* Adding livepatch for kernel 5.15.92.1-2.cm2.
This commit is contained in:
Pawel Winogrodzki 2023-02-17 15:58:39 -08:00 коммит произвёл GitHub
Родитель 3e36f4d528
Коммит ba6d1b5b91
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
8 изменённых файлов: 7813 добавлений и 2 удалений

4
.github/workflows/check-livepatches.yml поставляемый
Просмотреть файл

@ -25,7 +25,9 @@ jobs:
python-version: 3.9
- name: Get Python dependencies
run: sudo python3 -m pip install python-rpm-spec
run: |
sudo apt-get install -y python3-rpm
sudo python3 -m pip install rpm pyrpm python-rpm-spec validators
- name: Check livepatch specs are valid
run: |

2
SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md сгенерированный

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

Просмотреть файл

@ -2119,6 +2119,7 @@
"livepatch-5.15.87.1-1.cm2",
"livepatch-5.15.90.1-1.cm2",
"livepatch-5.15.92.1-1.cm2",
"livepatch-5.15.92.1-2.cm2",
"livepatching",
"lld",
"local-path-provisioner",

Разница между файлами не показана из-за своего большого размера Загрузить разницу

Просмотреть файл

@ -0,0 +1,7 @@
{
"Signatures": {
"config-5.15.92.1-2.cm2": "02f78f4b512622c8ac5cb2698391a094d43cc07ef3377c1f5951ae500e26ced5",
"kernel-5.15.92.1.tar.gz": "97a283ba4250880a88c7437eac88e8d86ed426430746c4e7dc6ecd9de9be04ea",
"mariner-5.15.92.1-2.cm2.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0"
}
}

Просмотреть файл

@ -0,0 +1,189 @@
%define kernel_version_release 5.15.92.1-2.cm2
%define kernel_version %(echo %{kernel_version_release} | grep -oP "^[^-]+")
%define kernel_release %(echo %{kernel_version_release} | grep -oP "(?<=-).+")
%define builds_module %([[ -n "$(echo "%{patches}" | grep -oP "CVE-\\d+-\\d+(?=\\.patch)")" ]] && echo 1 || echo 0)
# Kpatch module names allow only alphanumeric characters and '_'.
%define livepatch_name %(value="%{name}-%{version}-%{release}"; echo "${value//[^a-zA-Z0-9_]/_}")
%define livepatch_install_dir %{_libdir}/livepatching/%{kernel_version_release}
%define livepatch_module_name %{livepatch_name}.ko
%define livepatch_module_path %{livepatch_install_dir}/%{livepatch_module_name}
%define patch_applicable_for_kernel [[ -f "%{livepatch_module_path}" && "$(uname -r)" == "%{kernel_version_release}" ]]
%define patch_installed kpatch list | grep -qP "%{livepatch_name}.*%{kernel_version_release}"
%define patch_loaded kpatch list | grep -qP "%{livepatch_name}.*enabled"
# Install patch if the RUNNING kernel matches.
# No-op for initial (empty) livepatch.
%define install_if_should \
if %{patch_applicable_for_kernel} && ! %{patch_installed} \
then \
kpatch install %{livepatch_module_path} \
fi
# Load patch, if the RUNNING kernel matches.
# No-op for initial (empty) livepatch.
%define load_if_should \
if %{patch_applicable_for_kernel} && ! %{patch_loaded} \
then \
kpatch load %{livepatch_module_path} \
fi
%define uninstall_if_should \
if %{patch_installed} \
then \
kpatch uninstall %{livepatch_name} \
fi
%define unload_if_should \
if %{patch_loaded} \
then \
kpatch unload %{livepatch_name} \
fi
%define patches_description \
%(
echo "Patches list ('*' - fixed, '!' - unfixable through livepatching, kernel update required):"
for patch in %{patches}
do
patch_file=$(basename "$patch")
cve_number="${patch_file%.*}"
patch_suffix="${patch_file#*.}"
if [ "$patch_suffix" = "patch" ]
then
echo "*$cve_number"
else
echo "\!$cve_number: $(cat "$patch")"
fi
done
)
Summary: Set of livepatches for kernel %{kernel_version_release}
Name: livepatch-%{kernel_version_release}
Version: 1.0.0
Release: 1%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Base
URL: https://github.com/microsoft/CBL-Mariner
Source0: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/%{kernel_version}.tar.gz#/kernel-%{kernel_version}.tar.gz
Source1: config-%{kernel_version_release}
Source2: mariner-%{kernel_version_release}.pem
ExclusiveArch: x86_64
Provides: livepatch = %{kernel_version_release}
# Must be kept below the "Patch" tags to correctly evaluate %%builds_module.
%if %{builds_module}
BuildRequires: audit-devel
BuildRequires: bash
BuildRequires: bc
BuildRequires: binutils
BuildRequires: bison
BuildRequires: diffutils
BuildRequires: dwarves
BuildRequires: elfutils-libelf-devel
BuildRequires: flex
BuildRequires: gcc
BuildRequires: glib-devel
BuildRequires: glibc-devel
BuildRequires: kbd
BuildRequires: kernel-debuginfo = %{kernel_version_release}
BuildRequires: kernel-headers = %{kernel_version_release}
BuildRequires: kmod-devel
BuildRequires: kpatch-build
BuildRequires: libdnet-devel
BuildRequires: libmspack-devel
BuildRequires: make
BuildRequires: openssl
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: procps-ng-devel
BuildRequires: python3-devel
BuildRequires: rpm-build
Requires: coreutils
Requires: livepatching-filesystem
Requires(post): coreutils
Requires(post): kpatch
Requires(preun): kpatch
%description
A set of kernel livepatches addressing CVEs present in Mariner's
%{kernel_version_release} kernel.
%{patches_description}
%prep
%setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-%{kernel_version}
cp %{SOURCE1} .config
cp %{SOURCE2} certs/mariner.pem
sed -i 's#CONFIG_SYSTEM_TRUSTED_KEYS=""#CONFIG_SYSTEM_TRUSTED_KEYS="certs/mariner.pem"#' .config
sed -i 's/CONFIG_LOCALVERSION=""/CONFIG_LOCALVERSION="-%{kernel_release}"/' .config
%build
# Building cumulative patch.
all_patches_file=all.patch
for patch in %{patches}
do
[[ "$patch" == *.patch ]] && cat "$patch" >> $all_patches_file
done
kpatch-build -ddd \
--sourcedir . \
--vmlinux %{_libdir}/debug/lib/modules/%{kernel_version_release}/vmlinux \
--name %{livepatch_name} \
$all_patches_file
%install
install -dm 755 %{buildroot}%{livepatch_install_dir}
install -m 744 %{livepatch_module_name} %{buildroot}%{livepatch_module_path}
%post
%load_if_should
%install_if_should
%preun
%uninstall_if_should
%unload_if_should
# Re-enable patch on rollbacks to supported kernel.
%triggerin -- kernel = %{kernel_version_release}
%load_if_should
%install_if_should
# Prevent the patch from being loaded after a reboot to a different kernel.
# Previous kernel is still running, do NOT unload the livepatch.
%triggerin -- kernel > %{kernel_version_release}, kernel < %{kernel_version_release}
%uninstall_if_should
%files
%defattr(-,root,root)
%dir %{livepatch_install_dir}
%{livepatch_module_path}
# else builds_module
%else
%global debug_package %{nil}
%description
Empty package enabling subscription to future kernel livepatches
addressing CVEs present in Mariner's %{kernel_version_release} kernel.
%files
# endif builds_module
%endif
%changelog
* Fri Feb 17 2023 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.0-1
- Original version for CBL-Mariner.
- License verified.

