[main] Update kernel to v5.15.34.1 to address several CVEs (#2789)

* update kernel to 5.15.34.1, clean up nopatches in kernel.spec, address CVEs

* bump kernel-rt config version

* add missed kernel-rt patch

* fix naming convention for kernel source tar to match that used in LSG

* fix toolchain container kernel source link

* correct toolchain kernel source hash

* fix signatures to be correct version of kernel source

* switch to cm2

* fix config hash kernel-rt

* fix usbip

* stop packaging tar creation script in usbip; add update_kernel.sh

* fix usbip again

* nopatch CVE-2022-29156

* clean up update_kernel.sh

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.15.32.1
-Release:        3%{?dist}
+Version:        5.15.34.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Tue Apr 19 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.34.1-1
+- Update source to 5.15.34.1
+
 * Tue Apr 19 2022 Max Brodeur-Urbas <maxbr@microsoft.com> - 5.15.32.1-3
 - Bump release number to match kernel release
 

SPECS/hyperv-daemons/hyperv-daemons.signatures.json

@@ -7,6 +7,6 @@
   "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1",
   "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
   "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
-  "kernel-5.15.32.1.tar.gz": "8f87899c194ba5e17714a647b303c2e7104fb86ed32aae3c5d892f6edf708749"
+  "kernel-5.15.34.1.tar.gz": "2b40ab4051ec59735f8d89092c8aff9f9c673e7296ecbb7f43a1cd99b2371910"
  }
 }

SPECS/hyperv-daemons/hyperv-daemons.spec

@@ -8,8 +8,8 @@
 %global udev_prefix 70
 Summary:        Hyper-V daemons suite
 Name:           hyperv-daemons
-Version:        5.15.32.1
-Release:        2%{?dist}
+Version:        5.15.34.1
+Release:        1%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -103,7 +103,7 @@ BuildArch:      noarch
 Contains tools and scripts useful for Hyper-V guests.
 
 %prep
-%setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version}
+%setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-%{version}
 
 %build
 pushd tools/hv
@@ -219,6 +219,9 @@ fi
 %{_sbindir}/lsvmbus
 
 %changelog
+* Tue Apr 19 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.34.1-1
+- Update source to 5.15.34.1
+
 * Tue Apr 12 2022 Andrew Phelps <anphel@microsoft.com> - 5.15.32.1-2
 - Bump release number to match kernel release
 

SPECS/kernel-headers/kernel-headers.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "kernel-5.15.32.1.tar.gz": "8f87899c194ba5e17714a647b303c2e7104fb86ed32aae3c5d892f6edf708749"
+  "kernel-5.15.34.1.tar.gz": "2b40ab4051ec59735f8d89092c8aff9f9c673e7296ecbb7f43a1cd99b2371910"
  }
 }

SPECS/kernel-headers/kernel-headers.spec

@@ -1,7 +1,7 @@
 Summary:        Linux API header files
 Name:           kernel-headers
-Version:        5.15.32.1
-Release:        3%{?dist}
+Version:        5.15.34.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -17,14 +17,14 @@ BuildArch:      noarch
 The Linux API Headers expose the kernel's API for use by Glibc.
 
 %prep
-%setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version}
+%setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-%{version}
 
 %build
 make mrproper
 make headers_check
 
 %install
-cd %{_builddir}/CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version}
+cd %{_builddir}/CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-%{version}
 make headers
 find usr/include -name '.*' -delete
 rm usr/include/Makefile
@@ -37,6 +37,9 @@ cp -rv usr/include/* /%{buildroot}%{_includedir}
 %{_includedir}/*
 
 %changelog
+* Tue Apr 19 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.34.1-1
+- Update source to 5.15.34.1
+
 * Tue Apr 19 2022 Max Brodeur-Urbas <maxbr@microsoft.com> - 5.15.32.1-3
 - Bump release number to match kernel release
 

SPECS/kernel-rt/config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.32.1 Kernel Configuration
+# Linux/x86_64 5.15.34.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y

SPECS/kernel-rt/kernel-rt.signatures.json

@@ -1,8 +1,8 @@
 {
  "Signatures": {
   "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-  "config": "fcd21baa2e67f08f310bde054ac3933d84a67ef5ae06c51b13f141029ed9a0fa",
-  "kernel-5.15.32.1.tar.gz": "8f87899c194ba5e17714a647b303c2e7104fb86ed32aae3c5d892f6edf708749",
+  "config": "9f2fa68046f3557a5dcca29d0b52bff848fd76aab7ee3bd33240406d5b0e2c09",
+  "kernel-5.15.34.1.tar.gz": "2b40ab4051ec59735f8d89092c8aff9f9c673e7296ecbb7f43a1cd99b2371910",
   "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f"
  }
 }

