kata(-cc): upgrade to LSG release v2405.9.2 (#9261)

Co-authored-by: Dallas Delaney <dadelan@microsoft.com> Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
2024-06-05 12:40:57 -07:00 · 2024-06-05 12:40:57 -07:00 · 4e90dd61c1
--- a/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec
+++ b/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec
@ -6,8 +6,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed MSHV-enabled Linux Kernel for %{buildarch} systems
 Name:           kernel-mshv-signed-%{buildarch}
-Version:        5.15.126.mshv9
-Release:        3%{?dist}
+Version:        5.15.157.mshv1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner-mshv.cfg
 %exclude /lib/modules/%{uname_r}/build

 %changelog
+* Tue May 14 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.157.mshv1-1
+- Auto-upgrade to 5.15.157.mshv1
+
 * Mon Apr 01 2024 Cameron Baird <cameronbaird@microsoft.com> - 5.15.126.mshv9-3
 - BuildRequires: grub2-rpm-macros to expand mkconfig configuration requirement

--- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
+++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
--- a/SPECS/LICENSES-AND-NOTICES/data/licenses.json
+++ b/SPECS/LICENSES-AND-NOTICES/data/licenses.json
@ -2165,6 +2165,7 @@
                "check-restart",
                "clamav",
                "cloud-hypervisor",
+                "cloud-hypervisor-cvm",
                "cmake-fedora",
                "coredns",
                "csi-driver-lvm",
--- a/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.signatures.json
+++ b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.signatures.json
@ -0,0 +1,7 @@
+{
+    "Signatures": {
+        "cloud-hypervisor-cvm-38.0.72-vendor.tar.gz": "6092868ed042c0397e4e96f2572a59d80491662b6c68fd210fe458a8f7d0d429",
+        "cloud-hypervisor-cvm-38.0.72.tar.gz": "e6d15d99c5d9ec4bede43ef8fac971d2cc0ae49a7eafffc6ca7e5b948ed4282a",
+        "config.toml": "74c28b7520c157109b8990b325fe8f13504e56561a9bac51499d4c6bf4a66e52"
+    }
+}
--- a/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec
+++ b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec
@ -0,0 +1,216 @@
+%define using_rustup 0
+%define using_musl_libc 0
+%define using_vendored_crates 1
+
+Name:           cloud-hypervisor-cvm
+Summary:        Cloud Hypervisor CVM is an open source Virtual Machine Monitor (VMM) that enables running SEV SNP enabled VMs on top of MSHV using the IGVM file format as payload.
+Version:        38.0.72
+Release:        1%{?dist}
+License:        ASL 2.0 OR BSD-3-clause
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          Applications/System
+URL:            https://github.com/microsoft/cloud-hypervisor
+Source0:        https://github.com/microsoft/cloud-hypervisor/archive/refs/tags/msft/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+%if 0%{?using_vendored_crates}
+# Note: the %%{name}-%%{version}-cargo.tar.gz file contains a cache created by capturing the contents downloaded into $CARGO_HOME.
+# To update the cache and config.toml run:
+#   tar -xf %{name}-%{version}.tar.gz
+#   cd %{name}-%{version}
+#   cargo vendor > config.toml
+#   tar -czf %{name}-%{version}-cargo.tar.gz vendor/
+# rename the tarball to %{name}-%{version}-cargo.tar.gz when updating version
+Source1:        %{name}-%{version}-vendor.tar.gz
+Source2:        config.toml
+%endif
+
+Conflicts: cloud-hypervisor
+
+BuildRequires:  binutils
+BuildRequires:  gcc
+BuildRequires:  git
+BuildRequires:  glibc-devel
+BuildRequires:  openssl-devel
+
+%if ! 0%{?using_rustup}
+BuildRequires:  rust >= 1.62.0
+BuildRequires:  cargo >= 1.62.0
+%endif
+
+Requires: bash
+Requires: glibc
+Requires: libgcc
+Requires: libcap
+
+ExclusiveArch:  x86_64
+
+%ifarch x86_64
+%define rust_def_target x86_64-unknown-linux-gnu
+%define cargo_pkg_feature_opts --no-default-features --features "mshv,kvm,sev_snp,igvm"
+%endif
+%ifarch aarch64
+%define rust_def_target aarch64-unknown-linux-gnu
+%define cargo_pkg_feature_opts --all
+%endif
+
+%if 0%{?using_musl_libc}
+%ifarch x86_64
+%define rust_musl_target x86_64-unknown-linux-musl
+%endif
+%ifarch aarch64
