starlingx/integ
Code Issues Proposed changes
bf0360e696
integ/kernel/kernel-std/centos/meta_patches/Build-logic-and-sources-for-TiC.patch
Robin Lu 38c184f1b4 Update kernel-std patches for kernel upgrade to version 1062.1.2 
This upgrade fixes the CVEs listed below. We refresh the patches
against the new kernel source.
The patch 15 is now included in new version, so I drop it
in the new patch.

CVE bug: CVE-2019-11810:kernel: a NULL pointer dereference in
drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS
CVE bug: CVE-2019-11811: kernel: use-after-free in IPMI Edit
CVE bug: CVE-2019-14835: kernel: vhost-net: guest to host kernel
escape during migration

Closes-Bug: 1849206
Closes-Bug: 1849209
Closes-Bug: 1847817

Change-Id: I217cf8684e31dacea627c33462e5e4b6e089c38f
Depends-On: https://review.opendev.org/#/c/695355/
Signed-off-by: Robin Lu <bin1.lu@intel.com>
2020-01-02 06:27:12 +00:00

234 lines
8.5 KiB
Diff
Raw Blame History

From 32af2a0ea3905e23d85a65fd9326dbc6db0a21c4 Mon Sep 17 00:00:00 2001
From: Jim Somerville <Jim.Somerville@windriver.com>
Date: Fri, 20 Apr 2018 14:51:56 -0400
Subject: [PATCH] Build logic and sources for TiC
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
Signed-off-by: zhao.shuai <zhaos@neusoft.com>
Signed-off-by: Robin Lu <bin1.lu@intel.com>
---
SPECS/kernel.spec | 73 ++++++++++++++++++++++++++++++++++++++---------
1 file changed, 60 insertions(+), 13 deletions(-)
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 852fd10..e42177e 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -5,7 +5,8 @@ Summary: The Linux kernel
%define dist .el7
-# % define buildid .local
+# This is the STX patch release
+%define buildid .%{tis_patch_ver}.tis
# For a kernel released for public testing, released_kernel should be 1.
# For internal testing builds during development, it should be 0.
@@ -14,12 +15,14 @@ Summary: The Linux kernel
%global distro_build 1062
%define rpmversion 3.10.0
-%define pkgrelease 1062.1.2.el7
+%define _pkgrelease 1062.1.2
+%define pkgrelease %{_pkgrelease}.el7
+
# allow pkg_release to have configurable %%{?dist} tag
%define specrelease 1062.1.2%{?dist}
-%define pkg_release %{specrelease}%{?buildid}
+%define pkg_release %{specrelease}%{buildid}
# The kernel tarball/base version
%define rheltarball %{rpmversion}-%{pkgrelease}
@@ -69,7 +72,7 @@ Summary: The Linux kernel
%define with_dbgonly %{?_with_dbgonly: 1} %{?!_with_dbgonly: 0}
# Control whether we perform a compat. check against published ABI.
-%define with_kabichk %{?_without_kabichk: 0} %{?!_without_kabichk: 1}
+%define with_kabichk 0
# Control whether we perform a compat. check against DUP ABI.
%define with_kabidupchk %{?_with_kabidupchk: 1} %{?!_with_kabidupchk: 0}
@@ -92,7 +95,7 @@ Summary: The Linux kernel
# Set debugbuildsenabled to 1 for production (build separate debug kernels)
# and 0 for rawhide (all kernels are debug kernels).
# See also 'make debug' and 'make release'. RHEL only ever does 1.
-%define debugbuildsenabled 1
+%define debugbuildsenabled 0
%define with_gcov %{?_with_gcov: 1} %{?!_with_gcov: 0}
