integ/kernel/kernel-rt/centos/meta_patches/Build-logic-and-sources-for-TiC.patch
Robin Lu 0656fa94dc Update kernel-rt patches for kernel upgrade to version 1062.1.2
This upgrade fixes the CVEs listed below.  We refresh the patches
against the new rt-kernel source.
rcu-Don-t-wake-rcuc-X-kthreads-on-NOCB-CPUs.patch is deleted
because upstream has fixed this bug, and it is no longer needed.

CVE bug: CVE-2019-11810:kernel: a NULL pointer dereference in
drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS
CVE bug: CVE-2019-11811: kernel: use-after-free in IPMI Edit
CVE bug: CVE-2019-14835: kernel: vhost-net: guest to host kernel
escape during migration

Closes-Bug: 1849206
Closes-Bug: 1849209
Closes-Bug: 1847817

Change-Id: Iaf5eae5d64b621f44f8faad51d22f9439431911f
Depends-On: https://review.opendev.org/#/c/695355/
Signed-off-by: Robin Lu <bin1.lu@intel.com>
2019-11-27 12:52:43 +08:00

530 lines
17 KiB
Diff

From 4a2a30175a859e5a60b5a0e999c9edfde03eee7c Mon Sep 17 00:00:00 2001
From: Jim Somerville <Jim.Somerville@windriver.com>
Date: Mon, 23 Apr 2018 15:18:45 -0400
Subject: [PATCH] Build logic and sources for TiC
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
Signed-off-by: Robin Lu <bin1.lu@intel.com>
---
SPECS/kernel-rt.spec | 279 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 273 insertions(+), 6 deletions(-)
diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec
index a922773..adffde2 100644
--- a/SPECS/kernel-rt.spec
+++ b/SPECS/kernel-rt.spec
@@ -17,23 +17,33 @@ Summary: The Linux Realtime kernel
# The Build ID
# %%define buildid .local
+%define buildid .tis.%{tis_patch_ver}
# For a kernel released for public testing, released_kernel should be 1.
# For internal testing builds during development, it should be 0.
%global released_kernel 1
+# If we want to sign the kernel and modules, do_sign should be 1.
+# To speed up builds (don't sign) use 0.
+%global do_sign 1
+
# conditional with/without variables
# Note that the logic here is inverted; a bcond_without implies
# that the variable is on by default (since you use --without to turn it off)
# Likewise a bcond_with implies the variable is off by default (turned on by --with)
%bcond_without rt
%bcond_without doc
-%bcond_without debug
-%bcond_with headers
+%bcond_with debug
+%bcond_without headers
%bcond_with vanilla
-%bcond_without trace
+%bcond_with trace
%bcond_with perf
-%bcond_without debuginfo
+%bcond_with debuginfo
+%bcond_without tools
+
+# Architectures we build tools/cpupower on
+%define cpupowerarchs x86_64 ppc64 ppc64le
+
# What parts do we want to build? We must build at least one kernel.
# These are the kernels that are built IF the architecture allows it.
@@ -53,7 +63,11 @@ Summary: The Linux Realtime kernel
# Verbose output?
# %%global verbose V=1
+%if %{do_sign}
%global signmodules 1
+%else
+%global signmodules 0
+%endif
# if patch fuzzy patch applying will be forbidden
%global with_fuzzy_patches 0
@@ -84,7 +98,7 @@ Summary: The Linux Realtime kernel
%global with_sparse %{?_with_sparse: 1} %{?!_with_sparse: 0}
%global pkg_release_simple %{rhel_build}.%{rttag}.%{rtbuild}
-%global pkg_release %{rhel_build}.%{rttag}.%{rtbuild}%{?buildid}%{?dist}
+%global pkg_release %{pkg_release_simple}%{?dist}%{?buildid}
%global KVERREL %{rpmversion}-%{pkg_release}.%{_target_cpu}
@@ -290,9 +304,14 @@ BuildRequires: xmlto, asciidoc
BuildRequires: openssl
BuildRequires: hmaccalc
BuildRequires: elfutils-libelf-devel
+%if %{do_sign}
%ifarch x86_64
BuildRequires: pesign >= 0.109-4
%endif
+%endif
+%if %{with_tools}
+BuildRequires: pciutils-devel gettext ncurses-devel
+%endif
%if %{with_sparse}
BuildRequires: sparse >= 0.4.1
%endif
@@ -340,6 +359,13 @@ Source25: merge.pl
Source27: sanity_check.py
Source29: extrakeys.pub
+Source37: centos.cer
+Source38: ima_signing_key.pub
+%if %{?released_kernel}
+%define pesign_name redhatsecureboot301
+%else
+%define pesign_name redhatsecureboot003
+%endif
### Configuration files
Source50: kernel-%{version}-x86_64-rt.config
@@ -352,6 +378,14 @@ Source81: find-debuginfo.sh
# Sources for kernel modprobe config files
Source1000: modprobe-dccp-blacklist.conf
+# Sources for kernel-rt-tools
+Source2000: cpupower.service
+Source2001: cpupower.config
+
+Source30000: kernel-3.10.0-x86_64-rt.config.tis_extra
+Source30001: kernel-3.10.0-x86_64-rt-debug.config.tis_extra
+Source30002: kernel-3.10.0-x86_64-rt-trace.config.tis_extra
+
# Empty final patch file to facilitate testing of kernel patches
Patch999999: linux-kernel-test.patch
@@ -374,6 +408,7 @@ This kernel has been compiled with the RT patch applied and is intended
for use in deterministic response-time situations
+%if %{builddoc}
%package doc
Summary: Various documentation bits found in the kernel source
Group: Documentation
@@ -386,6 +421,7 @@ device drivers shipped with it are documented in these files.