+%define rust_musl_target aarch64-unknown-linux-musl
+%endif
+%endif
+
+%if 0%{?using_vendored_crates}
+%define cargo_offline --offline
+%endif
+
+%description
+Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM. The project focuses on exclusively running modern, cloud workloads, on top of a limited set of hardware architectures and platforms. Cloud workloads refers to those that are usually run by customers inside a cloud provider. For our purposes this means modern Linux* distributions with most I/O handled by paravirtualised devices (i.e. virtio), no requirement for legacy devices and recent CPUs and KVM.
+
+%prep
+
+%setup -q -n cloud-hypervisor-%{version}
+%if 0%{?using_vendored_crates}
+tar xf %{SOURCE1}
+mkdir -p .cargo
+cp %{SOURCE2} .cargo/
+%endif
+
+%install
+install -d %{buildroot}%{_bindir}
+install -D -m755  ./target/%{rust_def_target}/release/cloud-hypervisor %{buildroot}%{_bindir}
+
+%if 0%{?using_musl_libc}
+install -d %{buildroot}%{_libdir}/cloud-hypervisor/static
+install -D -m755 target/%{rust_musl_target}/release/cloud-hypervisor %{buildroot}%{_libdir}/cloud-hypervisor/static
+install -D -m755 target/%{rust_musl_target}/release/ch-remote %{buildroot}%{_libdir}/cloud-hypervisor/static
+%endif
+
+
+%build
+cargo_version=$(cargo --version)
+if [[ $? -ne 0 ]]; then
+	echo "Cargo not found, please install cargo. exiting"
+	exit 0
+fi
+
+%if 0%{?using_rustup}
+which rustup
+if [[ $? -ne 0 ]]; then
+	echo "Rustup not found please install rustup #curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh"
+fi
+%endif
+
+echo ${cargo_version}
+
+%if 0%{?using_rustup}
+rustup target list --installed | grep x86_64-unknown-linux-gnu
+if [[ $? -ne 0 ]]; then
+         echo "Target  x86_64-unknown-linux-gnu not found, please install(#rustup target add x86_64-unknown-linux-gnu). exiting"
+fi
+	%if 0%{?using_musl_libc}
+rustup target list --installed | grep x86_64-unknown-linux-musl
+if [[ $? -ne 0 ]]; then
+         echo "Target  x86_64-unknown-linux-musl not found, please install(#rustup target add x86_64-unknown-linux-musl). exiting"
+fi
+	%endif
+%endif
+
+%if 0%{?using_vendored_crates}
+# For vendored build, prepend this so openssl-sys doesn't trigger full OpenSSL build
+export OPENSSL_NO_VENDOR=1
+%endif
+cargo build --release --target=%{rust_def_target} %{cargo_pkg_feature_opts} %{cargo_offline}
+%if 0%{?using_musl_libc}
+cargo build --release --target=%{rust_musl_target} %{cargo_pkg_feature_opts} %{cargo_offline}
+%endif
+
+%files
+%defattr(-,root,root,-)
+%caps(cap_net_admin=ep) %{_bindir}/cloud-hypervisor
+%if 0%{?using_musl_libc}
+%{_libdir}/cloud-hypervisor/static/ch-remote
+%caps(cap_net_admim=ep) %{_libdir}/cloud-hypervisor/static/cloud-hypervisor
+%endif
+%license LICENSE-APACHE
+%license LICENSE-BSD-3-Clause
+
+%changelog
+* Wed May 15 2024 Saul Paredes <saulparedes@microsoft.com> - 38.0.72-1
+- Initial CBL-Mariner import from Azure
+- Upgrade to v38.0.72
+- Update install to match cloud-hypervisor install locations
+- Add conflicts with cloud-hypervisor
+- License verified.
+
+* Mon Nov 6 2023 Dallas Delaney <dadelan@microsoft.com> - 32.0.314-2000
+- Upgrade to v32.0.314
+
+* Thu Sep 21 2023 Saul Paredes <saulparedes@microsoft.com> - 32.0.209-2000
+- Upgrade to v32.0.209
+
+* Fri Sep 15 2023 Saul Paredes <saulparedes@microsoft.com> - 32.0.192-2000
+- Upgrade to v32.0.192
+
+* Tue Aug 1 2023 Saul Paredes <saulparedes@microsoft.com> - 32.0.0-2000
+- Accomodate cloud-hypervisor
+
+* Fri May 19 2023 Anatol Belski <anbelski@linux.microsoft.com> - 32.0.0-1000
+- Upgrade to v32.0
+
+* Wed Apr 19 2023 Anatol Belski <anbelski@linux.microsoft.com> - 31.1.0-1000
+- Upgrade to v31.1
+
+* Thu Apr 06 2023 Anatol Belski <anbelski@linux.microsoft.com> - 31.0.0-1000
+- Upgrade to v31.0
+
+* Fri Feb 24 2023 Anatol Belski <anbelski@linux.microsoft.com> - 30.0.0-1000
+- Upgrade to v30.0
+
+* Sun Jan 15 2023 Anatol Belski <anbelski@linux.microsoft.com> - 29.0.0-1000
+- Upgrade to v29.0
+
+* Thu Dec 15 2022 Anatol Belski <anbelski@linux.microsoft.com> - 28.1.0-1000
+- Upgrade to v28.1
+
+* Thu Nov 17 2022 Anatol Belski <anbelski@linux.microsoft.com> - 28.0.0-1000