SPECS/kernel-rt/kernel-rt.spec

@@ -1,11 +1,12 @@
 %global security_hardening none
 %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
-%global rt_version rt39
+%global rt_version rt40
 %define uname_r %{version}-%{rt_version}-%{release}
+%define version_upstream %(echo %{version} | rev | cut -d'.' -f2- | rev)
 Summary:        Realtime Linux Kernel
 Name:           kernel-rt
-Version:        5.15.32.1
-Release:        3%{?dist}
+Version:        5.15.34.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -19,7 +20,7 @@ Source3:        cbl-mariner-ca-20211013.pem
 # When updating, make sure to grab the matching patch from 
 # https://mirrors.edge.kernel.org/pub/linux/kernel/projects/rt/
 # Also, remember to bump the global rt_version macro above ^
-Patch0:         patch-5.15.32-%{rt_version}.patch
+Patch0:         patch-%{version_upstream}-%{rt_version}.patch
 # Kernel CVEs are addressed by moving to a newer version of the stable kernel.
 # Since kernel CVEs are filed against the upstream kernel version and not the
 # stable kernel version, our automated tooling will still flag the CVE as not
@@ -132,7 +133,7 @@ This package contains the bpftool, which allows inspection and simple
 manipulation of eBPF programs and maps.
 
 %prep
-%setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version}
+%setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-%{version}
 %patch0 -p1
 
 %build
@@ -353,6 +354,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Tue Apr 19 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.34.1-1
+- Update source to 5.15.34.1
+
 * Tue Apr 19 2022 Max Brodeur-Urbas <maxbr@microsoft.com> - 5.15.32.1-3
 - Remove kernel lockdown config from grub envblock
 

SPECS/kernel/CVE-2021-4197.nopatch

@@ -0,0 +1,19 @@
+CVE-2021-4197 - Fix backported to 5.15.32:
+
+Upstream: 1756d7994ad85c2479af6ae5a9750b92324685af
+Stable:  c6ebc35298848accb5e50c37fdb2490cf4690c92
+
+Upstream: 0d2b5955b36250a9428c832664f2079cbf723bec
+Stable:  50273128d640e8d21a13aec5f4bbce4802f17d7d
+
+Upstream: e57457641613fef0d147ede8bd6a3047df588b95
+Stable:  43fa0b3639c5fd48c96b19d645d0c7ff2327651a
+
+Upstream: b09c2baa56347ae65795350dfcc633dedb1c2970
+Stable:  e326f218de1fcc0b59a5839671b5fe6d386c4583
+
+Upstream: 613e040e4dc285367bff0f8f75ea59839bc10947
+Stable:  47802775bc119658e59199d859ba31d62dc5e826
+
+Upstream: bf35a7879f1dfb0d050fe779168bcf25c7de66f5
+Stable:  4693fce5a5d461ed6cdcce12ec37bbf5cabab699

SPECS/kernel/CVE-2021-4202.nopatch

@@ -0,0 +1,10 @@
+CVE-2021-4202 - Already backported to 5.15.32:
+
+Upstream: 86cdf8e38792545161dbe3350a7eced558ba4d15
+Stable:  96a209038a99a379444ea3ef9ae823e685ba60e7
+
+Upstream: 48b71a9e66c2eab60564b1b1c85f4928ed04e406
+Stable:  ed35e950d8e5658db5b45526be2c4e3778746909
+
+Upstream: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102
+Stable: 8a9c61c3ef187d8891225f9b932390670a43a0d3

SPECS/kernel/CVE-2022-0330.nopatch

@@ -0,0 +1,4 @@
+CVE-2022-0330 - Already backported to 5.15.32:
+
+Upstream: 7938d61591d33394a21bdd7797a245b65428f44c
+Stable:  8a17a077e7e9ecce25c95dbdb27843d2d6c2f0f7

SPECS/kernel/CVE-2022-0433.nopatch

@@ -0,0 +1,8 @@
+CVE-2022-0433 - Vulnerable code not yet backported to 5.15.34
+
+Code introduced upstream by 9330986c03006ab1d33d243b7cfe598a7a3c1baa
+Upstream fix:  3ccdcee28415c4226de05438b4d89eb5514edf73
+
+It is assumed that either:
+    1) The maintainers will never backport the vulnerable code to 5.15
+    2) The maintainers will backport the code + the fix at the same time

SPECS/kernel/CVE-2022-0435.nopatch

@@ -0,0 +1,4 @@
+CVE-2022-0435 - Already backported to 5.15.32:
+
+Upstream: 9aa422ad326634b76309e8ff342c246800621216
+Stable:  1f1788616157b0222b0c2153828b475d95e374a7

SPECS/kernel/CVE-2022-0494.nopatch

@@ -0,0 +1,4 @@
+CVE-2022-0494 - Already backported to 5.15.32:
+
+Upstream: cc8f7fe1f5eab010191aa4570f27641876fa1267
+Stable:  a1ba98731518b811ff90009505c1aebf6e400bc2

SPECS/kernel/CVE-2022-0854.nopatch

@@ -0,0 +1,4 @@
+CVE-2022-0854 - Already backported to 5.15.32:
+
+Upstream: aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13
+Stable:  2c1f97af38be151527380796d31d3c9adb054bf9