You will want to install this package if you need a reference to the
options that can be passed to Linux kernel modules at load time.
+%endif
%package headers
Summary: Header files for the Linux kernel for use by glibc
@@ -393,6 +429,7 @@ Group: Development/System
Obsoletes: glibc-kernheaders < 3.0-46
Provides: glibc-kernheaders = 3.0-46
Provides: kernel-rt-extras = %{version}-%{release}
+Provides: kernel-headers
%description headers
Kernel-headers includes the C header files that specify the interface
between the Linux kernel and userspace libraries and programs. The
@@ -442,6 +479,7 @@ AutoReq: no\
This package provides KVM modules for package %{name}%{?1:-%{1}}.\
%{nil}
+%if %{builddebuginfo}
#
# This macro creates a kernel-rt-<subpackage>-kvm-debuginfo package.
# %%kernel_kvm_debuginfo_package <subpackage>
@@ -458,7 +496,9 @@ This package provides debug information for package %{name}%{?1:-%{1}}.\
This is required to use SystemTap with %{name}%{?1:-%{1}}-%{KVERREL}.\
%{expand:%%global debuginfo_args %{?debuginfo_args} -p '/.*/%%{KVERREL}%{?1:\.%{1}}/.*|/.*%%{KVERREL}%{?1:\.%{1}}(\.debug)?' -o debuginfo%{?1}-kvm.list}\
%{nil}
+%endif
+%if %{builddebuginfo}
#
# This macro creates a kernel-<subpackage>-debuginfo package.
# %%kernel_debuginfo_package <subpackage>
@@ -476,6 +516,7 @@ This package provides debug information for package %{name}%{?1:-%{1}}.\
This is required to use SystemTap with %{name}%{?1:-%{1}}-%{KVERREL}.\
%{expand:%%global debuginfo_args %{?debuginfo_args} -p '/.*/%%{KVERREL}%{?1:\.%{1}}/.*|/.*%%{KVERREL}%{?1:\.%{1}}(\.debug)?' -o debuginfo%{?1}.list}\
%{nil}
+%endif
#
# This macro creates a kernel-<subpackage>-devel package.
@@ -490,6 +531,7 @@ Provides: kernel-rt-devel = %{version}-%{release}%{?1:.%{1}}\