+- Upgrade to v28.0
+
+* Wed Oct 12 2022 Anatol Belski <anbelski@linux.microsoft.com> - 27.0.0-1001
+- Spec refactoring towards pulling an arbitrary revision
+
+* Wed Oct 05 2022 Anatol Belski <anbelski@linux.microsoft.com> - 27.0-1
+- Upgrade to 27.0
+
+* Thu Sep 15 2022 Anatol Belski <anbelski@linux.microsoft.com> - 26.0-2
+- Unbundle tarballs from git
+
+* Wed Aug 17 2022 Anatol Belski <anbelski@linux.microsoft.com> - 26.0-1
+- Pull release 26.0 for Mariner from upstream
+
+* Tue May 16 2022 Anatol Belski <anbelski@linux.microsoft.com> - 23.1-0
+- Initial import 23.1 for Mariner from upstream
+
+*   Thu Apr 13 2022 Rob Bradford <robert.bradford@intel.com> 23.0-0
+-   Update to 23.0
+
+*   Thu Mar 03 2022 Rob Bradford <robert.bradford@intel.com> 22.0-0
+-   Update to 22.0
+
+*   Thu Jan 20 2022 Rob Bradford <robert.bradford@intel.com> 21.0-0
+-   Update to 21.0
+
+*   Thu Dec 02 2021 Sebastien Boeuf <sebastien.boeuf@intel.com> 20.0-0
+-   Update to 20.0
+
+*   Mon Nov 08 2021 Fabiano Fidêncio <fabiano.fidencio@intel.com> 19.0-0
+-   Update to 19.0
+
+*   Fri May 28 2021 Muminul Islam <muislam@microsoft.com> 15.0-0
+-   Update version to 15.0
+
+*   Wed Jul 22 2020 Muminul Islam <muislam@microsoft.com> 0.8.0-0
+-   Initial version
+
--- a/SPECS/cloud-hypervisor-cvm/config.toml
+++ b/SPECS/cloud-hypervisor-cvm/config.toml
@ -0,0 +1,50 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/cloud-hypervisor/kvm-bindings?branch=ch-v0.7.0"]
+git = "https://github.com/cloud-hypervisor/kvm-bindings"
+branch = "ch-v0.7.0"
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/cloud-hypervisor/versionize_derive?branch=ch-0.1.6"]
+git = "https://github.com/cloud-hypervisor/versionize_derive"
+branch = "ch-0.1.6"
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/firecracker-microvm/micro-http?branch=main"]
+git = "https://github.com/firecracker-microvm/micro-http"
+branch = "main"
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/microsoft/igvm?branch=main"]
+git = "https://github.com/microsoft/igvm"
+branch = "main"
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/rust-vmm/acpi_tables?branch=main"]
+git = "https://github.com/rust-vmm/acpi_tables"
+branch = "main"
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/rust-vmm/mshv?branch=main"]
+git = "https://github.com/rust-vmm/mshv"
+branch = "main"
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/rust-vmm/vfio-user?branch=main"]
+git = "https://github.com/rust-vmm/vfio-user"
+branch = "main"
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/rust-vmm/vfio?branch=main"]
+git = "https://github.com/rust-vmm/vfio"
+branch = "main"
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/rust-vmm/vm-fdt?branch=main"]
+git = "https://github.com/rust-vmm/vm-fdt"
+branch = "main"
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"
--- a/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json
+++ b/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json
@ -1,7 +1,7 @@
 {
- "Signatures": {
-  "cloud-hypervisor-32.0-cargo.tar.gz": "2dd7ca374109ba337afeb0ff95d5edac8193431ec74cdbb6b1a400c600f4d915",
-  "cloud-hypervisor-32.0.tar.gz": "b9754a5ecd26697e5416a642345b2f35f4fdc983a83d540d740978309f2eb419",
-  "config.toml": "6d2aeec19782ae17eb2708262b0a7c551db3cc36b56542abca18d577de042458"
- }
+  "Signatures": {
+    "cloud-hypervisor-32.0-cargo.tar.gz": "2dd7ca374109ba337afeb0ff95d5edac8193431ec74cdbb6b1a400c600f4d915",
+    "cloud-hypervisor-32.0.tar.gz": "b9754a5ecd26697e5416a642345b2f35f4fdc983a83d540d740978309f2eb419",
+    "config.toml": "6d2aeec19782ae17eb2708262b0a7c551db3cc36b56542abca18d577de042458"
+  }
 }
--- a/SPECS/cloud-hypervisor/cloud-hypervisor.spec
+++ b/SPECS/cloud-hypervisor/cloud-hypervisor.spec
@ -5,7 +5,7 @@
 Summary:        Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM.
 Name:           cloud-hypervisor
 Version:        32.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        ASL 2.0 OR BSD-3-clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -28,6 +28,8 @@ Patch2:         CVE-2023-50711-vhost.patch
 Patch3:         CVE-2023-50711-versionize.patch
 %endif