@@ -386,6 +389,7 @@ BuildRequires: bison flex
# required for zfcpdump
BuildRequires: glibc-static
%endif
+BuildRequires: util-linux
Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz
@@ -453,6 +457,12 @@ Patch1000: debrand-single-cpu.patch
Patch1001: debrand-rh_taint.patch
Patch1002: debrand-rh-i686-cpu.patch
+# StarlingX Cloud sources here.
+# Not sure if we need to worry about numerical collisions between
+# SourceX and PatchX, so let's not risk it
+Source30000: kernel-3.10.0-x86_64.config.tis_extra
+Source30001: ima_signing_key.pub
+
BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
%description
@@ -626,6 +636,13 @@ This package provides debug information for the bpftool package.
%endif # with_bpftool
+%ifarch x86_64
+%package unsigned
+Summary: Unsigned build of the Linux kernel
+%description unsigned
+Contains an unsigned version of the Linux kernel
+%endif # x86_64
+
%if %{with_gcov}
%package gcov
Summary: gcov graph and source files for coverage data collection.
@@ -791,6 +808,9 @@ cd linux-%{KVRA}
# Drop some necessary files from the source dir into the buildroot
cp $RPM_SOURCE_DIR/kernel-%{version}-*.config .
+# Copy any TiS-specific config changes
+cp $RPM_SOURCE_DIR/kernel-%{version}-*.config.tis_extra .
+
ApplyOptionalPatch linux-kernel-test.patch
ApplyOptionalPatch debrand-single-cpu.patch
ApplyOptionalPatch debrand-rh_taint.patch
@@ -835,6 +855,15 @@ for i in *.config
do
mv $i .config
Arch=`head -1 .config | cut -b 3-`
+
+ # Handle StarlingX Cloud customizations. Use -n to match oldnoconfig below. We want this before
+ # the make line below so that the one below removes any dependencies of ones that we
+ # turn off here. We also want it before "make listnewconfig" so that we can set the
+ # config option for new configs introduced in the StarlingX Cloud patches.
+ if [ -f ${i}.tis_extra ]; then
+ scripts/kconfig/merge_config.sh -m -n .config ${i}.tis_extra
+ fi
+
make %{?cross_opts} ARCH=$Arch listnewconfig | grep -E '^CONFIG_' >.newoptions || true
%if %{listnewconfig_fail}
if [ -s .newoptions ]; then
@@ -908,12 +937,13 @@ BuildKernel() {
# and now to start the build process
- make %{?cross_opts} -s mrproper
+ make -j"%(nproc)" %{?cross_opts} -s mrproper
cp %{SOURCE11} . # x509.genkey
cp %{SOURCE12} . # extra_certificates
cp %{SOURCE15} . # rheldup3.x509
cp %{SOURCE16} . # rhelkpatch1.x509
+ cp %{SOURCE30001} . # ima_signing_key.pub
cp configs/$Config .config
@@ -928,8 +958,8 @@ BuildKernel() {
fi
%endif
- make -s %{?cross_opts} ARCH=$Arch oldnoconfig >/dev/null
- make -s %{?cross_opts} ARCH=$Arch V=1 %{?_smp_mflags} KCFLAGS="%{?kcflags}" WITH_GCOV="%{?with_gcov}" $MakeTarget %{?sparse_mflags}
+ make -s -j"%(nproc)" %{?cross_opts} ARCH=$Arch oldnoconfig >/dev/null
+ make -s -j"%(nproc)" %{?cross_opts} ARCH=$Arch V=1 %{?_smp_mflags} KCFLAGS="%{?kcflags}" WITH_GCOV="%{?with_gcov}" $MakeTarget %{?sparse_mflags}
if [ "$Flavour" != "kdump" ]; then
make -s %{?cross_opts} ARCH=$Arch V=1 %{?_smp_mflags} KCFLAGS="%{?kcflags}" WITH_GCOV="%{?with_gcov}" modules %{?sparse_mflags} || exit 1
@@ -953,6 +983,8 @@ BuildKernel() {
fi