Provides: kernel-rt%{?1:-%{1}}-devel-%{_target_cpu} = %{version}-%{release}\
Provides: kernel-rt-devel-%{_target_cpu} = %{version}-%{release}%{?1:.%{1}}\
Provides: kernel-rt-devel-uname-r = %{KVERREL}%{?1:.%{1}}\
+Provides: kernel-devel = %{version}-%{release}%{?1:.%{1}}\
AutoReqProv: no\
Requires(pre): /usr/bin/find\
%description -n kernel-rt%{?variant}%{?1:-%{1}}-devel\
@@ -502,6 +544,7 @@ against the %{?2:%{2} }kernel package.\
# %%define variant_summary The Linux kernel compiled for <configuration>
# %%kernel_variant_package [-n <pretty-name>] <subpackage>
#
+%if %{builddebuginfo}
%define kernel_variant_package(n:) \
%package %1\
Summary: %{variant_summary}\
@@ -512,15 +555,29 @@ Group: System Environment/Kernel\
%{expand:%%kernel_kvm_package %1}\
%{expand:%%kernel_kvm_debuginfo_package %1}\
%{nil}
+%else
+%define kernel_variant_package(n:) \
+%package %1\
+Summary: %{variant_summary}\
+Group: System Environment/Kernel\
+%kernel_reqprovconf\
+%{expand:%%kernel_devel_package %1 %{!?-n:%1}%{?-n:%{-n*}}}\
+%{expand:%%kernel_kvm_package %1}\
+%{nil}
+%endif
# First the auxiliary packages of the main kernel package.
%kernel_devel_package
+%if %{builddebuginfo}
%kernel_debuginfo_package
+%endif
# create the production kvm module package
%kernel_kvm_package
+%if %{builddebuginfo}
%kernel_kvm_debuginfo_package
+%endif
# Now, each variant package.
@@ -570,6 +627,54 @@ It should only be installed when trying to gather additional information
on kernel bugs.
%endif
+%if %{with_tools}
+
+%package -n kernel-rt-tools
+Summary: Assortment of tools for the Linux kernel
+Group: Development/System
+License: GPLv2
+Provides: cpupowerutils-rt = 1:009-0.6.p1
+Obsoletes: cpupowerutils-rt < 1:009-0.6.p1
+Provides: cpufreq-utils-rt = 1:009-0.6.p1
+Provides: cpufrequtils-rt = 1:009-0.6.p1
+Obsoletes: cpufreq-utils-rt < 1:009-0.6.p1
+Obsoletes: cpufrequtils-rt < 1:009-0.6.p1
+Obsoletes: cpuspeed-rt < 1:2.0
+Requires: kernel-rt-tools-libs = %{version}-%{release}
+%description -n kernel-rt-tools
+This package contains the tools/ directory from the kernel source
+and the supporting documentation.
+
+%package -n kernel-rt-tools-libs
+Summary: Libraries for the kernels-tools
+Group: Development/System
+License: GPLv2
+%description -n kernel-rt-tools-libs
+This package contains the libraries built from the tools/ directory
+from the kernel source.
+
+%package -n kernel-rt-tools-libs-devel
+Summary: Assortment of tools for the Linux kernel
+Group: Development/System
+License: GPLv2
+Requires: kernel-rt-tools = %{version}-%{release}
+Provides: cpupowerutils-devel = 1:009-0.6.p1.1
+Obsoletes: cpupowerutils-devel <= 1:009-0.6.p1
+Requires: kernel-rt-tools-libs = %{version}-%{release}
+Provides: kernel-rt-tools-devel
+%description -n kernel-rt-tools-libs-devel
+This package contains the development files for the tools/ directory from
+the kernel source.
+
+%endif # with_tools
+
+%if %{do_sign}
+%package unsigned
+Summary: Unsigned build of the Linux kernel
+%description unsigned
+Contains an unsigned version of the Linux kernel
+%endif # do_sign
+
%prep
## ApplyPatch routine
patch_command='patch -p1 -F1 -s'
@@ -614,6 +719,12 @@ cp -rl vanilla-%{kversion} linux-%{kversion}.%{_target_cpu}
cd linux-%{kversion}.%{_target_cpu}
+# Copy any TiS-specific config changes
+cp $RPM_SOURCE_DIR/kernel-%{version}-*.config.tis_extra .
+
+# Copy TiS specific IMA public key
+cp %{SOURCE38} .
+
## Apply Patches here
ApplyPatch linux-kernel-test.patch
@@ -637,6 +748,15 @@ for i in *.config
do
mv $i .config
Arch=`head -1 .config | cut -b 3-`
+
+ # Handle StarlingX Cloud customizations. Use -n to match oldnoconfig below. We want this before
+ # the make line below so that the one below removes any dependencies of ones that we
+ # turn off here. We also want it before "make listnewconfig" so that we can set the
+ # config option for new configs introduced in the StarlingX Cloud patches.