+Conflicts: cloud-hypervisor-cvm
+
 BuildRequires:  binutils
 BuildRequires:  gcc
 BuildRequires:  git
@ -162,6 +164,9 @@ cargo build --release --target=%{rust_musl_target} --package vhost_user_block %{
 %license LICENSE-BSD-3-Clause

 %changelog
+* Mon May 20 2024 Saul Paredes <saulparedes@microsoft.com> - 32.0-4
+- Add conflicts with cloud-hypervisor-cvm
+
 * Mon Jan 15 2024 Sindhu Karri <lakarri@microsoft.com> - 32.0-3
 - Patch CVE-2023-50711 in vendor/vmm-sys-util, vendor/vhost, vendor/versionize

--- a/SPECS/kata-containers-cc/kata-containers-cc.signatures.json
+++ b/SPECS/kata-containers-cc/kata-containers-cc.signatures.json
@ -1,7 +1,7 @@
 {
  "Signatures": {
    "mariner-coco-build-uvm.sh": "4f2be6965d8c4d7919fd201a68160fc8ab02a1be50a336abbfea13f16a6ffb89",
-    "kata-containers-cc-3.2.0.azl1-cargo.tar.gz": "e9225097732f0e9be4da806dac9189c94b43e76dc54b964d1c07beaf8ea65e36",
-    "kata-containers-cc-3.2.0.azl1.tar.gz": "1c0461a0bcb6920888955ad54c6542b8adfce939e008e6c89f102cf4baeb74a4"
+    "kata-containers-cc-3.2.0.azl2.tar.gz": "49265e0ecd21af4ed8f23398d1e46ef9961786cb44f40fe582abff06c1c1a873",
+    "kata-containers-cc-3.2.0.azl2-cargo.tar.gz": "ddf919a672200f0fb53d1cb6c66d6b1c401cf26368541c750d9a12e62da605a1"
  }
 }
--- a/SPECS/kata-containers-cc/kata-containers-cc.spec
+++ b/SPECS/kata-containers-cc/kata-containers-cc.spec
@ -12,7 +12,7 @@
 %global debug_package %{nil}

 Name:         kata-containers-cc
-Version:      3.2.0.azl1
+Version:      3.2.0.azl2
 Release:      1%{?dist}
 Summary:      Kata Confidential Containers package developed for Confidential Containers on AKS
 License:      ASL 2.0
@ -158,10 +158,9 @@ mkdir -p %{buildroot}%{share_kata}
 mkdir -p %{buildroot}%{coco_path}/libexec
 mkdir -p %{buildroot}/etc/systemd/system/containerd.service.d/

-# for testing policy/snapshotter without SEV SNP we use CH (with kernel-uvm and initrd) instead of CH-CVM with IGVM
 # Note: our kata-containers config toml expects cloud-hypervisor and kernel under a certain path/name, so we align this through symlinks here
 ln -s /usr/bin/cloud-hypervisor               %{buildroot}%{coco_bin}/cloud-hypervisor
-ln -s /usr/bin/cloud-hypervisor-cvm           %{buildroot}%{coco_bin}/cloud-hypervisor-snp
+ln -s /usr/bin/cloud-hypervisor               %{buildroot}%{coco_bin}/cloud-hypervisor-snp

 # this is again for testing without SEV SNP
 ln -s /usr/share/cloud-hypervisor/vmlinux.bin %{buildroot}%{share_kata}/vmlinux.container
@ -289,6 +288,10 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder
 %exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu

 %changelog
+* Wed May 29 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.2.0.azl2-1
+- Auto-upgrade to 3.2.0.azl2
+- Update cloud-hypervisor-snp symlink to also point to /usr/bin/cloud-hypervisor
+
 * Thu May 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.2.0.azl1-1
 - Auto-upgrade to 3.2.0.azl1
 - Remove opa
--- a/SPECS/kata-containers/kata-containers.signatures.json
+++ b/SPECS/kata-containers/kata-containers.signatures.json
@ -2,7 +2,7 @@
  "Signatures": {
    "50-kata": "fb108c6337b3d3bf80b43ab04f2bf9a3bdecd29075ebd16320aefe8f81c502a7",
    "mariner-build-uvm.sh": "a0fbee4def82ee492eab64a8b5a948c2fef125fa1ca5686aafa0a80c64144068",
-    "kata-containers-3.2.0.azl1-cargo.tar.gz": "9fb37f5141d09d359f9ddbd6588ddc0f0a58c20e7d8da3e96037f6549b283015",
-    "kata-containers-3.2.0.azl1.tar.gz": "140118610896fd3ef6c63649e06a9a4d2380dc1fbf2d82ec676245c06ffb6f36"
+    "kata-containers-3.2.0.azl2-cargo.tar.gz": "830c90cc6e44f492e6366012f8834ae6fc84bd790edf678c23003368c288b98c",
+    "kata-containers-3.2.0.azl2.tar.gz": "ab65f23787347fae11cf07e0a380e925e9f7b6f0f862ef6440a683b816206011"
  }
 }
--- a/SPECS/kata-containers/kata-containers.spec
+++ b/SPECS/kata-containers/kata-containers.spec
@ -38,7 +38,7 @@

