Commit graph

206 Commits

Author SHA1 Message Date
Henry Li 3c60151ba7
Add cpupower and turbostat to kernel-tools (#3409)
* add cpupower and turbostat to kernel-tools

* update manifest versioning

Co-authored-by: Henry Li <lihl@microsoft.com>
2022-07-21 17:05:03 -07:00
Henry Li 27f25906a2
resolve grub2 CVE (#3393)
Co-authored-by: Henry Li <lihl@microsoft.com>
2022-07-21 16:00:26 -07:00
Henry Li 8e5f41a845
Add second grub efi binary without specifying the prefix directory (#3361)
* staging for now

* update grub2

* add grub pxe binary

* fix mistake in spec

* revert unnecessary changes

* add subpackage and update binary name

* update changes

* Update SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec

Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>

Co-authored-by: Henry Li <lihl@microsoft.com>
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
2022-07-21 10:44:51 -07:00
eiffel-fl 93253b9c50
kernel config: Add configs needed by eBPF tracers. (#3210)
FTRACE_SYSCALLS was removed in a previous commit.
Sadly, this option is needed by eBPF CO-RE tools which use syscall tracepoints
(sys_enter_* and sys_exec_*).
Without this option, tools like iovisor/bcc/libbpf-tools/execsnoop cannot work
on CBL Mariner.

Also, some standard eBPF tools need kernel headers to be available, hence
IKHEADERS was set as a module.
Without this option, tools like iovisor/bcc/tools/biolatency.py cannot work.

Fixes: 344c087e52 ("kernel configs to bring down boot time for initrd")
Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
2022-07-13 10:56:00 -07:00
Neha Agarwal 94e2c8b8ed
kernel: enable virtio config, add vmlinuz symlink, enable verbose log (#3264)
* add virtio_fs config, remove quiet

* Add other files
2022-06-29 09:46:36 -07:00
Max Brodeur-Urbas 9b57ac6aec
Enabling Vgem driver in kernel (#3227) 2022-06-24 09:11:15 -07:00
Neha Agarwal 238dcba07f
Update kernel to v5.15.48.1 (#3188)
* Update kernel to v5.15.48.1

* Update source signature

* Fix config according to build

* Incorporate comments
2022-06-20 10:05:41 -07:00
Pawel Winogrodzki c982e3b29d
Adding `kpatch` package and updating `kernel.spec` and `kernel-rt.spec`. (#3171) 2022-06-15 13:53:56 -07:00
Cameron E Baird 0423c89595
[main] Update kernel to 5.15.45.1; kernel-rt to 5.15.44.1 (#3144)
* Update kernel to 5.15.45.1; kernel-rt to 5.15.44.1

* update kernel-rt cgmanifest entry

* update kernel configs

* address kernel config changes

* track nopatch; update Source0 in kernel-rt to reflect mariner-2 naming convention for tags
2022-06-15 12:02:53 -07:00
Max Brodeur-Urbas 8e53ebb480
kernel: silencing ptp_kvm failure error (#3122) 2022-06-07 11:05:17 -07:00
Pawel Winogrodzki 413fc8f5f8
Enabling the `LIVEPATCH` option in the kernel config. (#3107) 2022-06-03 17:53:09 -07:00
Minghe Ren 54f8e95cf6
kernel: Remove Smack LSM support from kernel (#3080)
* disable smack kernel config

Co-authored-by: minghe <mingheren@microsoft.com>
2022-06-03 17:20:57 -07:00
Cameron E Baird eb9bb8360b
Update kernel source to 5.15.41.1 to address CVE-2022-28893, CVE-2022-29581 (#3063)
* Nopatch CVE-2020-35501

* Kernel update script --> 5.15.41.1

* correct hashes

* correct kernel-rt signature; don't auto update kernel-rt (we need to check for a patch-version)

* re-fix sig

* Address more cves

* fix kernel-rt cgmanifest entry

* fix dockerfile and update_kernel script tag

* remove tag errors in cgman

* use nifty new cve tool to generate more accurate nopatch
2022-05-26 11:42:59 -07:00
Neha Agarwal 344c087e52
kernel configs to bring down boot time for initrd (#3048)
* change config for boot time

* Remove ring_buffer_allow_swap

* Update release in headers/signed
2022-05-24 11:43:10 -07:00
Neha Agarwal 4984e40369
Change kernel aarch64 config, marketplace image console (#3007)
* fix console, cdrom, mouse, kexec aarch64 config