SPECS/kernel/CVE-2022-27950.nopatch

@@ -0,0 +1,4 @@
+CVE-2022-27950 - Already backported to 5.15.32:
+
+Upstream: 817b8b9c5396d2b2d92311b46719aad5d3339dbe
+Stable:  de0d102d0c8c681fc9a3263d842fb35f7cf662f4

SPECS/kernel/CVE-2022-28356.nopatch

@@ -0,0 +1,4 @@
+CVE-2022-28356 - Already backported to 5.15.32:
+
+Upstream: 764f4eb6846f5475f1244767d24d25dd86528a4a 
+Stable:  e9072996108387ab19b497f5b557c93f98d96b0b

SPECS/kernel/CVE-2022-28388.nopatch

@@ -0,0 +1,4 @@
+CVE-2022-28388 - Already backported to 5.15.32:
+
+Upstream: 3d3925ff6433f98992685a9679613a2cc97f3ce2
+Stable:  f2ce5238904f539648aaf56c5ee49e5eaf44d8fc

SPECS/kernel/CVE-2022-28389.nopatch

@@ -0,0 +1,4 @@
+CVE-2022-28389 - Already backported to 5.15.34:
+
+Upstream: 04c9b00ba83594a29813d6b1fb8fdc93a3915174
+Stable:  37f07ad24866c6c1423b37b131c9a42414bcf8a1

SPECS/kernel/CVE-2022-28390.nopatch

@@ -0,0 +1,4 @@
+CVE-2022-28390 - Already backported to 5.15.34:
+
+Upstream: c70222752228a62135cee3409dccefd494a24646
+Stable:  459b19f42fd5e031e743dfa119f44aba0b62ff97

SPECS/kernel/CVE-2022-29156.nopatch

@@ -0,0 +1,3 @@
+CVE-2022-29156 - Fix already backported to 5.15.34:
+Upstream: 8700af2cc18c919b2a83e74e0479038fd113c15d
+Stable: bf2cfad0c6e4b0d1b34d26420fddaf18dc25e56d

SPECS/kernel/config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.32.1 Kernel Configuration
+# Linux/x86_64 5.15.34.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y

SPECS/kernel/config_aarch64

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.15.32.1 Kernel Configuration
+# Linux/arm64 5.15.34.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y

SPECS/kernel/kernel.signatures.json

@@ -1,9 +1,9 @@
 {
  "Signatures": {
   "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-  "config": "e2dc9935575e1390bbf9d51a3469cedb9a60392dd86349aa32171102a5126a84",
-  "config_aarch64": "3469ec34329a7894d0377307fddff2dfbdab5208744f2c411931799284f4183e",
-  "kernel-5.15.32.1.tar.gz": "8f87899c194ba5e17714a647b303c2e7104fb86ed32aae3c5d892f6edf708749",
+  "config": "fb7cbf9e24224a528682ee0aa680d807cd682d1e3380118636c8066537593097",
+  "config_aarch64": "d9cfb5f7bf53a90da348a690e514ee0b4abde0ced722c1cfae23a55a979254fe",
+  "kernel-5.15.34.1.tar.gz": "2b40ab4051ec59735f8d89092c8aff9f9c673e7296ecbb7f43a1cd99b2371910",
   "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f"
  }
 }