+ if [ -f ${i}.tis_extra ]; then
+ scripts/kconfig/merge_config.sh -m -n .config ${i}.tis_extra
+ fi
+
make %{?cross_opts} ARCH=$Arch listnewconfig | grep -E '^CONFIG_' >.newoptions || true
%if %{listnewconfig_fail}
if [ -s .newoptions ]; then
@@ -771,9 +891,13 @@ BuildKernel() {
cp arch/$Arch/boot/zImage.stub $RPM_BUILD_ROOT/%{image_install_path}/zImage.stub-$KernelVer || :
fi
# EFI SecureBoot signing, x86_64-only
+%if %{do_sign}
+ cp $KernelImage vmlinuz.unsigned
+ $CopyKernel vmlinuz.unsigned $RPM_BUILD_ROOT/%{image_install_path}/vmlinuz.unsigned
%ifarch x86_64
- %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE14} -n %{pesign_name}
+ %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE37} -c %{SOURCE37} -n %{pesign_name}
mv $KernelImage.signed $KernelImage
+%endif
%endif
$CopyKernel $KernelImage $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
chmod 755 $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
@@ -919,6 +1043,12 @@ BuildKernel() {
cp signing_key.priv signing_key.priv.sign${Flavour:+.${Flavour}}
cp signing_key.x509 signing_key.x509.sign${Flavour:+.${Flavour}}
+ # STX: Copy these keys as part of the devel package
+ # The Module signing keys are to ensure that only Out-of-tree
+ # built against the StarlingX Kernel get signed and loaded sans warnings
+ cp signing_key.priv ${RPM_BUILD_ROOT}/lib/modules/${KernelVer}/build/
+ cp signing_key.x509 ${RPM_BUILD_ROOT}/lib/modules/${KernelVer}/build/
+
# remove files that will be auto generated by depmod at rpm -i time
for i in alias alias.bin builtin.bin ccwmap dep dep.bin ieee1394map inputmap isapnpmap ofmap pcimap seriomap symbols symbols.bin usbmap softdep devname
do
@@ -934,6 +1064,15 @@ BuildKernel() {
install -Dm644 %{SOURCE1000} $RPM_BUILD_ROOT%{_sysconfdir}/modprobe.d/dccp-blacklist.conf
+ # create the kABI metadata for use in packaging
+ # NOTENOTE: the name symvers is used by the rpm backend
+ # NOTENOTE: to discover and run the /usr/lib/rpm/fileattrs/kabi.attr
+ # NOTENOTE: script which dynamically adds exported kernel symbol
+ # NOTENOTE: checksums to the rpm metadata provides list.
+ # NOTENOTE: if you change the symvers name, update the backend too
+ echo "**** GENERATING kernel ABI metadata ****"
+ gzip -c9 < Module.symvers > $RPM_BUILD_ROOT/boot/symvers-$KernelVer.gz
+
# prune junk from kernel-devel
find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -exec rm -f {} \;
}
@@ -981,6 +1120,31 @@ BuildKernel %make_target %kernel_image vanilla
BuildKernel %make_target %kernel_image
%endif
+%if %{with_tools}
+%ifarch %{cpupowerarchs}
+# cpupower
+# make sure version-gen.sh is executable.
+chmod +x tools/power/cpupower/utils/version-gen.sh
+make %{?cross_opts} %{?_smp_mflags} -C tools/power/cpupower CPUFREQ_BENCH=false
+%ifarch x86_64
+ pushd tools/power/cpupower/debug/x86_64
+ make %{?_smp_mflags} centrino-decode powernow-k8-decode
+ popd
+%endif
+%ifarch x86_64
+ pushd tools/power/x86/x86_energy_perf_policy/
+ make
+ popd
+ pushd tools/power/x86/turbostat
+ make
+ popd
+%endif #turbostat/x86_energy_perf_policy
+%endif
+pushd tools
+make tmon
+popd
+%endif
+
%if %{builddoc}
# Make the HTML and man pages.
make -j1 htmldocs mandocs || %{doc_build_fail}
@@ -1013,6 +1177,7 @@ popd
# if it isn't.
%ifnarch noarch
+%if %{do_sign}
%define __modsign_install_post \
if [ "%{with_rt}" -ne "0" ]; then \
Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-rt.config | cut -b 3-` \
@@ -1031,6 +1196,24 @@ popd
%{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.${AAA} || exit 1 \
done \
%{nil}
+%else
+%define __modsign_install_post \
+ if [ "%{with_rt}" -ne "0" ]; then \
+ Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-rt.config | cut -b 3-` \
+ rm -rf .tmp_versions \
+ mv .tmp_versions.sign .tmp_versions \
+ mv signing_key.priv.sign signing_key.priv \