* Bump up release number

* Fix aarch64 config according to build

* Bump up release in kernel-header

* Update release in kernel-signed, add kernel option for initcall_blacklist

* Add config for crash-on-demand

* Fix order in pkggen_core
2022-05-20 13:58:09 -07:00
Neha Agarwal d44a400958
[main] Update kernel to v5.15.37, fix CVE, enable IFB config (#2996)
* Update kernel to v5.15.37.1, enable IFB module

* Fix kernel source signature

* Add CVE nopatches

* Update signature in toolchain

* Fix config as suggested by build

* Update config_aarch64 to match build

* Fix typo in config-aarch64

* Add changelog for config

* Incorporate comments
2022-05-13 15:35:30 -07:00
Cameron E Baird d97c660004
[main] Update kernel to v5.15.34.1 to address several CVEs (#2789)
* update kernel to 5.15.34.1, clean up nopatches in kernel.spec, address CVEs

* bump kernel-rt config version

* add missed kernel-rt patch

* fix naming convention for kernel source tar to match that used in LSG

* fix toolchain container kernel source link

* correct toolchain kernel source hash

* fix signatures to be correct version of kernel source

* switch to cm2

* fix config hash kernel-rt

* fix usbip

* stop packaging tar creation script in usbip; add update_kernel.sh

* fix usbip again

* nopatch CVE-2022-29156

* clean up update_kernel.sh
2022-04-26 11:17:34 -07:00
Max Brodeur-Urbas 89577230f9
kernel: Removing lockdown cfg from grub envblock (#2793)
* kernel: Removing lockdown cfg from grub envblock

* kernel: updating release number on kernel-signed and kernel-headers
2022-04-22 16:02:12 -07:00
Andrew Phelps 2c27859664
Fix kernel debug build hang (#2720)
* fix kernel debug symbol issue

* update kernel-headers

* update hyperv-daemons and kernel-rt

* fix typo in specs

* remove xerces-c-devel BR from kernel

* exclude debug folder from main kernel package. fix bogus date in changelog

* remove aarch64 exclude workaround. use /usr/lib/debug
2022-04-15 18:03:25 -07:00
Neha Agarwal a8b995a2a6
[main] Update kernel to v5.15.32.1 (#2699)
* kernel: Update to v5.15.32.1

* Add files

* Add kernel-rt update, mana config

* Fix date in changelog
2022-04-11 12:16:54 -07:00
Henry Li b2bf426721
[main] Add kernel support for Dell devices (#2671)
* update kernel to support Dell devices

* update signature

Co-authored-by: Henry Li <lihl@microsoft.com>
2022-04-08 16:08:13 -07:00
rlmenge 9564d3c2c5
[main] kernel: Remove hardcoded cert from kernel config (#2608)
* Remove hardcoded cert from kernel config
2022-03-30 09:24:59 -07:00
Vince Perri 4f44807a20
[main] Add compressed firmware support (#2201)
* Add compressed firmware support

* Update *.signatures.json

* unset CONFIG_FW_LOADER_USER_HELPER_FALLBACK

* Fix version in kernel-headers changelog
2022-03-23 14:20:14 -07:00
Cameron E Baird 23062f91d9
[main] [kernel] [CVEs] Update kernel to v5.15.26.1; Address CVEs (#2436)
* Initial update pass

* blindly accept config changes

* bump to 15.26

* Address CVEs with nopatches

* fix kernel-headers manifests to be cm2

* correct configs

* rebase onto main

* update rt patch

* don't touch config_dxgkrnl

* fix kernel-rt spec

* fix naming mismatch in kernel-rt patch

* address CVE-2022-0847
2022-03-11 12:38:44 -08:00
George Mileka 763575c572
[main] Enable NO_IOMMU kernel flag. (#2385)
* [main] Enable NO_IOMMU kernel flag.

In order to support high data throughput for network connections, user-mode
drivers require direct access to the underlying devices. Such access can be
managed/protected by the IOMMU controller if it is present in the hardware.

For VMs, we may not have IOMMU exposed by the hypervisor. So we must provide
a way for the VFIO module to say that there is no IOMMU but still use VFIO
to keep the software stack the same.