SPECS/kernel/kernel.spec

@@ -6,8 +6,8 @@
 %endif
 Summary:        Linux Kernel
 Name:           kernel
-Version:        5.15.32.1
-Release:        3%{?dist}
+Version:        5.15.34.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -18,55 +18,6 @@ Source1:        config
 Source2:        config_aarch64
 Source3:        sha512hmac-openssl.sh
 Source4:        cbl-mariner-ca-20211013.pem
-# Kernel CVEs are addressed by moving to a newer version of the stable kernel.
-# Since kernel CVEs are filed against the upstream kernel version and not the
-# stable kernel version, our automated tooling will still flag the CVE as not
-# fixed.
-# To indicate a kernel CVE is fixed to our automated tooling, add nopatch files
-# but do not apply them as a real patch. Each nopatch file should contain
-# information on why the CVE nopatch was applied.
-Patch1001:      CVE-2020-25672.nopatch
-Patch1002:      CVE-2018-16880.nopatch
-Patch1003:      CVE-2018-1000026.nopatch
-Patch1004:      CVE-2019-3016.nopatch
-Patch1005:      CVE-2019-3819.nopatch
-Patch1006:      CVE-2019-3887.nopatch
-Patch1007:      CVE-2010-0309.nopatch
-Patch1008:      CVE-2021-3564.nopatch
-Patch1009:      CVE-2021-45469.nopatch
-Patch1010:      CVE-2021-45480.nopatch
-Patch1011:      CVE-2021-45095.nopatch
-Patch1012:      CVE-2021-20194.nopatch
-Patch1013:      CVE-2022-24122.nopatch
-Patch1014:      CVE-2022-24448.nopatch
-Patch1015:      CVE-2022-0264.nopatch
-Patch1016:      CVE-2022-24959.nopatch
-Patch1017:      CVE-2021-44879.nopatch
-Patch1018:      CVE-2022-0185.nopatch
-Patch1019:      CVE-2022-0382.nopatch
-Patch1020:      CVE-2021-45402.nopatch
-Patch1021:      CVE-2022-25265.nopatch
-Patch1022:      CVE-2021-4090.nopatch
-Patch1023:      CVE-2022-25258.nopatch
-Patch1024:      CVE-2022-25375.nopatch
-Patch1025:      CVE-2022-0617.nopatch
-Patch1026:      CVE-2022-0847.nopatch
-Patch1027:      CVE-1999-0524.nopatch
-Patch1030:      CVE-2008-4609.nopatch
-Patch1031:      CVE-2010-0298.nopatch
-Patch1032:      CVE-2010-4563.nopatch
-Patch1033:      CVE-2011-0640.nopatch
-Patch1034:      CVE-2022-0492.nopatch
-Patch1035:      CVE-2021-3743.nopatch
-Patch1036:      CVE-2022-26966.nopatch
-Patch1037:      CVE-2022-0516.nopatch
-Patch1038:      CVE-2022-26878.nopatch
-Patch1039:      CVE-2022-27223.nopatch
-Patch1040:      CVE-2022-24958.nopatch
-Patch1041:      CVE-2022-0742.nopatch
-Patch1042:      CVE-2022-1011.nopatch
-Patch1043:      CVE-2022-26490.nopatch
-Patch1044:      CVE-2021-4002.nopatch
 BuildRequires:  audit-devel
 BuildRequires:  bash
 BuildRequires:  bc
@@ -171,7 +122,7 @@ This package contains the bpftool, which allows inspection and simple
 manipulation of eBPF programs and maps.
 
 %prep
-%setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version}
+%setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-%{version}
 
 %build
 make mrproper
@@ -415,6 +366,13 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Tue Apr 19 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.34.1-1
+- Update source to 5.15.34.1
+- Clean up nopatches in Patch list, no longer needed for CVE automation
+- Nopatch CVE-2022-28390, CVE-2022-28389, CVE-2022-28388, CVE-2022-28356, CVE-2022-0435,
+    CVE-2021-4202, CVE-2022-27950, CVE-2022-0433, CVE-2022-0494, CVE-2022-0330, CVE-2022-0854, 
+    CVE-2021-4197, CVE-2022-29156
+
 * Tue Apr 19 2022 Max Brodeur-Urbas <maxbr@microsoft.com> - 5.15.32.1-3
 - Remove kernel lockdown config from grub envblock
 

SPECS/usbip/extract_usbip.sh

@@ -1,10 +1,10 @@
 #!/bin/sh
 if [ "q$1" == "q" ]; then
-	echo "Usage: $0 <kernel version>"
+	echo "Usage: $0 <kernel tar path>"
 	exit 1
 fi
 echo "Extracting linux source"
-tar -xvf "$1".tar.gz
+tar -xvf $1
 if [ "$?" -ne "0" ]; then
 	echo "Error extracting kernel source"
 	exit 1
@@ -12,7 +12,7 @@ fi
 if [ -d "usbip-$1" ]; then
 	rm -rf "usbip-$1"
 fi
-mv "CBL-Mariner-Linux-Kernel-rolling-lts-mariner-${1}"/tools/usb/usbip "usbip-$1"
+mv "CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-${1}"/tools/usb/usbip "usbip-$1"
 echo "Creating usbip archive"
 tar -cJvf "usbip-$1".tar.xz "usbip-$1"
 rm -rf "linux-$1"

SPECS/usbip/usbip.signatures.json

@@ -1,8 +1,8 @@
 {
  "Signatures": {
-  "usbip-5.15.32.1.tar.xz": "0965adc9a16c1579eaec920d5ffe8af244b23ffd36a2333b65b202bdd8c79ac0",
+  "usbip-5.15.34.1.tar.xz": "7e55ef3d527a08c4ae5fbe4e9115db180da94de1957f5dfa20b3b152a77e5bf5",
   "usbip-server.service": "68a727d13e270564b5e2c97cad5ccdb97086c4d1065b6ef70205b54769260b0f",
   "usbip-client.service": "7b83311e550793014a897b43fe7b4e5339f114924b3d5f52cceb58787fc65008",
-  "extract_usbip.sh": "08c63ca9002df5e5e9f068719cc8b2e8e3b2c5abd077fab94521bf4117aaaa77"
+  "extract_usbip.sh": "e19faf9d95444cc0b0757e3ad063e534478f9c28a6fb5b2beb17ca89b9461ad4"
  }
 }