 Summary:        Kata Containers
 Name:           kata-containers
-Version:        3.2.0.azl1
+Version:        3.2.0.azl2
 Release:        1%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
@ -215,6 +215,9 @@ ln -sf %{_bindir}/kata-runtime %{buildroot}%{_prefix}/local/bin/kata-runtime
 %exclude %{kataosbuilderdir}/rootfs-builder/ubuntu

 %changelog
+* Wed May 29 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.2.0.azl2-1
+- Auto-upgrade to 3.2.0.azl2
+
 * Thu May 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.2.0.azl1-1
 - Auto-upgrade to 3.2.0.azl1

--- a/SPECS/kernel-mshv/config
+++ b/SPECS/kernel-mshv/config
@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.126.mshv9 Kernel Configuration
+# Linux/x86_64 5.15.157.mshv1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
@ -491,6 +491,8 @@ CONFIG_CPU_IBPB_ENTRY=y
 CONFIG_CPU_IBRS_ENTRY=y
 CONFIG_CPU_SRSO=y
 # CONFIG_GDS_FORCE_MITIGATION is not set
+CONFIG_MITIGATION_RFDS=y
+CONFIG_MITIGATION_SPECTRE_BHI=y
 CONFIG_ARCH_HAS_ADD_PAGES=y
 CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y
 CONFIG_USE_PERCPU_NUMA_NODE_ID=y
@ -768,6 +770,9 @@ CONFIG_GCC_PLUGINS=y
 # CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
 # CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
 # CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+CONFIG_FUNCTION_ALIGNMENT_4B=y
+CONFIG_FUNCTION_ALIGNMENT_16B=y
+CONFIG_FUNCTION_ALIGNMENT=16
 # end of General architecture-dependent options

 CONFIG_RT_MUTEXES=y
@ -1161,6 +1166,7 @@ CONFIG_NFT_HASH=m
 CONFIG_NFT_TPROXY=m
 # CONFIG_NFT_SYNPROXY is not set
 # CONFIG_NF_FLOW_TABLE is not set
+CONFIG_NF_FLOW_TABLE_PROCFS=y
 CONFIG_NETFILTER_XTABLES=y

 #
@ -1458,7 +1464,6 @@ CONFIG_NET_SCHED=y
 #
 # Queueing/Scheduling
 #
-CONFIG_NET_SCH_CBQ=m
 CONFIG_NET_SCH_HTB=m
 CONFIG_NET_SCH_HFSC=m
 CONFIG_NET_SCH_PRIO=m
@ -1472,7 +1477,6 @@ CONFIG_NET_SCH_TBF=m
 CONFIG_NET_SCH_ETF=m
 # CONFIG_NET_SCH_TAPRIO is not set
 CONFIG_NET_SCH_GRED=m
-CONFIG_NET_SCH_DSMARK=m
 CONFIG_NET_SCH_NETEM=m
 CONFIG_NET_SCH_DRR=m
 CONFIG_NET_SCH_MQPRIO=m
@ -1500,8 +1504,6 @@ CONFIG_NET_CLS_FW=m
 CONFIG_NET_CLS_U32=m
 CONFIG_CLS_U32_PERF=y
 CONFIG_CLS_U32_MARK=y
-CONFIG_NET_CLS_RSVP=m
-CONFIG_NET_CLS_RSVP6=m
 CONFIG_NET_CLS_FLOW=m
 CONFIG_NET_CLS_CGROUP=m
 CONFIG_NET_CLS_BPF=m
@ -3649,7 +3651,6 @@ CONFIG_MFD_INTEL_LPSS_PCI=m
 # CONFIG_MFD_SM501 is not set
 # CONFIG_MFD_SKY81452 is not set
 # CONFIG_MFD_SYSCON is not set
-# CONFIG_MFD_TI_AM335X_TSCADC is not set
 # CONFIG_MFD_LP3943 is not set
 # CONFIG_MFD_LP8788 is not set
 # CONFIG_MFD_TI_LMU is not set
@ -5164,18 +5165,28 @@ CONFIG_VIRTIO_PCI_LIB=y
 CONFIG_VIRTIO_MENU=y
 CONFIG_VIRTIO_PCI=y
 CONFIG_VIRTIO_PCI_LEGACY=y
+# CONFIG_VIRTIO_VDPA is not set
 # CONFIG_VIRTIO_PMEM is not set
 CONFIG_VIRTIO_BALLOON=y
 CONFIG_VIRTIO_MEM=m
 # CONFIG_VIRTIO_INPUT is not set
 CONFIG_VIRTIO_MMIO=y
 # CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
-# CONFIG_VDPA is not set
+CONFIG_VDPA=m
+CONFIG_VDPA_SIM=m
+CONFIG_VDPA_SIM_NET=m
+CONFIG_VDPA_SIM_BLOCK=m
+# CONFIG_VDPA_USER is not set
+# CONFIG_IFCVF is not set
+# CONFIG_MLX5_VDPA_NET is not set
+# CONFIG_VP_VDPA is not set
 CONFIG_VHOST_IOTLB=m
+CONFIG_VHOST_RING=m
 CONFIG_VHOST=m
 CONFIG_VHOST_MENU=y
 CONFIG_VHOST_NET=m
 CONFIG_VHOST_VSOCK=m
+CONFIG_VHOST_VDPA=m
 # CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set