The Mariner kernel today is compiled such that IOMMU is always required for
such user-mode drivers to work. This is a problem for virtual machines where
such requirement cannot be met.

This fix changes the kernel NO_IOMMU compile option such that it is possible
for the root user to choose whether to require IOMMU or not based on their
needs without recompiling the kernel.

The default is that IOMMU is required.

The root user must explicitly disable the IOMMU requirement with the following
command:
/sbin/modprobe vfio enable_unsafe_noiommu_mode=Y

* Enable NO_IOMMU: update version of kernel related spec files.

* Enable NO_IOMMU: update toolkit references.

* Enable NO_IOMMU: update pkggen references.

* Update kernel signature file after merge with main.
2022-03-07 17:33:07 -08:00
Cameron E Baird 0a9b7b6a72
[main] CONFIG_BPF_UNPRIV_DEFAULT_OFF=y (#2352)
* CONFIG_BPF_UNPRIV_DEFAULT_OFF=y

* kernel-rt parity

* release num

* rebase

* correct signatures after rebase
2022-03-04 14:11:21 -08:00
Henry Li 02a3af922d
[main] Re-enable tboot in Mariner and Upgrade tboot to v1.10.2 (#2357)
* save changes to kernel and tboot

* save change

* update kernel signature files

* fix manifests

* fix grub2-efi-binary-signed

* update changelog

* fix licensing

Co-authored-by: Henry Li <lihl@microsoft.com>
2022-03-03 15:24:44 -08:00
chalamalasetty bdd54e5acd
Add usbip kernel configs and user space modules (#2341) 2022-02-25 12:14:46 -08:00
Andrew Phelps 8c6486dbe1
Use _topdir variable in gen-ld-script.sh (#2249)
* use _topdir

* update spec

* use _topdir in other specs

* linting
2022-02-17 17:00:02 -08:00
Cameron E Baird b82585af98
[main] Update kernel to 5.15.18.1; Address several kernel CVES (#2104)
* Address CVES CVE-2010-0309 CVE-2018-1000026 CVE-2018-16880 CVE-2019-3016 CVE-2019-3819 CVE-2019-3887 CVE-2020-25672 CVE-2021-3564 CVE-2021-45095 CVE-2021-45469 CVE-2021-45480

* bump release

* correct nopatch justification

* swap patches to nopatches

* update kernel to 5.15.18.1

* update rt config version

* kernel-rt sig

* handle manifest divergence

* cm1 --> cm2

* remove redundant patch (upstreamed between 15.2 and 15.18)

* condense changelog entries

* finish removing 0002-add-linux-syscall...patch

* finish removing 0002-add-linux...patch

* fix config diff

* combine changelog entries
2022-02-14 09:34:50 -08:00
Christopher Co 977e74007a
grub2: Update to 2.06 and include tftp support (#2174)
* grub2: Update to 2.06 release

* grub2: Add efinet and tftp modules to grub efi binary

Signed-off-by: Chris Co <chrco@microsoft.com>
2022-02-10 11:48:26 -08:00
Christopher Co 8d6824e872
[main] shim: update shim bootloader (#2173)
* [1.0] shim: update shim bootloader (#2157)

* shim: update key used

Our current keys have a 1 year expiration time, and they will expire
shortly. Update the key to one that will expire in 10/13/22. Ultimately
we plan to move to a longer lived CA cert once that is made available.

* shim: Add critical patches

* shim: Update to new signed shim bootloader binary

New shim bootloader contains the renewed Mariner Secure Boot Production
key embedded inside. And this shim binary itself is signed with the MS
UEFI CA.

* grub: bump release number to force re-signing

In order to not regress current users of the grub2-2.06~rc1-7 package,
bump release number which will cause the newer grubx64.efi inside the
grub2-efi-binary-2.06~rc1-8 package to be signed with the updated secure
boot key that matches with the one embedded in the 15.4-2 shim binary.