SPECS/usbip/usbip.spec

@@ -2,13 +2,13 @@
 
 Name:		   usbip
 Summary:	   USB/IP user-space
-Version:	   5.15.32.1
+Version:	   5.15.34.1
 Release:	   1%{?dist}
 License:	   GPLv2+
 Vendor:            Microsoft Corporation
 Distribution:      Mariner
 Group:             System/Kernel
-#Source:	   https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/%{version}.tar.gz
+#Source:	   https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/%{version}.tar.gz
 # In the interests of keeping the source rpm from being ridiculously large,
 # download the Linux kernel from above and run `extract_usbip.sh <version>`
 # in the SOURCE directory.
@@ -91,6 +91,9 @@ install -pm 644 %{SOURCE2} %{buildroot}%{_unitdir}
 %{_libdir}/*.so
 
 %changelog
+* Wed Apr 20 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.34.1-1
+- Update version to 5.15.34.1
+
 * Wed Apr 13 2022 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 5.15.32.1-1
 - Update version to 5.15.32.1
 

cgmanifest.json

@@ -5630,8 +5630,8 @@
         "type": "other",
         "other": {
           "name": "hyperv-daemons",
-          "version": "5.15.32.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.32.1.tar.gz"
+          "version": "5.15.34.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.34.1.tar.gz"
         }
       }
     },
@@ -6991,8 +6991,8 @@
         "type": "other",
         "other": {
           "name": "kernel",
-          "version": "5.15.32.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.32.1.tar.gz"
+          "version": "5.15.34.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.34.1.tar.gz"
         }
       }
     },
@@ -7001,8 +7001,8 @@
         "type": "other",
         "other": {
           "name": "kernel-headers",
-          "version": "5.15.32.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.32.1.tar.gz"
+          "version": "5.15.34.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.34.1.tar.gz"
         }
       }
     },
@@ -7011,8 +7011,8 @@
         "type": "other",
         "other": {
           "name": "kernel-rt",
-          "version": "5.15.32.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.32.1.tar.gz"
+          "version": "5.15.34.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.34.1.tar.gz"
         }
       }
     },

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -1,5 +1,5 @@
 filesystem-1.1-8.cm2.aarch64.rpm
-kernel-headers-5.15.32.1-3.cm2.noarch.rpm
+kernel-headers-5.15.34.1-1.cm2.noarch.rpm
 glibc-2.35-1.cm2.aarch64.rpm
 glibc-devel-2.35-1.cm2.aarch64.rpm
 glibc-i18n-2.35-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -1,5 +1,5 @@
 filesystem-1.1-8.cm2.x86_64.rpm
-kernel-headers-5.15.32.1-3.cm2.noarch.rpm
+kernel-headers-5.15.34.1-1.cm2.noarch.rpm
 glibc-2.35-1.cm2.x86_64.rpm
 glibc-devel-2.35-1.cm2.x86_64.rpm
 glibc-i18n-2.35-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -136,7 +136,7 @@ intltool-0.51.0-7.cm2.noarch.rpm
 itstool-2.0.6-4.cm2.noarch.rpm
 kbd-2.2.0-1.cm2.aarch64.rpm
 kbd-debuginfo-2.2.0-1.cm2.aarch64.rpm
-kernel-headers-5.15.32.1-3.cm2.noarch.rpm
+kernel-headers-5.15.34.1-1.cm2.noarch.rpm
 kmod-29-1.cm2.aarch64.rpm
 kmod-debuginfo-29-1.cm2.aarch64.rpm
 kmod-devel-29-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -136,7 +136,7 @@ intltool-0.51.0-7.cm2.noarch.rpm
 itstool-2.0.6-4.cm2.noarch.rpm
 kbd-2.2.0-1.cm2.x86_64.rpm
 kbd-debuginfo-2.2.0-1.cm2.x86_64.rpm
-kernel-headers-5.15.32.1-3.cm2.noarch.rpm
+kernel-headers-5.15.34.1-1.cm2.noarch.rpm
 kmod-29-1.cm2.x86_64.rpm
 kmod-debuginfo-29-1.cm2.x86_64.rpm
 kmod-devel-29-1.cm2.x86_64.rpm

toolkit/scripts/toolchain/container/Dockerfile

@@ -57,7 +57,7 @@ COPY [ "./toolchain-sha256sums", \
 WORKDIR $LFS/sources
 RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-local-wget-list --directory-prefix=$LFS/sources; exit 0
 RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0
-RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.32.1.tar.gz -O kernel-5.15.32.1.tar.gz --directory-prefix=$LFS/sources; exit 0
+RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.34.1.tar.gz -O kernel-5.15.34.1.tar.gz --directory-prefix=$LFS/sources; exit 0
 USER root
 RUN sha256sum -c $LFS/tools/toolchain-sha256sums && \
     groupadd lfs && \