+ mv signing_key.x509.sign signing_key.x509 \
+ fi\
+ for AAA in %{?with_trace:trace} %{?with_debug:debug} %{?with_vanilla:vanilla}; do \
+ Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-rt-${AAA}.config | cut -b 3-` \
+ rm -rf .tmp_versions \
+ mv .tmp_versions.sign.${AAA} .tmp_versions \
+ mv signing_key.priv.sign.${AAA} signing_key.priv \
+ mv signing_key.x509.sign.${AAA} signing_key.x509 \
+ done \
+%{nil}
+%endif
%endif
###
@@ -1120,6 +1303,39 @@ mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/perf
%endif # buildperf
%endif
+%if %{with_tools}
+%ifarch %{cpupowerarchs}
+make -C tools/power/cpupower DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} mandir=%{_mandir} CPUFREQ_BENCH=false install
+rm -f %{buildroot}%{_libdir}/*.{a,la}
+%find_lang cpupower
+mv cpupower.lang ../
+%ifarch x86_64
+ pushd tools/power/cpupower/debug/x86_64
+ install -m755 centrino-decode %{buildroot}%{_bindir}/centrino-decode
+ install -m755 powernow-k8-decode %{buildroot}%{_bindir}/powernow-k8-decode
+ popd
+%endif
+chmod 0755 %{buildroot}%{_libdir}/libcpupower.so*
+mkdir -p %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
+install -m644 %{SOURCE2000} %{buildroot}%{_unitdir}/cpupower.service
+install -m644 %{SOURCE2001} %{buildroot}%{_sysconfdir}/sysconfig/cpupower
+%ifarch %{ix86} x86_64
+ mkdir -p %{buildroot}%{_mandir}/man8
+ pushd tools/power/x86/x86_energy_perf_policy
+ make DESTDIR=%{buildroot} install
+ popd
+ pushd tools/power/x86/turbostat
+ make DESTDIR=%{buildroot} install
+ popd
+%endif #turbostat/x86_energy_perf_policy
+pushd tools/thermal/tmon
+make INSTALL_ROOT=%{buildroot} install
+popd
+%endif
+
+%endif
+
+
%if %{buildheaders}
# Install kernel headers
make ARCH=%{hdrarch} INSTALL_HDR_PATH=$RPM_BUILD_ROOT/usr headers_install
@@ -1174,6 +1390,14 @@ rm -rf $RPM_BUILD_ROOT
### scripts
###
+%if %{with_tools}
+%post -n kernel-rt-tools
+/sbin/ldconfig
+
+%postun -n kernel-rt-tools
+/sbin/ldconfig
+%endif
+
#
# This macro defines a %%post script for a kernel*-devel package.
# %%kernel_devel_post [<subpackage>]
@@ -1337,6 +1561,43 @@ fi
%endif
%endif
+
+%if %{with_tools}
+%files -n kernel-rt-tools -f cpupower.lang
+%defattr(-,root,root)
+%ifarch %{cpupowerarchs}
+%{_bindir}/cpupower
+%ifarch x86_64
+%{_bindir}/centrino-decode
+%{_bindir}/powernow-k8-decode
+%endif
+%{_unitdir}/cpupower.service
+%{_mandir}/man[1-8]/cpupower*
+%config(noreplace) %{_sysconfdir}/sysconfig/cpupower
+%ifarch %{ix86} x86_64
+%{_bindir}/x86_energy_perf_policy
+%{_mandir}/man8/x86_energy_perf_policy*
+%{_bindir}/turbostat
+%{_mandir}/man8/turbostat*
+%endif
+%endif
+%{_bindir}/tmon
+
+%ifarch %{cpupowerarchs}
+%files -n kernel-rt-tools-libs
+%defattr(-,root,root)
+%{_libdir}/libcpupower.so.0
+%{_libdir}/libcpupower.so.0.0.0
+
+%files -n kernel-rt-tools-libs-devel
+%defattr(-,root,root)
+%{_libdir}/libcpupower.so
+%{_includedir}/cpufreq.h
+%endif
+
+%endif # with_tools
+
+
# This is %{image_install_path} on an arch where that includes ELF files,
# or empty otherwise.
%global elf_image_install_path %{?kernel_image_elf:%{image_install_path}}
@@ -1353,6 +1614,7 @@ fi
/%{image_install_path}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-%{KVERREL}%{?2:.%{2}}\
/%{image_install_path}/.vmlinuz-%{KVERREL}%{?2:.%{2}}.hmac\
/boot/System.map-%{KVERREL}%{?2:.%{2}}\
+/boot/symvers-%{KVERREL}%{?2:.%{2}}.gz\
/boot/config-%{KVERREL}%{?2:.%{2}}\
/boot/symvers*\
%exclude /lib/modules/%{KVERREL}%{?2:.%{2}}/kernel/arch/x86/kvm\
@@ -1432,6 +1694,11 @@ fi
%kernel_variant_files %{buildvanilla} vanilla
%endif
+%if %{do_sign}
+%files unsigned
+/boot/vmlinuz.unsigned
+%endif # do_sign
+
%changelog
* Mon Sep 16 2019 Luis Claudio R. Goncalves <lgoncalv@redhat.com> [3.10.0-1062.1.2.rt56.1025.el7]
- [rt] Update source tree to match RHEL rhel-7.7.z tree [1740918 1708718]
--
1.8.3.1