* License verified

Signed-off-by: Chris Co <chrco@microsoft.com>
2022-02-09 18:35:20 -08:00
Henry Li 23bd9ce397
[main] Enable Intel_SGX Support in Mariner (#2154)
* enable sgx config

* update kernel-hyperv

* save changes

* update a couple packages

* fix spec file check

* fix linting

* update kernel configs

* revert unnecessary kernel config changes

* save changes

* update manifest

Co-authored-by: Henry Li <lihl@microsoft.com>
2022-02-08 22:21:13 -08:00
rlmenge 3398b7ccd8
Add libperf-jvmti.so to tools package (#2075)
As a result of the new install method for msopenjdk (from 40d19ce9b9),
the libperf-jvmti.so is now available and can be added to the tools
package
2022-02-02 16:00:21 -08:00
Dan Mihai 8bf0f7a0f7
Include KDB frontend for kgdb (CONFIG_KGDB_KDB) (#2043)
KDB seems to work easier than KGDB over Hyper-V VM serial ports.

The same kernel command line parameters used to enable KGDB are used
to enable KDB too. All the KDB commands are enabled at compile time, but
the run time availability of these features can be restricted by using the
kdb.cmd_enable command line parameter.

Switching back and forth between KDB to KGDB/gdb mode is also supported
(when debugging a machine where KGDB was working before this change).

Co-authored-by: Daniel Mihai <dmihai@microsoft.com>
2022-01-31 09:43:33 -08:00
Christopher Co 8450dc84b3
kernel: Update Mariner cert in kernel keyring (#1979)
* kernel: Update mariner cert in kernel keyring

* kernel-hyperv: Update mariner cert in kernel keyring

* kernel-headers: Bump to match kernel release number

* kernel-signed: Bump to match kernel release

Signed-off-by: Chris Co <chrco@microsoft.com>
2022-01-23 23:17:35 -08:00
rlmenge e992d0a3c4
[main] kernel: update to 5.15.2.1 (#1932)
* Update to 5.15

* audit: update to 3.0.6

Current audit 3.0 version fails to build because linux/ipx.h header
is no longer part of 5.15 kernel source. audit 3.0.6 has a change to
handle this 5.15 difference.

Co-authored-by: Chris Co <chrco@microsoft.com>
2022-01-19 16:22:09 -08:00
Andrew Phelps 455142ea03
exclude module_info.ld (#1912) 2022-01-13 16:00:28 -08:00
chalamalasetty 7e026da45c
Provides exclude debug build-id to generate aarch64 debuginfo rpm (#1840) 2022-01-04 15:25:59 -08:00
chalamalasetty 2543e9a223
Enable CONFIG_COMPAT kernel configs (#1815) 2021-12-29 12:50:28 -08:00
Pawel Winogrodzki e63dbeefbf
[main] `kernel-signed`: skip copying `ld` scripts from `%prep` phase. (#1779) 2021-12-16 11:23:34 -08:00
rlmenge 34502d0ddc
[dev] kernel: update to 5.10.78.1 (#1640)
* Update kernel 5.10.78.1

* Add patch to fix linux license issue in headers

* address additional CVE

* Move patch for better readability
2021-11-30 13:42:17 -08:00
Thomas Crain 3c5765cdeb
Add python3-perf subpackage to kernel (#1646) 2021-11-22 09:10:57 -08:00
Andrew Phelps d7cb7c78e9
Update toolchain and packages to build with gcc 11.2.0 and glibc 2.34 (#1623)
* update coreutils and texinfo specs

