This commit simplifies package and UVM build by using
recipes established in our sources. These recipes also
make shipping separate UVM build scripts obsolete. The
UVMs can from now on be built standalone using the
kata-containers-(cc-)tools subpackages.
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
Since we upgraded wget for 3.0 with change #7672, upstream Fedora has added several patches that would be useful to us. These include patches that disable OCSP and TCP Fast Open by default (you can still set them on the command line). A combination of these two things causes some issues on certain URLs when downloading from a local Hyper-V VM, and generally we'd rather have them disabled by default.
This change takes all the patches that Fedora currently applies to wget.
CONFIG_SCSI_MPT2SAS and CONFIG_SCSI_MPT3SAS both point to the same driver for PCI-Express SAS 12Gb/s Host Adapters. Make loadable instead of built-in by default, as not all use cases need these. We initially made these built-in with the initial distribution of CBL-Mariner and not by specific request.
CONFIG_PATA_LEGACY supports PATA (Parallel ATA), the older parallel-connected bus (those using ribbon cables). Make loadable instead of built-in by default.
Enable CONFIG_PARAVIRT_SPINLOCK. Performance improvement. Changes the spinlock mechanism for virtualized environments to "something virtualization-friendly". This is the recommended upstream default.
Enable CONFIG_X86_KERNEL_IBT. A security feature to protect against indirect branch tracking. The kernel IBT defense strongly mitigates the common "first step" of ROP attacks, by eliminating arbitrary stack pivots. It is now a recommended default. Should not impact hardware which does not support it.
Enable CONFIG_X86_CET. Selected by CONFIG_X86_KERNEL_IBT.
Enable USB HID support for AMD. This feature allows devices to use the HIDDEV API. "The two big examples for this are power devices (especially uninterruptible power supplies) and monitor control on higher end monitors."
Enable the module ch341. This is being added as an optional loadable module to support using a Winchiphead CH341 single port USB to serial adapter.
The FAT filesystem is a tad confusing. Technically, FAT12, FAT16, and FAT32 refer to a FAT filesystem with 12-, 16-, and 32-bit addressing respectively. However, you can't just use FAT32 for everything since each variant has different min and max partition sizes. So, instead you have to dynamically select the correct one based on the partition size. However, a lot of partitioning tools (including Windows) hide this complexity and just use 'fat32' to mean either FAT12, FAT16, or FAT32.
There is also VFAT which refers to any FAT filesystem variants where long filename support is enabled. Nowadays it is pretty much always enabled. So, it isn't unusual for tools (including the Linux kernel) to use 'vfat' as a generic term to refer to any of the FAT filesystem variants.
The image customizer tool currently supports 'fat32' to mean dynamically selecting between FAT12, FAT16, or FAT32. This change adds 'vfat' to mean the same thing.
Allow the partition start to be inferred from the previous partition's end. Also, allow the disk's maxSize to be inferred from the size/end of the last partition.
In addition, since the partition start can now be omitted, require the partitions to be specified in order. Fortunately, most users do this anyway.
Add functional tests for the kernel modules API. There is already good test coverage for this feature from unit tests. So, the functional tests don't need to be that extensive.
Provide instructions for cloning an RPM repo (e.g. PMC) and then using the clone with the image customizer tool. This is primarily intended for those who want reproducible builds.
CVE-2024-3651 affects idna versions before 3.7. Therefore,
update the vendored version of idna in pip to 3.7.
This patch is a combination of 2 upstream commits:
[d83c9e3] Upgrade idna to 3.6
[cba5b13] Upgrade idna to 3.7
Additionally, python3-wheel and python3-pip are both in the
toolchain so address "TODO" and add python3-wheel as a
BR to fix non-toolchain builds.
Note that python-pip has new versions (such as 24.2) but the
setup.py script was removed. They removed setup.py here: pypa/pip@0ad4c94
Therefore, patch CVE directly to avoid changing the build section
implementation.
This change disables building the DBM backend in the NSS library.
For the NSS library and tools, a replacement SQLite database backend has been available since v3.12. The DBM backend has been deprecated since v3.35. Also, the DBM backend code is scheduled for deletion in a future release. As such, any found CVEs (e.g. CVE-2017-11695) are being WONTFIXed by upstream.