 #
@ -5185,6 +5196,7 @@ CONFIG_HYPERV=y
 CONFIG_HYPERV_TIMER=y
 CONFIG_HYPERV_UTILS=y
 CONFIG_HYPERV_BALLOON=y
+CONFIG_HYPERV_NONTLFS_HEADERS=y
 CONFIG_MSHV=y
 CONFIG_MSHV_ROOT=y
 # CONFIG_MSHV_VTL is not set
@ -5472,12 +5484,17 @@ CONFIG_IIO_ST_ACCEL_I2C_3AXIS=m
 # CONFIG_MAX9611 is not set
 # CONFIG_MCP3422 is not set
 # CONFIG_NAU7802 is not set
-# CONFIG_STX104 is not set
 # CONFIG_TI_ADC081C is not set
 # CONFIG_TI_ADS1015 is not set
 # CONFIG_XILINX_XADC is not set
 # end of Analog to digital converters

+#
+# Analog to digital and digital to analog converters
+#
+# CONFIG_STX104 is not set
+# end of Analog to digital and digital to analog converters
+
 #
 # Analog Front Ends
 #
@ -6071,8 +6088,7 @@ CONFIG_NFS_DEBUG=y
 CONFIG_NFS_DISABLE_UDP_SUPPORT=y
 # CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFSD=m
-CONFIG_NFSD_V2_ACL=y
-CONFIG_NFSD_V3=y
+# CONFIG_NFSD_V2 is not set
 CONFIG_NFSD_V3_ACL=y
 CONFIG_NFSD_V4=y
 CONFIG_NFSD_PNFS=y
@ -6670,8 +6686,9 @@ CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 # CONFIG_DEBUG_INFO_DWARF4 is not set
 # CONFIG_DEBUG_INFO_DWARF5 is not set
-# CONFIG_DEBUG_INFO_BTF is not set
+CONFIG_DEBUG_INFO_BTF=y
 CONFIG_PAHOLE_HAS_SPLIT_BTF=y
+CONFIG_DEBUG_INFO_BTF_MODULES=y
 # CONFIG_GDB_SCRIPTS is not set
 CONFIG_FRAME_WARN=2048
 CONFIG_STRIP_ASM_SYMS=y
--- a/SPECS/kernel-mshv/kernel-mshv.signatures.json
+++ b/SPECS/kernel-mshv/kernel-mshv.signatures.json
@ -1,8 +1,8 @@
 {
- "Signatures": {
-  "kernel-mshv-5.15.126.mshv9.tar.gz": "3ed864ec26340e02b95696784f870eee53ad1e0ba1f30bd9545704bb45a5a2f2",
-  "50_mariner_mshv.cfg": "0a5fcad1efb1fd37f910f675c5303210a2aeeef9e089d804510ce40ff9b26369",
-  "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-  "config": "b266255bd7dfef022aabb578cf928f3435025562a723a95fab6c2ee62acd00ea"
- }
+  "Signatures": {
+    "50_mariner_mshv.cfg": "0a5fcad1efb1fd37f910f675c5303210a2aeeef9e089d804510ce40ff9b26369",
+    "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
+    "config": "a83f8b5ccf093bae011d89575b410418e31f8705f6cf9ed291b0cfe1ea5896c9",
+    "kernel-mshv-5.15.157.mshv1.tar.gz": "8240745a0820ee383ebaf8750877c1189772dc0253cd0658deab199fb2140a4b"
+  }
 }
--- a/SPECS/kernel-mshv/kernel-mshv.spec
+++ b/SPECS/kernel-mshv/kernel-mshv.spec
@ -10,8 +10,8 @@