toolkit/scripts/toolchain/container/toolchain-sha256sums

@@ -26,7 +26,7 @@ fd4829912cddd12f84181c3451cc752be224643e87fac497b69edddadc49b4f2  gmp-6.2.1.tar.
 5c10da312460aec721984d5d83246d24520ec438dd48d7ab5a05dbc0d6d6823c  grep-3.7.tar.xz
 3a48a9d6c97750bfbd535feeb5be0111db6406ddb7bb79fc680809cda6d828a5  groff-1.22.3.tar.gz
 9b9a95d68fdcb936849a4d6fada8bf8686cddf58b9b26c9c4289ed0c92a77907  gzip-1.11.tar.xz
-8f87899c194ba5e17714a647b303c2e7104fb86ed32aae3c5d892f6edf708749  kernel-5.15.32.1.tar.gz
+2b40ab4051ec59735f8d89092c8aff9f9c673e7296ecbb7f43a1cd99b2371910  kernel-5.15.34.1.tar.gz
 a36613695ffa2905fdedc997b6df04a3006ccfd71d747a339b78aa8412c3d852  libarchive-3.6.0.tar.gz
 06a92076ce39a78bd28089e32085f1bde7f3bfa448fad37d895c2358f760b2eb  libcap-2.60.tar.xz
 0d72e12e4f2afff67fd7b9df0a24d7ba42b5a7c9211ac5b3dcccc5cd8b286f2b  libpipeline-1.5.0.tar.gz

toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh

@@ -67,14 +67,14 @@ set -e
 #
 cd /sources
 
-echo Linux-5.15.32.1 API Headers
-tar xf kernel-5.15.32.1.tar.gz
-pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.32.1
+echo Linux-5.15.34.1 API Headers
+tar xf kernel-5.15.34.1.tar.gz
+pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-5.15.34.1
 make mrproper
 make headers
 cp -rv usr/include/* /usr/include
 popd
-rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.32.1
+rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-5.15.34.1
 touch /logs/status_kernel_headers_complete
 
 echo 6.8. Man-pages-5.02

toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh

@@ -114,14 +114,14 @@ rm -rf gcc-11.2.0
 
 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete
 
-echo Linux-5.15.32.1 API Headers
-tar xf kernel-5.15.32.1.tar.gz
-pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.32.1
+echo Linux-5.15.34.1 API Headers
+tar xf kernel-5.15.34.1.tar.gz
+pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-5.15.34.1
 make mrproper
 make headers
 cp -rv usr/include/* /tools/include
 popd
-rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.32.1
+rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-5.15.34.1
 