Просмотреть файл

@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIFBjCCA+6gAwIBAgITMwAABO5/lN6NQyelHwABAAAE7jANBgkqhkiG9w0BAQsF
ADB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQD
ExpNaWNyb3NvZnQgVGVzdGluZyBQQ0EgMjAxMDAeFw0yMTEwMTQxNzI4MDVaFw0y
MjEwMTMxNzI4MDVaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv
bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0
aW9uMTAwLgYDVQQDEydNYXJpbmVyIFNlY3VyZSBCb290KFByb2R1Y3Rpb24gU2ln
bmluZykwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF45hTHPQAA7yc
6g3iVuqcQKF51ylCynjUySYqqQha2sQzE7tbJ2egVkW4cfY1UbJsm65i2/VGI1OL
Zia4sRwXRN7toRK5aElYfpsghMgGEaCSPs6915BVqO4WX0jxXswqRZ2CPH+evNCC
hQnOqtjvFCqp7aeQ44b/DpZmaMicL/DwbI4925HWGSYa+/Mp1Fs3yGhP5X75+c9v
w4gJ5KoxcOFRmQEt0c7lOclOi5Np5jys7lrrdmPPbjoALERBatiXj8w72LUZu4+I
970/6jqNEkHeGxqVSPRRNIEZubjvRIfg8uULr8k/Kj8TbznCWoGuaT/9yoVbHhqU
KQMJxxFrAgMBAAGjggF3MIIBczATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4E
FgQUtC1rnigJt7kJfP+emwGUuG6Av5UwRQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsT
FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UEBRMNNDYwODk3KzQ2ODU5NzAf
BgNVHSMEGDAWgBS/ZaKrb3WjTkWWVwXPOYf0wBUcHDBcBgNVHR8EVTBTMFGgT6BN
hktodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQl
MjBUZXN0aW5nJTIwUENBJTIwMjAxMCgxKS5jcmwwaQYIKwYBBQUHAQEEXTBbMFkG
CCsGAQUFBzAChk1odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRz
L01pY3Jvc29mdCUyMFRlc3RpbmclMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMB
Af8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCybuv6kmhT2y97FOLRljLCLvQlBL/E
dxKPDYNFhHCKIUd550yUoUW8XIxSYa+Dmx/1+NYS4Nxql7ecuR4g9+4i0DOmNjYO
NY8epPspIpjUd9OAiKNKJSs2303i2TQojXQcZVeTO89bK3pX+spoACGuEVEuWSdL
q+oPDYZwNTKyobj9wHYO6WXJfcdLPlYZghDjR/WNO5bzvzpi2nn/c4OYvMihLNq0
5uNO0IB/zquyAaCKbi15v/PqYos1BsT+Yft4zf8ry17yFVBIqJMa2An6Gex7SNWj
jj1S7uBga3oZcTHvR8xv3fmbwfQMIrZRmZrq8xkySxQV7xea0sE7X/pJ
-----END CERTIFICATE-----

Просмотреть файл

@ -11716,6 +11716,16 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "livepatch-5.15.92.1-2.cm2",
"version": "1.0.0",
"downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.92.1.tar.gz"
}
}
},
{
"component": {
"type": "other",