 Summary:        Mariner kernel that has MSHV Host support
 Name:           kernel-mshv
-Version:        5.15.126.mshv9
-Release:        3%{?dist}
+Version:        5.15.157.mshv1
+Release:        1%{?dist}
 License:        GPLv2
 Group:          Development/Tools
 Vendor:         Microsoft Corporation
@ -248,6 +248,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner-mshv.cfg
 %{_includedir}/perf/perf_dlfilter.h

 %changelog
+* Tue May 14 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.157.mshv1-1
+- Auto-upgrade to 5.15.157.mshv1
+
 * Mon Apr 01 2024 Cameron Baird <cameronbaird@microsoft.com> - 5.15.126.mshv9-3
 - Bump release to match kernel-mshv-signed package

--- a/SPECS/kernel-uvm/config
+++ b/SPECS/kernel-uvm/config
@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 6.1.0.mshv16 Kernel Configuration
+# Linux/x86_64 6.1.58.mshv4 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
@ -170,7 +170,8 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
 CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
 CONFIG_CC_HAS_INT128=y
 CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5"
-CONFIG_GCC12_NO_ARRAY_BOUNDS=y
+CONFIG_GCC11_NO_ARRAY_BOUNDS=y
+CONFIG_CC_NO_ARRAY_BOUNDS=y
 CONFIG_ARCH_SUPPORTS_INT128=y
 # CONFIG_NUMA_BALANCING is not set
 CONFIG_CGROUPS=y
@ -440,6 +441,8 @@ CONFIG_RETHUNK=y
 CONFIG_CPU_UNRET_ENTRY=y
 CONFIG_CPU_IBPB_ENTRY=y
 CONFIG_CPU_IBRS_ENTRY=y
+CONFIG_CPU_SRSO=y
+# CONFIG_GDS_FORCE_MITIGATION is not set
 CONFIG_ARCH_HAS_ADD_PAGES=y
 CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y

@ -596,6 +599,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y
 CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
 CONFIG_ARCH_HAS_SET_MEMORY=y
 CONFIG_ARCH_HAS_SET_DIRECT_MAP=y
+CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y
 CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y
 CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y
 CONFIG_ARCH_WANTS_NO_INSTR=y
@ -870,6 +874,7 @@ CONFIG_SECRETMEM=y
 # CONFIG_ANON_VMA_NAME is not set
 # CONFIG_USERFAULTFD is not set
 # CONFIG_LRU_GEN is not set
+CONFIG_LOCK_MM_AND_FIND_VMA=y

 #
 # Data Access Monitoring
@ -919,6 +924,7 @@ CONFIG_SYN_COOKIES=y
 # CONFIG_INET_AH is not set
 # CONFIG_INET_ESP is not set
 # CONFIG_INET_IPCOMP is not set
+CONFIG_INET_TABLE_PERTURB_ORDER=16
 # CONFIG_INET_DIAG is not set
 # CONFIG_TCP_CONG_ADVANCED is not set
 CONFIG_TCP_CONG_CUBIC=y
@ -1268,12 +1274,9 @@ CONFIG_NET_SCH_FQ=y
 #
 CONFIG_NET_CLS=y
 # CONFIG_NET_CLS_BASIC is not set
-# CONFIG_NET_CLS_TCINDEX is not set
 # CONFIG_NET_CLS_ROUTE4 is not set
 # CONFIG_NET_CLS_FW is not set
 # CONFIG_NET_CLS_U32 is not set
-# CONFIG_NET_CLS_RSVP is not set
-# CONFIG_NET_CLS_RSVP6 is not set
 # CONFIG_NET_CLS_FLOW is not set
 CONFIG_NET_CLS_CGROUP=y
 # CONFIG_NET_CLS_BPF is not set
@ -1573,7 +1576,9 @@ CONFIG_VIRTIO_BLK=y
 # CONFIG_MISC_RTSX_PCI is not set
 # CONFIG_HABANA_AI is not set
 # CONFIG_UACCE is not set
-# CONFIG_PVPANIC is not set
+CONFIG_PVPANIC=y
+# CONFIG_PVPANIC_MMIO is not set
+CONFIG_PVPANIC_PCI=y
 # end of Misc devices

 #
@ -2265,6 +2270,7 @@ CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
 CONFIG_HYPERV=y
 CONFIG_HYPERV_TIMER=y
 # CONFIG_HYPERV_BALLOON is not set
+# CONFIG_DXGKRNL is not set
 # end of Microsoft Hyper-V guest support