 touch $LFS/logs/temptoolchain/status_kernel_headers_complete
 

toolkit/scripts/update_kernel.sh

@@ -0,0 +1,284 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+set -x
+set -e
+
+# $1 = TARGET_SPEC
+function copy_local_tarball {
+    DESTINATION_FOLDER=$(dirname $1)
+    cp $DOWNLOAD_FILE_PATH $DESTINATION_FOLDER
+}
+
+# $1 = spec name
+function remove_local_tarball {
+    rm $WORKSPACE/SPECS/$1/$TARBALL_NAME
+}
+
+function clean {
+    rm -rf $TMPDIR
+    for spec in $SPECS
+    do
+        remove_local_tarball $spec
+    done
+}
+
+function download {
+    mkdir -p $TMPDIR
+    pushd $TMPDIR
+    echo Downloading $FULL_URL
+    wget $FULL_URL -O $TARBALL_NAME
+    # if [ $? -gt 0 ]; then
+    #     echo "$FULL_URL failed to be reached. Does the version exist on CBL-Mariner-Linux-Kernel?"
+    #     return 1
+    #     exit 1
+    # fi
+    popd
+    return 0
+}
+
+# $1 = path to spec
+# $2 = changelog entry text
+function create_new_changelog_entry {
+    CHANGELOG_LINE=$(grep -n %changelog $1 | tail -1 | cut -f1 -d:)
+    NEW_CHANGELOG_LINE=$((CHANGELOG_LINE+1))
+    NEW_CHANGELOG_DATE=$(date +"%a %b %d %Y")
+    NEW_CHANGELOG_HEADER="* $NEW_CHANGELOG_DATE $USER_NAME <$USER_EMAIL> - $VERSION-1"
+    NEW_CHANGELOG_ENTRY="- Update source to $VERSION"
+    FULL_CHANGELOG_ENTRY="$NEW_CHANGELOG_HEADER\n$NEW_CHANGELOG_ENTRY\n"
+    sed -i "${NEW_CHANGELOG_LINE}i${FULL_CHANGELOG_ENTRY}" $1
+}
+
+# $1 = TARGET_SPEC
+function update_spec {
+    sed -i "s/Version:.*/Version:        $VERSION/" $1
+    sed -i "s/Release:.*/$NEW_RELEASE_NUMBER/" $1
+    create_new_changelog_entry $1
+}
+
+function find_old_version {
+    FILE=$WORKSPACE/SPECS/kernel/kernel.spec
+    LINE=$(grep "Version:" $FILE)
+    OLD_VERSION=${LINE:16}
+}
+
+function update_configs {
+    CONFIG_FILE="kernel/config kernel/config_aarch64 kernel-rt/config"
+    for configfile in $CONFIG_FILE
+    do
+        FILE=$WORKSPACE/SPECS/$configfile
+        BASE=${FILE%/*}
+        SPEC=${configfile%/*}
+        SIGNATURE_FILE="$BASE/$SPEC.signatures.json"
+        PATTERN="$OLD_VERSION Kernel Configuration"
+        REPLACE="$VERSION Kernel Configuration"
+        sed -i "s#$PATTERN#$REPLACE#" $FILE
+        SHA256="$(sha256sum $FILE | awk '{print $1;}')"
+        #CONFIG_ONLY=$($FILE | cut -d'/' -f2-)
+        CONFIG_ONLY=${FILE##*/}
+        FULL_SIGNATURE_ENTRY="  \"$CONFIG_ONLY\": \"$SHA256\""
+        FILE_PATTERN=$CONFIG_ONLY
+        sed -i "s/  \"$FILE_PATTERN\": \".*\"/$FULL_SIGNATURE_ENTRY/" $SIGNATURE_FILE
+    done
+}
+
+# $1 = TARGET_SIGNATUREJSON
+function update_signature {
+    SPEC_DIR=$(dirname $1)
+    SHA256="$(sha256sum $SPEC_DIR/$TARBALL_NAME | awk '{print $1;}')"
+    FULL_SIGNATURE_ENTRY="  \"$TARBALL_NAME\": \"$SHA256\""
+    sed -i "s/  \"$FILE_SIGNATURE_PATTERN.*\": \".*\"/$FULL_SIGNATURE_ENTRY/" $1
+}
+
+function update_toolchain_md5sum {
+    MD5SUM_FILE=$WORKSPACE/toolkit/scripts/toolchain/container/toolchain-md5sums
+    MD5="$(md5sum $DOWNLOAD_FILE_PATH | awk '{print $1;}')"
+    FULL_MD5SUM_ENTRY="$MD5  $TARBALL_NAME"
+    sed -i "s/.*$FILE_SIGNATURE_PATTERN.*/$FULL_MD5SUM_ENTRY/" $MD5SUM_FILE
+}
+
+function update_toolchain_sha256sum {
+    SHA256SUM_FILE=$WORKSPACE/toolkit/scripts/toolchain/container/toolchain-sha256sums
+    SHA256="$(sha256sum $DOWNLOAD_FILE_PATH | awk '{print $1;}')"
+    FULL_SHA256SUM_ENTRY="$SHA256  $TARBALL_NAME"
+    sed -i "s/.*$FILE_SIGNATURE_PATTERN.*/$FULL_SHA256SUM_ENTRY/" $SHA256SUM_FILE
+}
+
+function update_toolchain_scripts {
+    TOOLCHAIN_FOLDER=$WORKSPACE/toolkit/scripts/toolchain/
+    TOOLCHAIN_SCRIPTS="toolchain_build_in_chroot.sh toolchain_build_temp_tools.sh"
+    for script in $TOOLCHAIN_SCRIPTS
+    do
+        file=$TOOLCHAIN_FOLDER/container/$script
+        PATTERN="echo Linux-.* API Headers"
+        REPLACE="echo Linux-$VERSION API Headers"
+        sed -i "s/$PATTERN/$REPLACE/" $file
+        PATTERN="tar xf $FILE_SIGNATURE_PATTERN.*.tar.gz"
+        REPLACE="tar xf $TARBALL_NAME"
+        sed -i "s/$PATTERN/$REPLACE/" $file
+        PATTERN="CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-.*"
+        REPLACE="CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-$VERSION"
+        sed -i "s/$PATTERN/$REPLACE/" $file
+    done
+}
+
+function update_toolchain_wget_url {
