -0,0 +1,18 @@
+#! /bin/bash
+
+# This is the aarch64 override file for the core/drivers package split. The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below. If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+driverdirs="atm auxdisplay bcma bluetooth firewire fmc fpga infiniband isdn leds media memstick message mmc mtd nfc ntb pcmcia power ssb soundwire staging tty uio uwb w1"
+
+ethdrvs="3com adaptec arc alteon atheros broadcom cadence calxeda chelsio cisco dec dlink emulex icplus marvell micrel myricom neterion nvidia oki-semi packetengines qlogic rdc renesas sfc silan sis smsc stmicro sun tehuti ti via wiznet xircom"
+
+drmdrvs="amd arm bridge ast exynos hisilicon i2c imx mgag200 meson msm nouveau panel pl111 radeon rockchip tegra sun4i sun4i-drm-hdmi tinydrm vc4"
+
+singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qedi qla1280 9pnet_rdma rpcrdma nvmet-rdma nvme-rdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user sbp_target cxgbit iw_cxgb3 iw_cxgb4 cxgb3i cxgb3i cxgb3i_ddp cxgb4i chcr chtls"
diff --git a/SOURCES/filter-armv7hl.sh b/SOURCES/filter-armv7hl.sh
new file mode 100644
index 0000000..566083c
--- /dev/null
+++ b/SOURCES/filter-armv7hl.sh
@@ -0,0 +1,18 @@
+#! /bin/bash
+
+# This is the armv7hl override file for the core/drivers package split. The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below. If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+driverdirs="atm auxdisplay bcma bluetooth firewire fmc fpga infiniband isdn media memstick message nfc ntb pcmcia ssb soundwire staging tty uio uwb w1"
+
+ethdrvs="3com adaptec alteon altera amd atheros broadcom cadence chelsio cisco dec dlink emulex icplus mellanox micrel myricom natsemi neterion nvidia oki-semi packetengines qlogic rdc renesas sfc silan sis sun tehuti via wiznet xircom"
+
+drmdrvs="amd arm armada bridge ast exynos etnaviv hisilicon i2c imx meson mgag200 msm nouveau omapdrm panel pl111 radeon rockchip sti stm sun4i sun4i-drm-hdmi tegra tilcdc tinydrm vc4"
+
+singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qedi qla1280 9pnet_rdma rpcrdma nvmet-rdma nvme-rdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user sbp_target cxgbit iw_cxgb3 iw_cxgb4 cxgb3i cxgb3i cxgb3i_ddp cxgb4i chcr chtls bq27xxx_battery_hdq"
diff --git a/SOURCES/filter-i686.sh b/SOURCES/filter-i686.sh
new file mode 100644
index 0000000..1a13ddf
--- /dev/null
+++ b/SOURCES/filter-i686.sh
@@ -0,0 +1,14 @@
+#! /bin/bash
+
+# This is the i686 override file for the core/drivers package split. The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below. If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+driverdirs="atm auxdisplay bcma bluetooth firewire fmc fpga infiniband isdn leds media memstick mfd mmc mtd nfc ntb pcmcia platform power ssb soundwire staging tty uio uwb w1"
+
+singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qedi qla1280 9pnet_rdma rpcrdma nvmet-rdma nvme-rdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject hid-sensor-hub hid-sensor-magn-3d hid-sensor-incl-3d hid-sensor-gyro-3d hid-sensor-iio-common hid-sensor-accel-3d hid-sensor-trigger hid-sensor-als hid-sensor-rotation hid-sensor-temperature hid-sensor-humidity target_core_user sbp_target cxgbit iw_cxgb3 iw_cxgb4 cxgb3i cxgb3i cxgb3i_ddp cxgb4i chcr chtls parport_serial regmap-sdw hid-asus"
diff --git a/SOURCES/filter-modules.sh b/SOURCES/filter-modules.sh
new file mode 100755
index 0000000..436dcc5
--- /dev/null
+++ b/SOURCES/filter-modules.sh
@@ -0,0 +1,170 @@
+#! /bin/bash
+#
+# Called as filter-modules.sh list-of-modules Arch
+
+# This script filters the modules into the kernel-core and kernel-modules
+# subpackages. We list out subsystems/subdirs to prune from the installed
+# module directory. What is left is put into the kernel-core package. What is
+# pruned is contained in the kernel-modules package.
+#
+# This file contains the default subsys/subdirs to prune from all architectures.
+# If an architecture needs to differ, we source a per-arch filter-<arch>.sh file
+# that contains the set of override lists to be used instead. If a module or
+# subsys should be in kernel-modules on all arches, please change the defaults
+# listed here.
+
+# Overrides is individual modules which need to remain in kernel-core due to deps.
+overrides="cec"
+
+# Set the default dirs/modules to filter out
+driverdirs="atm auxdisplay bcma bluetooth firewire fmc fpga infiniband isdn leds media memstick mfd mmc mtd nfc ntb pcmcia platform power ssb soundwire staging tty uio uwb w1"
+
+chardrvs="mwave pcmcia"
+
+netdrvs="appletalk can dsa hamradio ieee802154 irda ppp slip usb wireless"
+
+ethdrvs="3com adaptec alteon amd aquantia atheros broadcom cadence calxeda chelsio cisco dec dlink emulex icplus marvell mellanox neterion nvidia oki-semi packetengines qlogic rdc renesas sfc silan sis smsc stmicro sun tehuti ti wiznet xircom"
+
+inputdrvs="gameport tablet touchscreen"
+
+scsidrvs="aacraid advansys aic7xxx aic94xx be2iscsi bfa bnx2i bnx2fc csiostor cxgbi esas2r fcoe fnic isci libsas lpfc megaraid mpt2sas mpt3sas mvsas pm8001 qla2xxx qla4xxx sym53c8xx_2 ufs qedf wd719x"
+
+usbdrvs="atm image misc serial wusbcore"
+
+fsdrvs="affs befs coda cramfs dlm ecryptfs hfs hfsplus jfs jffs2 minix ncpfs nilfs2 ocfs2 reiserfs romfs squashfs sysv ubifs ufs"
+
+netprots="6lowpan appletalk atm ax25 batman-adv bluetooth can dccp dsa ieee802154 irda l2tp mac80211 mac802154 mpls netrom nfc rds rfkill rose sctp smc wireless"
+
+drmdrvs="amd ast bridge gma500 i2c i915 mgag200 nouveau panel radeon"
+
+iiodrvs="accel adc afe common dac gyro health humidity light magnetometer multiplexer orientation potentiometer potentiostat pressure temperature"
+
+singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qedi qla1280 9pnet_rdma rpcrdma nvmet-rdma nvme-rdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user sbp_target cxgbit iw_cxgb3 iw_cxgb4 cxgb3i cxgb3i cxgb3i_ddp cxgb4i chcr chtls parport_serial regmap-sdw hid-asus"
+
+# Grab the arch-specific filter list overrides
+source ./filter-$2.sh
+
+filter_dir() {
+ filelist=$1
+ dir=$2
+
+ grep -v -e "${dir}/" ${filelist} > ${filelist}.tmp
+
+ if [ $? -ne 0 ]
+ then
+ echo "Couldn't remove ${dir}. Skipping."
+ else
+ grep -e "${dir}/" ${filelist} >> k-d.list
+ mv ${filelist}.tmp $filelist
+ fi
+
+ return 0
+}
+
+filter_ko() {
+ filelist=$1
+ mod=$2
+
+ grep -v -e "${mod}.ko" ${filelist} > ${filelist}.tmp
+
+ if [ $? -ne 0 ]
+ then
+ echo "Couldn't remove ${mod}.ko Skipping."
+ else
+ grep -e "${mod}.ko" ${filelist} >> k-d.list
+ mv ${filelist}.tmp $filelist
+ fi
+
+ return 0
+}
+
+# Filter the drivers/ subsystems
+for subsys in ${driverdirs}
+do
+ filter_dir $1 drivers/${subsys}
+done
+
+# Filter the networking drivers
+for netdrv in ${netdrvs}
+do
+ filter_dir $1 drivers/net/${netdrv}
+done
+
+# Filter the char drivers
+for char in ${chardrvs}
+do
+ filter_dir $1 drivers/char/${input}
+done
+
+# Filter the ethernet drivers
+for eth in ${ethdrvs}
+do
+ filter_dir $1 drivers/net/ethernet/${eth}
+done
+
+# SCSI
+for scsi in ${scsidrvs}
+do
+ filter_dir $1 drivers/scsi/${scsi}
+done
+
+# Input
+for input in ${inputdrvs}
+do
+ filter_dir $1 drivers/input/${input}
+done
+
+# USB
+for usb in ${usbdrvs}
+do
+ filter_dir $1 drivers/usb/${usb}
+done
+
+# Filesystems
+for fs in ${fsdrvs}
+do
+ filter_dir $1 fs/${fs}
+done
+
+# Network protocols
+for prot in ${netprots}
+do
+ filter_dir $1 kernel/net/${prot}
+done
+
+# DRM
+for drm in ${drmdrvs}
+do
+ filter_dir $1 drivers/gpu/drm/${drm}
+done
+
+# Just kill sound.
+filter_dir $1 kernel/sound
+
+# Now go through and filter any single .ko files that might have deps on the
+# things we filtered above
+for mod in ${singlemods}
+do
+ filter_ko $1 ${mod}
+done
+
+# Now process the override list to bring those modules back into core
+for mod in ${overrides}
+do
+ grep -v -e "/${mod}.ko" k-d.list > k-d.list.tmp
+ if [ $? -ne 0 ]
+ then
+ echo "Couldn't save ${mod}.ko Skipping."
+ else
+ grep -e "/${mod}.ko" k-d.list >> $filelist
+ mv k-d.list.tmp k-d.list
+ fi
+
+done
+
+# Go through our generated drivers list and remove the .ko files. We'll
+# restore them later.
+for mod in `cat k-d.list`
+do
+ rm -rf $mod
+done
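Review bot: The char-driver loop passes `${input}` instead of its own loop variable, so `filter_dir $1 drivers/char/${input}` runs before `input` is assigned anywhere in the visible script, and the `mwave` and `pcmcia` entries in `chardrvs` appear never to be filtered; the line should read `filter_dir "$1" "drivers/char/${char}"`. The override loop appends to `$filelist`, which only has a value because `filter_dir` and `filter_ko` assign it without `local`; writing to `"$1"` there would make the dependency explicit. The final loop word-splits `k-d.list` and passes each token to `rm -rf` unquoted, so a path containing whitespace or a glob character would delete something other than the listed module; `while IFS= read -r mod; do rm -rf -- "$mod"; done < k-d.list` avoids that. `source ./filter-$2.sh` is also reached without any check that the arch argument was supplied or that the file exists.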
diff --git a/SOURCES/filter-ppc64le.sh b/SOURCES/filter-ppc64le.sh
new file mode 100644
index 0000000..24d3f13
--- /dev/null
+++ b/SOURCES/filter-ppc64le.sh
@@ -0,0 +1,14 @@
+#! /bin/bash
+
+# This is the ppc64le override file for the core/drivers package split. The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below. If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+driverdirs="atm auxdisplay bcma bluetooth firewire fmc fpga infiniband isdn leds media memstick message mmc mtd nfc ntb pcmcia platform power ssb staging tty uio uwb w1"
+
+singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qedi qla1280 9pnet_rdma rpcrdma nvmet-rdma nvme-rdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user sbp_target cxgbit iw_cxgb3 iw_cxgb4 cxgb3i cxgb3i cxgb3i_ddp cxgb4i chcr chtls"
diff --git a/SOURCES/filter-s390x.sh b/SOURCES/filter-s390x.sh
new file mode 100644
index 0000000..04f7110
--- /dev/null
+++ b/SOURCES/filter-s390x.sh
@@ -0,0 +1,12 @@
+#! /bin/bash
+
+# This is the s390x override file for the core/drivers package split. The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below. If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+# Defaults work so no need to override
diff --git a/SOURCES/filter-x86_64.sh b/SOURCES/filter-x86_64.sh
new file mode 100644
index 0000000..1aa80f2
--- /dev/null
+++ b/SOURCES/filter-x86_64.sh
@@ -0,0 +1,12 @@
+#! /bin/bash
+
+# This is the x86_64 override file for the core/drivers package split. The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below. If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+# Defaults work so no need to override
diff --git a/SOURCES/iwlwifi-make-some-killer-wireless-ac-1550-cards-work-again.patch b/SOURCES/iwlwifi-make-some-killer-wireless-ac-1550-cards-work-again.patch
new file mode 100644
index 0000000..8bbbd79
--- /dev/null
+++ b/SOURCES/iwlwifi-make-some-killer-wireless-ac-1550-cards-work-again.patch
@@ -0,0 +1,46 @@
+From MAILER-DAEMON Wed Jul 15 12:54:09 2020
+From: Alessio Bonfiglio <alessio.bonfiglio@mail.polimi.it>
+To: linux-wireless@vger.kernel.org
+Cc: Alessio Bonfiglio <alessio.bonfiglio@mail.polimi.it>, Johannes Berg <johannes.berg@intel.com>, Emmanuel Grumbach <emmanuel.grumbach@intel.com>, Luca Coelho <luciano.coelho@intel.com>, Intel Linux Wireless <linuxwifi@intel.com>
+Subject: [PATCH v2] iwlwifi: Make some Killer Wireless-AC 1550 cards work again
+Date: Tue, 14 Jul 2020 11:19:11 +0200
+Message-Id: <20200714091911.4442-1-alessio.bonfiglio@mail.polimi.it>
+In-Reply-To: <87imeqcwbt.fsf@tynnyri.adurom.net>
+References: <87imeqcwbt.fsf@tynnyri.adurom.net>
+Sender: linux-wireless-owner@vger.kernel.org
+List-ID: <linux-wireless.vger.kernel.org>
+X-Mailing-List: linux-wireless@vger.kernel.org
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+
+Fix the regression introduced by commit c8685937d07f ("iwlwifi: move
+pu devices to new table") by adding the ids and the configurations of
+two missing Killer 1550 cards in order to configure and let them work
+correctly again (following the new table convention).
+Resolve bug 208141 ("Wireless ac 9560 not working kernel 5.7.2",
+https://bugzilla.kernel.org/show_bug.cgi?id=208141).
+
+Fixes: c8685937d07f ("iwlwifi: move pu devices to new table")
+Signed-off-by: Alessio Bonfiglio <alessio.bonfiglio@mail.polimi.it>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index 65d65c6baf4c..e02bafb8921f 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -582,6 +582,8 @@ static const struct iwl_dev_info iwl_dev_info_table[] = {
+ IWL_DEV_INFO(0x30DC, 0x1552, iwl9560_2ac_cfg_soc, iwl9560_killer_1550i_name),
+ IWL_DEV_INFO(0x31DC, 0x1551, iwl9560_2ac_cfg_soc, iwl9560_killer_1550s_name),
+ IWL_DEV_INFO(0x31DC, 0x1552, iwl9560_2ac_cfg_soc, iwl9560_killer_1550i_name),
++ IWL_DEV_INFO(0xA370, 0x1551, iwl9560_2ac_cfg_soc, iwl9560_killer_1550s_name),
++ IWL_DEV_INFO(0xA370, 0x1552, iwl9560_2ac_cfg_soc, iwl9560_killer_1550i_name),
+
+ IWL_DEV_INFO(0x271C, 0x0214, iwl9260_2ac_cfg, iwl9260_1_name),
+
+--
+2.27.0
+
+
diff --git a/SOURCES/mod-extra.list b/SOURCES/mod-extra.list
new file mode 100644
index 0000000..8140f5c
--- /dev/null
+++ b/SOURCES/mod-extra.list
@@ -0,0 +1,196 @@
+6pack.ko
+a3d.ko
+act200l-sir.ko
+actisys-sir.ko
+adi.ko
+aer_inject.ko
+af_802154.ko
+affs.ko
+ali-ircc.ko
+analog.ko
+appletalk.ko
+atm.ko
+avma1_cs.ko
+avm_cs.ko
+avmfritz.ko
+ax25.ko
+b1.ko
+bas_gigaset.ko
+batman-adv.ko
+baycom_par.ko
+baycom_ser_fdx.ko
+baycom_ser_hdx.ko
+befs.ko
+bpqether.ko
+br2684.ko
+capi.ko
+c_can.ko
+c_can_platform.ko
+clip.ko
+cobra.ko
+coda.ko
+cuse.ko
+db9.ko
+dccp_diag.ko
+dccp_ipv4.ko
+dccp_ipv6.ko
+dccp.ko
+dccp_probe.ko
+diva_idi.ko
+divas.ko
+dlm.ko
+ds1wm.ko
+ds2482.ko
+ds2490.ko
+dss1_divert.ko
+elsa_cs.ko
+ems_pci.ko
+ems_usb.ko
+esd_usb2.ko
+esi-sir.ko
+floppy.ko
+gamecon.ko
+gf2k.ko
+gfs2.ko
+gigaset.ko
+girbil-sir.ko
+grip.ko
+grip_mp.ko
+guillemot.ko
+hdlcdrv.ko
+hfc4s8s_l1.ko
+hfcmulti.ko
+hfcpci.ko
+hisax.ko
+hwa-rc.ko
+hysdn.ko
+i2400m.ko
+i2400m-sdio.ko
+i2400m-usb.ko
+ieee802154.ko
+iforce.ko
+interact.ko
+ipddp.ko
+ipx.ko
+isdn.ko
+joydump.ko
+kingsun-sir.ko
+ks959-sir.ko
+ksdazzle-sir.ko
+kvaser_pci.ko
+l2tp_core.ko
+l2tp_debugfs.ko
+l2tp_eth.ko
+l2tp_ip.ko
+l2tp_netlink.ko
+l2tp_ppp.ko
+lec.ko
+ma600-sir.ko
+magellan.ko
+mcp2120-sir.ko
+mISDN_core.ko
+mISDN_dsp.ko
+mkiss.ko
+mptbase.ko
+mptctl.ko
+mptfc.ko
+nci.ko
+ncpfs.ko
+netjet.ko
+netrom.ko
+nfc.ko
+nilfs2.ko
+ocfs2_dlmfs.ko
+ocfs2_dlm.ko
+ocfs2.ko
+ocfs2_nodemanager.ko
+ocfs2_stackglue.ko
+ocfs2_stack_o2cb.ko
+ocfs2_stack_user.ko
+old_belkin-sir.ko
+orinoco_cs.ko
+orinoco.ko
+orinoco_nortel.ko
+orinoco_pci.ko
+orinoco_plx.ko
+orinoco_usb.ko
+pcspkr.ko
+plx_pci.ko
+pn_pep.ko
+pppoatm.ko
+rds.ko
+rds_rdma.ko
+rds_tcp.ko
+rose.ko
+sch_atm.ko
+sch_cbq.ko
+sch_choke.ko
+sch_drr.ko
+sch_dsmark.ko
+sch_etf.ko
+sch_gred.ko
+sch_mqprio.ko
+sch_multiq.ko
+sch_netem.ko
+sch_qfq.ko
+sch_red.ko
+sch_sfb.ko
+sch_teql.ko
+sctp.ko
+sctp_probe.ko
+sidewinder.ko
+sja1000.ko
+sja1000_platform.ko
+slcan.ko
+slip.ko
+softing_cs.ko
+softing.ko
+spaceball.ko
+spaceorb.ko
+stinger.ko
+sysv.ko
+tcp_bic.ko
+tcp_highspeed.ko
+tcp_htcp.ko
+tcp_hybla.ko
+tcp_illinois.ko
+tcp_lp.ko
+tcp_scalable.ko
+tcp_vegas.ko
+tcp_veno.ko
+tcp_westwood.ko
+tcp_yeah.ko
+tekram-sir.ko
+tmdc.ko
+toim3232-sir.ko
+trancevibrator.ko
+turbografx.ko
+twidjoy.ko
+ubifs.ko
+ufs.ko
+umc.ko
+usbip-core.ko
+usbip-host.ko
+uwb.ko
+vcan.ko
+vhci-hcd.ko
+w1_bq27000.ko
+w1_ds2408.ko
+w1_ds2423.ko
+w1_ds2431.ko
+w1_ds2433.ko
+w1_ds2760.ko
+w1_ds2780.ko
+w1_ds2781.ko
+w1_ds28e04.ko
+w1_smem.ko
+w1_therm.ko
+w6692.ko
+walkera0701.ko
+wanrouter.ko
+warrior.ko
+whci.ko
+wire.ko
+xpad.ko
+yam.ko
+zhenhua.ko
diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer
new file mode 100644
index 0000000..20e6604
--- /dev/null
+++ b/SOURCES/redhatsecureboot301.cer
Binary files differ
diff --git a/SOURCES/redhatsecureboot501.cer b/SOURCES/redhatsecureboot501.cer
new file mode 100644
index 0000000..dfa7afb
--- /dev/null
+++ b/SOURCES/redhatsecureboot501.cer
Binary files differ
diff --git a/SOURCES/redhatsecurebootca1.cer b/SOURCES/redhatsecurebootca1.cer
new file mode 100644
index 0000000..b235400
--- /dev/null
+++ b/SOURCES/redhatsecurebootca1.cer
Binary files differ
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
new file mode 100644
index 0000000..dfb0284
--- /dev/null
+++ b/SOURCES/redhatsecurebootca5.cer
Binary files differ
diff --git a/SOURCES/selinux_allow_reading_labels_before_policy_is_loaded.patch b/SOURCES/selinux_allow_reading_labels_before_policy_is_loaded.patch
new file mode 100644
index 0000000..5335915
--- /dev/null
+++ b/SOURCES/selinux_allow_reading_labels_before_policy_is_loaded.patch
@@ -0,0 +1,48 @@
+From c8e222616c7e98305bdc861db3ccac520bc29921 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jlebon@redhat.com>
+Date: Thu, 28 May 2020 10:39:40 -0400
+Subject: selinux: allow reading labels before policy is loaded
+
+This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow
+labeling before policy is loaded") did for `setxattr`; it allows
+querying the current SELinux label on disk before the policy is loaded.
+
+One of the motivations described in that commit message also drives this
+patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be
+able to move the root filesystem for example, from xfs to ext4 on RAID,
+on first boot, at initrd time.[1]
+
+Because such an operation works at the filesystem level, we need to be
+able to read the SELinux labels first from the original root, and apply
+them to the files of the new root. The previous commit enabled the
+second part of this process; this commit enables the first part.
+
+[1] https://github.com/coreos/fedora-coreos-tracker/issues/94
+
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ security/selinux/hooks.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index efa6108b1ce9..ca901025802a 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3332,7 +3332,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
+ char *context = NULL;
+ struct inode_security_struct *isec;
+
+- if (strcmp(name, XATTR_SELINUX_SUFFIX))
++ /*
++ * If we're not initialized yet, then we can't validate contexts, so
++ * just let vfs_getxattr fall back to using the on-disk xattr.
++ */
++ if (!selinux_initialized(&selinux_state) ||
++ strcmp(name, XATTR_SELINUX_SUFFIX))
+ return -EOPNOTSUPP;
+
+ /*
+--
+cgit 1.2.3-1.el7
diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey
new file mode 100644
index 0000000..2f90e1b
--- /dev/null
+++ b/SOURCES/x509.genkey
@@ -0,0 +1,16 @@
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+prompt = no
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = Fedora
+CN = Fedora kernel signing key
+emailAddress = kernel-team@fedoraproject.org
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 9edde19..74fd8e4 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -56,7 +56,7 @@ Summary: The Linux kernel
%global zipsed -e 's/\.ko$/\.ko.xz/'
%endif
-# define buildid .local
+%define buildid .fsync
%if 0%{?fedora}
%define primary_target fedora
@@ -80,7 +80,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 202
+%global baserelease 201
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -92,7 +92,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 8
+%define stable_update 9
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -203,8 +203,8 @@ Summary: The Linux kernel
%define debugbuildsenabled 1
%if 0%{?fedora}
-# Kernel headers are being normally split out into a separate package but I am lazy
-%define with_headers 0
+# Kernel headers are being split out into a separate package
+%define with_headers 1
%define with_cross_headers 0
# no selftests for now
%define with_selftests 0
@@ -227,7 +227,7 @@ Summary: The Linux kernel
# pkg_release is what we'll fill in for the rpm Release: field
%if 0%{?released_kernel}
-%define pkg_release fsync.%{fedora_build}%{?buildid}%{?dist}
+%define pkg_release %{fedora_build}%{?buildid}%{?dist}
%else
@@ -242,7 +242,7 @@ Summary: The Linux kernel
%else
%define gittag .git0
%endif
-%define pkg_release fsync.%{?rctag}%{?gittag}.%{fedora_build}%{?buildid}%{?dist}
+%define pkg_release 0%{?rctag}%{?gittag}.%{fedora_build}%{?buildid}%{?dist}
%endif
@@ -637,41 +637,51 @@ Source10: x509.genkey.rhel
Source11: x509.genkey.fedora
%if %{?released_kernel}
-Source12: securebootca.cer
-Source13: secureboot.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
+Source12: redhatsecurebootca5.cer
+Source13: redhatsecurebootca1.cer
+Source14: redhatsecureboot501.cer
+Source15: redhatsecureboot301.cer
+Source16: secureboot_s390.cer
+Source17: secureboot_ppc.cer
-%define secureboot_ca %{SOURCE12}
+%define secureboot_ca_1 %{SOURCE12}
+%define secureboot_ca_0 %{SOURCE13}
%ifarch x86_64 aarch64
-%define secureboot_key %{SOURCE13}
-%define pesign_name redhatsecureboot301
+%define secureboot_key_1 %{SOURCE14}
+%define pesign_name_1 redhatsecureboot501
+%define secureboot_key_0 %{SOURCE15}
+%define pesign_name_0 redhatsecureboot301
%endif
%ifarch s390x
-%define secureboot_key %{SOURCE14}
-%define pesign_name redhatsecureboot302
+%define secureboot_key_0 %{SOURCE16}
+%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
-%define secureboot_key %{SOURCE15}
-%define pesign_name redhatsecureboot303
+%define secureboot_key_0 %{SOURCE17}
+%define pesign_name_0 redhatsecureboot303
%endif
# released_kernel
%else
-Source12: redhatsecurebootca2.cer
-Source13: redhatsecureboot003.cer
+Source12: redhatsecurebootca4.cer
+Source13: redhatsecurebootca2.cer
+Source14: redhatsecureboot401.cer
+Source15: redhatsecureboot003.cer
-%define secureboot_ca %{SOURCE12}
-%define secureboot_key %{SOURCE13}
-%define pesign_name redhatsecureboot003
+%define secureboot_ca_1 %{SOURCE12}
+%define secureboot_ca_0 %{SOURCE13}
+%define secureboot_key_1 %{SOURCE14}
+%define pesign_name_1 redhatsecureboot401
+%define secureboot_key_0 %{SOURCE15}
+%define pesign_name_0 redhatsecureboot003
# released_kernel
%endif
Source22: mod-extra.list.rhel
-Source16: mod-extra.list.fedora
-Source17: mod-extra.sh
+Source23: mod-extra.list.fedora
+Source24: mod-extra.sh
Source18: mod-sign.sh
Source19: mod-extra-blacklist.sh
Source79: parallel_xz.sh
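Review bot: Renumbering the sources means `Source16` and `Source17` now name `secureboot_s390.cer` and `secureboot_ppc.cer` where they previously named `mod-extra.list.fedora` and `mod-extra.sh`, so any `%{SOURCE16}` or `%{SOURCE17}` reference left elsewhere in the spec would pick up a certificate instead of the module list or script. Later hunks switch two `%{SOURCE17}` calls to `%{SOURCE24}`, but no visible hunk touches a `%{SOURCE16}` use, so the whole spec should be searched for both macros. The `_0`/`_1` suffixes also give no hint which CA and key pair is which; a comment above the defines such as `# _0: redhatsecurebootca1 + redhatsecureboot301, _1: redhatsecurebootca5 + redhatsecureboot501` would make the mapping readable.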
@@ -853,6 +863,9 @@ Patch105: 0001-virt-vbox-Log-unknown-ioctl-requests-as-error.patch
# Thinkpad dual fan control
Patch107: 0001-platform-x86-thinkpad_acpi-Add-support-for-dual-fan-.patch
+# https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?h=next&id=c8e222616c7e98305bdc861db3ccac520bc29921
+Patch108: selinux_allow_reading_labels_before_policy_is_loaded.patch
+
# Latest upstream screen driver - https://patchwork.kernel.org/patch/11627069/
Patch110: 0001-dt-bindings-vendor-prefixes-Add-Xingbangda.patch
Patch111: 0002-dt-bindings-panel-Convert-rocktech-jh057n00900-to-ya.patch
@@ -872,6 +885,9 @@ Patch123: 0001-usb-fusb302-Convert-to-use-GPIO-descriptors.patch
# Tegra194 ACPI PCI quirk - http://patchwork.ozlabs.org/patch/1221384/
Patch124: 0001-PCI-Add-MCFG-quirks-for-Tegra194-host-controllers.patch
+# Killer wireless headed to stable
+Patch125: iwlwifi-make-some-killer-wireless-ac-1550-cards-work-again.patch
+
# Linux-tkg patches - https://github.com/Frogging-Family/linux-tkg/blob/master/linux57-tkg
Patch202: 0003-glitched-base.patch
Patch203: 0007-v5.7-fsync.patch
@@ -1537,7 +1553,7 @@ git commit -a -m "Stable update"
# Note: Even in the "nopatches" path some patches (build tweaks and compile
# fixes) will always get applied; see patch defition above for details
-git am --ignore-space-change --ignore-whitespace --whitespace=fix %{patches}
+git am %{patches}
# END OF PATCH APPLICATIONS
@@ -1789,11 +1805,13 @@ BuildKernel() {
fi
%ifarch x86_64 aarch64
- %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name}
+ %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+ %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
+ rm vmlinuz.tmp
%endif
%ifarch s390x ppc64le
if [ -x /usr/bin/rpm-sign ]; then
- rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed
+ rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
elif [ $DoModules -eq 1 ]; then
chmod +x scripts/sign-file
./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
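Review bot: Nothing after the second `%pesign` pass confirms that `vmlinuz.signed` actually carries both signatures, so an image that ended up with only one of them would not be noticed at build time. Listing the signatures into the build log right after `rm vmlinuz.tmp`, for example with `pesign -S -i vmlinuz.signed`, would make the result visible to whoever reviews the build. BuildKernel() begins and ends outside this hunk.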
@@ -2083,11 +2101,11 @@ BuildKernel() {
popd
# Call the modules-extra script to move things around
- %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer $RPM_SOURCE_DIR/mod-extra.list
+ %{SOURCE24} $RPM_BUILD_ROOT/lib/modules/$KernelVer $RPM_SOURCE_DIR/mod-extra.list
# Blacklist net autoloadable modules in modules-extra
%{SOURCE19} $RPM_BUILD_ROOT lib/modules/$KernelVer
# Call the modules-extra script for internal modules
- %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE54} internal
+ %{SOURCE24} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE54} internal
#
# Generate the kernel-core and kernel-modules files lists
@@ -2184,11 +2202,17 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %ifarch x86_64 aarch64
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
+ install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
+ ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %else
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %endif
%ifarch s390x ppc64le
if [ $DoModules -eq 1 ]; then
if [ -x /usr/bin/rpm-sign ]; then
- install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+ install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
else
install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
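Review bot: The date-stamped install names look reversed relative to the macro definitions: for released kernels `%{secureboot_ca_0}` is defined as `redhatsecurebootca1.cer` yet is installed as `kernel-signing-ca-20200609.cer`, while `%{secureboot_ca_1}` (`redhatsecurebootca5.cer`) becomes `kernel-signing-ca-20140212.cer`. If ca1 is the 2014 CA and ca5 the 2020 one, as the numbering suggests, anyone using these files to authenticate the kernel gets mislabelled certificates and the `kernel-signing-ca.cer` symlink resolves to the older CA; the certificates are binary on this page, so this should be confirmed against each file's validity dates. The dates are also hard-coded, so the non-released branch (`redhatsecurebootca4.cer` and `redhatsecurebootca2.cer`) would be installed under the same two names. The enclosing `if` block continues past the end of the hunk.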
@@ -2918,7 +2942,7 @@ fi
%if 0%{!?fedora:1}\
/lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\
%endif\
-%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\
+%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca*.cer\
%ifarch s390x ppc64le\
%if 0%{!?4:1}\
%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \
@@ -2971,11 +2995,17 @@ fi
#
#
%changelog
-* Tue Jul 14 2020 Jan Drögehoff <sentrycraft123@gmail.com> - 5.7.8-fsync.202
-- Linux v5.7.8 add zen patches
+* Tue Jul 21 2020 Jan Drögehoff <sentrycraft123@gmail.com> - 5.7.9-fsync.201
+- Linux v5.7.9 zen fsync
+
+* Fri Jul 17 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.7.9-100
+- Linux v5.7.9
+
+* Wed Jul 15 2020 Justin M. Forbes <jforbes@fedoraproject.org>
+- Make some killer wireless ac 1550 cards work again
-* Sun Jul 12 2020 Jan Drögehoff <sentrycraft123@gmail.com> - 5.7.8-fsync.201
-- Linux v5.7.8 fsync
+* Sun Jul 12 2020 Peter Robinson <pbrobinson@fedoraproject.org>
+- selinux: allow reading labels before policy is loaded (rhbz 1845210)
* Thu Jul 09 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.7.8-200
- Linux v5.7.8