 # CONFIG_GREYBUS is not set
@ -2589,7 +2595,7 @@ CONFIG_CIFS_STATS2=y
 # CONFIG_CIFS_SWN_UPCALL is not set
 # CONFIG_CIFS_ROOT is not set
 # CONFIG_SMB_SERVER is not set
-CONFIG_SMBFS_COMMON=y
+CONFIG_SMBFS=y
 # CONFIG_CODA_FS is not set
 # CONFIG_AFS_FS is not set
 CONFIG_9P_FS=y
@ -3060,7 +3066,10 @@ CONFIG_OBJTOOL=y
 #
 # Generic Kernel Debugging Instruments
 #
-# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_MAGIC_SYSRQ=y
+CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1
+CONFIG_MAGIC_SYSRQ_SERIAL=y
+CONFIG_MAGIC_SYSRQ_SERIAL_SEQUENCE=""
 # CONFIG_DEBUG_FS is not set
 CONFIG_HAVE_ARCH_KGDB=y
 # CONFIG_KGDB is not set
--- a/SPECS/kernel-uvm/kernel-uvm.signatures.json
+++ b/SPECS/kernel-uvm/kernel-uvm.signatures.json
@ -1,6 +1,6 @@
 {
- "Signatures": {
-  "config": "875ddf9294126989d10aeae4ab0fb31c0e4152d3f15c0a6fe8db29540576bd7c",
-  "kernel-uvm-6.1.0.mshv16.tar.gz": "f0453c3665387a2a87743782347dbccb6c0a2da1f1e9f35c04acd6ba9a9fd92c"
- }
-}
+  "Signatures": {
+    "config": "f94bc8a7c5e0507b3a19e0771ff0798862bac30aa5ababc0cc05ce60e3fdf9de",
+    "kernel-uvm-6.1.58.mshv4.tar.gz": "81ac99ab06cf7df0845f0bd596b394658fb3f1801d0ad985f5b64ffa3d90e80a"
+  }
+}
--- a/SPECS/kernel-uvm/kernel-uvm.spec
+++ b/SPECS/kernel-uvm/kernel-uvm.spec
@ -10,8 +10,8 @@

 Summary:        Linux Kernel for Kata UVM
 Name:           kernel-uvm
-Version:        6.1.0.mshv16
-Release:        2%{?dist}
+Version:        6.1.58.mshv4
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -154,6 +154,9 @@ find %{buildroot}/lib/modules -name '*.ko' -exec chmod u+x {} +
 %{_prefix}/src/linux-headers-%{uname_r}

 %changelog
+* Tue May 14 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.1.58.mshv4-1
+- Auto-upgrade to 6.1.58.mshv4
+
 * Wed Mar 27 2024 Archana Choudhary <archana1@microsoft.com> - 6.1.0.mshv16-2
 - Enable CIFS modules

--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -1812,6 +1812,16 @@
        }
      }
    },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "cloud-hypervisor-cvm",
+          "version": "38.0.72",
+          "downloadUrl": "https://github.com/microsoft/cloud-hypervisor/archive/refs/tags/msft/v38.0.72.tar.gz"
+        }
+      }
+    },
    {
      "component": {
        "type": "other",
@ -8061,8 +8071,8 @@
        "type": "other",
        "other": {
          "name": "kata-containers",
-          "version": "3.2.0.azl1",
-          "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/3.2.0.azl1.tar.gz"
+          "version": "3.2.0.azl2",
+          "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/3.2.0.azl2.tar.gz"
        }
      }
    },
@ -8071,8 +8081,8 @@
        "type": "other",
        "other": {
          "name": "kata-containers-cc",
-          "version": "3.2.0.azl1",
-          "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/3.2.0.azl1.tar.gz"
+          "version": "3.2.0.azl2",
+          "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/3.2.0.azl2.tar.gz"
        }
      }
    },
@ -8191,8 +8201,8 @@
        "type": "other",
        "other": {
          "name": "kernel-mshv",
-          "version": "5.15.126.mshv9",
-          "downloadUrl": "https://azurelinuxsrcstorage.blob.core.windows.net/sources/core/kernel-mshv-5.15.126.mshv9.tar.gz"
+          "version": "5.15.157.mshv1",
+          "downloadUrl": "https://azurelinuxsrcstorage.blob.core.windows.net/sources/core/kernel-mshv-5.15.157.mshv1.tar.gz"
        }
      }
    },
@ -8211,8 +8221,8 @@
        "type": "other",
        "other": {
          "name": "kernel-uvm",
-          "version": "6.1.0.mshv16",
-          "downloadUrl": "https://azurelinuxsrcstorage.blob.core.windows.net/sources/core/kernel-uvm-6.1.0.mshv16.tar.gz"
+          "version": "6.1.58.mshv4",
+          "downloadUrl": "https://azurelinuxsrcstorage.blob.core.windows.net/sources/core/kernel-uvm-6.1.58.mshv4.tar.gz"
        }
      }
    },