# EFI SecureBoot signing, x86_64-only
%ifarch x86_64
+ cp $KernelImage vmlinuz.unsigned
+ $CopyKernel vmlinuz.unsigned $RPM_BUILD_ROOT/%{image_install_path}/vmlinuz.unsigned
%pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE14} -n %{pesign_name}
mv $KernelImage.signed $KernelImage
%endif
@@ -969,7 +1001,7 @@ BuildKernel() {
if [ "$Flavour" != "kdump" ]; then
# Override $(mod-fw) because we don't want it to install any firmware
# we'll get it from the linux-firmware package and we don't want conflicts
- make -s %{?cross_opts} %{?_smp_mflags} ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_install KERNELRELEASE=$KernelVer mod-fw=
+ make -s -j"%(nproc)" %{?cross_opts} %{?_smp_mflags} ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_install KERNELRELEASE=$KernelVer mod-fw=
%if %{with_gcov}
# install gcov-needed files to $BUILDROOT/$BUILD/...:
# gcov_info->filename is absolute path
@@ -979,7 +1011,7 @@ BuildKernel() {
%endif
fi
%ifarch %{vdso_arches}
- make -s %{?cross_opts} ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT vdso_install KERNELRELEASE=$KernelVer
+ make -s -j"%(nproc)" %{?cross_opts} ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT vdso_install KERNELRELEASE=$KernelVer
if [ ! -s ldconfig-kernel.conf ]; then
echo > ldconfig-kernel.conf "\
# Placeholder file, no vDSO hwcap entries used in this kernel."
@@ -1188,6 +1220,12 @@ BuildKernel() {
cp signing_key.priv signing_key.priv.sign${Flavour:+.${Flavour}}
cp signing_key.x509 signing_key.x509.sign${Flavour:+.${Flavour}}
+ # STX: Copy these keys as part of the devel package
+ # The Module signing keys are to ensure that only Out-of-tree
+ # built against the StarlingX Kernel get signed and loaded sans warnings
+ cp signing_key.priv ${RPM_BUILD_ROOT}/lib/modules/${KernelVer}/build/
+ cp signing_key.x509 ${RPM_BUILD_ROOT}/lib/modules/${KernelVer}/build/
+
# remove files that will be auto generated by depmod at rpm -i time
for i in alias alias.bin builtin.bin ccwmap dep dep.bin ieee1394map inputmap isapnpmap ofmap pcimap seriomap symbols symbols.bin usbmap softdep devname
do
@@ -1248,15 +1286,15 @@ make %{?cross_opts} %{?_smp_mflags} -C tools/power/cpupower CPUFREQ_BENCH=false
%endif
%ifarch x86_64
pushd tools/power/x86/x86_energy_perf_policy/
- make
+ make -j"%(nproc)"
popd
pushd tools/power/x86/turbostat
- make
+ make -j"%(nproc)"
popd
%endif #turbostat/x86_energy_perf_policy
%endif
pushd tools
-make tmon
+make -j"%(nproc)" tmon
popd
%endif
@@ -1550,6 +1588,10 @@ fi}\
%{expand:\
%{_sbindir}/new-kernel-pkg --package kernel%{?-v:-%{-v*}} --install %{KVRA}%{?-v:.%{-v*}} || exit $?\
}\
+# If this is a pkg upgrade (ie installed as a patch), set the reboot flag\
+if [ $1 -gt 1 ] ; then\
+ touch /var/run/node_is_patched_rr\
+fi\
%{nil}
#
@@ -1775,6 +1817,11 @@ fi
%kernel_variant_files %{with_debug} debug
%kernel_variant_files %{with_kdump} kdump
+%ifarch x86_64
+%files unsigned
+/boot/vmlinuz.unsigned
+%endif
+
%changelog
* Fri Sep 20 2019 CentOS Sources <bugs@centos.org> - 3.10.0-1062.1.2.el7
- Apply debranding changes
--
1.8.3.1
View Git Blame Copy Permalink