+    FILE=$WORKSPACE/toolkit/scripts/toolchain/container/toolchain-remote-wget-list
+    PATTERN="$DEFAULT_URL.*"
+    REPLACE="$FULL_URL"
+    sed -i "s#$PATTERN#$REPLACE#" $FILE
+}
+
+function update_toolchain_dockerfile {
+    FILE=$WORKSPACE/toolkit/scripts/toolchain/container/Dockerfile
+    PATTERN="$DEFAULT_URL.* -O"
+    REPLACE="$FULL_URL -O"
+    sed -i "s#$PATTERN#$REPLACE#" $FILE
+    PATTERN="kernel-.*.tar.gz"
+    REPLACE="$TARBALL_NAME"
+    sed -i "s#$PATTERN#$REPLACE#" $FILE
+}
+
+function update_toolchain_pkglist {
+    PKGLIST_FOLDER=$WORKSPACE/toolkit/resources/manifests/package/
+    PKGLIST="pkggen_core_aarch64.txt pkggen_core_x86_64.txt toolchain_aarch64.txt toolchain_x86_64.txt"
+    for pkg in $PKGLIST
+    do
+        file=$PKGLIST_FOLDER/$pkg
+        PATTERN="kernel-headers-.*"
+        REPLACE="kernel-headers-$VERSION-1.cm2.noarch.rpm"
+        sed -i "s/$PATTERN/$REPLACE/" $file
+    done
+}
+
+function update_toolchain {
+    #update_toolchain_md5sum
+    update_toolchain_sha256sum
+    update_toolchain_scripts
+    update_toolchain_pkglist
+    update_toolchain_dockerfile
+}
+
+function replace_cgversion {
+    for spec in $SPECS
+    do
+        PATTERN="\"name\": \"$spec\","
+        REPLACE="\ \ \ \ \ \ \ \ \ \ \"version\": \"$VERSION\","
+        sed -i "/$PATTERN/!b;n;c$REPLACE" $1
+    done
+}
+
+function update_cgmanifest {
+    CGMANIFEST_FILE=$WORKSPACE/cgmanifest.json
+    # Replace URL
+    PATTERN="$DEFAULT_URL.*"
+    REPLACE="$FULL_URL\""
+    sed -i "s#$PATTERN#$REPLACE#" $CGMANIFEST_FILE
+    # Replace version
+    replace_cgversion $CGMANIFEST_FILE
+}
+
+function print_metadata {
+    MD5="$(md5sum $DOWNLOAD_FILE_PATH | awk '{print $1;}')"
+    SHA256="$(sha256sum $DOWNLOAD_FILE_PATH | awk '{print $1;}')"
+    echo md5sum = $MD5
+    echo sha256 = $SHA256
+}
+
+
+function usage() { 
+    echo "Update sources for kernel" 
+    echo "v : Version you are updating to (ex. 5.10.37.1)" 
+    echo "u : Your name"
+    echo "e : Your email"
+    echo "w : Absoulte path to your workspace for your update - no quotes\n"
+
+    echo "example usage: ./toolkit/update_kernel.sh -v 5.15.34.1 -u 'Cameron Baird' -e 'cameronbaird@microsoft.com' -w \$(pwd)"
+
+    exit 1 
+}
+
+
+##### MAIN #####
+
+#TODO
+# error checking : bad tag on cbl-mariner-linux-kernel,
+# trigger build or config checker?
+# replace old version
+# handle kernel-rt patch automatically
+
+# Take arguments
+#WORKSPACE=~/repos/CBL-Mariner-Kernel
+while getopts "v:u:e:w:" OPTIONS; do
+  case "${OPTIONS}" in
+    v ) VERSION=$OPTARG ;;
+    u ) USER_NAME=$OPTARG ;;
+    e ) USER_EMAIL=$OPTARG ;;
+    w ) WORKSPACE=$OPTARG ;;
+    * ) usage 
+        ;;
+  esac
+done
+
+if [[ -z $VERSION ]]; then
+    echo "Missing -v"
+    usage
+fi
+if [[ -z $USER_NAME ]]; then
+    echo "Missing -u"
+    usage
+fi
+if [[ -z $USER_EMAIL ]]; then
+    echo "Missing -e"
+    usage
+fi
+if [[ -z $WORKSPACE ]]; then
+    echo "Missing -w"
+    usage
+fi
+
+# Create globals
+TAG="rolling-lts/mariner/$VERSION"
+TMPDIR="tmp-dir"
+SPECS="kernel-headers kernel kernel-rt hyperv-daemons"
+DEFAULT_URL="https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/"
+DEFAULT_EXTENSION=".tar.gz"
+FULL_URL=$DEFAULT_URL$TAG$DEFAULT_EXTENSION
+TARBALL_NAME="kernel-$VERSION$DEFAULT_EXTENSION"
+DOWNLOAD_FILE_PATH=$TMPDIR/$TARBALL_NAME
+SPECS="kernel-headers kernel kernel-rt hyperv-daemons"
+SIGNED_SPECS="kernel-signed"
+NEW_RELEASE_NUMBER="Release:        1%{?dist}"
+CHANGELOG_ENTRY="Update source to $NEW_KERNEL_VERSION"
+FILE_SIGNATURE_PATTERN="kernel-"
+
+# Go through needed specs
+find_old_version
+download
+if [ $? -gt 0 ]; then
+    return
+fi
+
+for spec in $SPECS
+do
+    TARGET_SPEC=$WORKSPACE/SPECS/$spec/$spec.spec
+    TARGET_SIGNATUREJSON=$WORKSPACE/SPECS/$spec/$spec.signatures.json
+    copy_local_tarball $TARGET_SPEC
+    update_spec $TARGET_SPEC
+    update_signature $TARGET_SIGNATUREJSON
+done
+for spec in $SIGNED_SPECS
+do
+    TARGET_SPEC=$WORKSPACE/SPECS-SIGNED/$spec/$spec.spec
+    update_spec $TARGET_SPEC
+done
+update_configs
+
+# Update toolchain related files
+update_toolchain
+update_cgmanifest
+print_metadata
+#clean
+
+echo "WARNING: update is not complete; this script does not update the rt patch in kernel-rt.spec, you must do this manually!"