* update coreutils and texinfo in toolchain

* fix patch url

* update binutils to 2.37

* update version in manifests

* update util-linux mpfr mpc gmp

* fix mpfr tarball

* fix gmp

* update cgmanifest.json

* cleanup

* restore binutils patch

* fix gmp and mpfr specs

* update util-linux spec

* fix binutils and util-linux breaks

* update kernel CONFIG_LD_VERSION

* bump kernel release

* remove reference to rpm-define-RPM-LD-FLAGS.patch

* fix gen-ld-script.sh sha256sum

* update gcc spec to 11.2.0

* update kernel configs for gcc

* update cgmanifest

* update gcc to 11.2.0 in raw toolchain

* add patch for gcc texi issue

* update glibc to 2.34

* update manifests for diffutils and glibc

* disable tm_texi patch in toolchain

* fix SIGSTKSZ gcc issue

* patch m4 for glibc 2.34

* update make to 4.3 and diffutils to 3.8

* revert make to 4.2.1 due to operation not permitted error

* fix make and texinfo build issues with glibc 2.34

* dont build zstd in temp toolchain due to gcc build errors

* remove glibc workarounds for findutils and gzip

* update findutils and gzip

* update gzip and findutils specs

* update gdbm to 1.21

* update elfutils to 1.185 in toolchain. fix manifests

* remove findutils test change

* remove texinfo patch

* fix kernel changelogs

* add patch for cpio extern issue

* restore rpm patch

* fix m4 spec

* fix elfutils and gpgme spec issues

* fix kernel-hyperv changelog

* update kbd and libtirpc to resolve gcc 11.2.0 issues

* fix m4 version in pkggen_core

* fix libtirpc in manifests

* fix nss error

* fix openjdk

* fix aarch64 openjdk8

* fix elfutils spec

* GODEBUG=netdns=go

* verbose rpm query

* fix coreutils on aarch64. use rpm 1.14.2.1 in raw toolchain. revert rpm.go

* bump cpio release

* revert rpm.go change

* cleanup toolchain scripts and specs. parallel make for glibc

* enable fortran

* remove aarch64 ld-2.27.so link

* add gfortran to toolchain manifests

* fix binutils changelog

* fix kernel release version

* update bison grep sed tar

* add glibc pthread patch

* upgrade file gawk and xz. fix sed and grep spec issues

* set -fcommon

* revert file to 5.34

* fix temp gawk version

* fix xz man1 files

* update libgpg-error to 1.43

* add ld-linux-aarch64.so.1 to glibc spec

* use /lib/ld-linux-aarch64.so.1

* update file 5.40 and bzip2 1.0.8 in toolchain. openjdk8 remove -fcommon.

* update to perl 5.32.0 in toolchain

* fix glibc aarch64 exclude. add shadow-utils provides. fix perl src filename

* fix efivar build. upgrade dtc

* Removing 'ctags'.

* Updating 'libacvp' to version 1.4.1.

* Updating 'nlohmann-json' to version 3.10.4.

* Updating 'dhcp.spec' CFLAGS to include CBL-Mariner's defaults.

* update and fix ipxe build. remove perl debuginfo.

* add fixes for autofs and libcomps

* Adjusting build steps for 'dhcp' and 'nlohmann-json'.

* fix rocksdb

* fix ntp

* fix libcomps url in cgmanifest. revert perl change

* fix nfs-utils

* fix azure-iot-sdk-c

* Remove 'tboot'.

* fix qemu-kvm

* update R and ant

* Updating 'libiothsm-std' to version 1.2.5.

* Linting.

* Remove tcp_wrappers package

* fix syslinux

* Downgrading 'libiothsm-std' to 1.1.8.

* fix fuse. fix libcomps url

* Downgrading 'libacvp' to 1.3.0.

* Applying GCC 11 patch.

* fix fuse configure.ac issue

* Fixing 'libiothsm-std' build.

* Upgrade lldpad to 1.1.0

* Upgrade gdb to 11.1

* Upgrade catch to 2.13.7

* fixup! Upgrade gdb to 11.1

* fixup! Upgrade lldpad to 1.1.0

* remove bazel

* Updating 'toml11' to version 3.7.0.

* update cgmanifest for catch gdb lldpad

* fix qt5-qtbase

* fix device-mapper-multipath

* fix syslinux

* fix grpc

* fix kernel configs

* fix kernel-hyperv config

* increase heap size for ant

* update lttng-consume

* fix auoms

* update valgrind. fix arm64 gdb issue

* update arm64 kernel config

* fix blobfuse

* update and fix azure-iotedge

* fix grpc 1.41.1 in cgmanifest

* fix kernel and kernel-hyperv PTHREAD_STACK_MIN issue

* remove ant ant-contrib jna R

* Updating 'azure-iotedge' sources creation instructions.

* add back ant ant-contrib bazel jna R

* restrict jdk8 packages

* verify licenses

* only build conda picosat python-pycosat on arm64. fix cgmanifest

* update openjdk8 to version 1.8.0.302

* fix cgmanifest for ant and R

* always build ant

* update licenses. remove tdnf workaround. bump shadow-utils release

* update LICENSES-MAP.md to remove tboot ctags tcp_wrappers. bump libavcp release

* fix ant builds only on arm64

* Clarifying license for 'ntp'.

* Verifying license for 'ant-contrib'.

* Verifying more specs.

* revert libabcvp CFLAGS changes

* add kernel patch file

* set -fcommon to fix libacvp build

* fix python-filelock

* revert tdnf line change

Co-authored-by: CBL-Mariner Service Account <cblmargh@microsoft.com>
Co-authored-by: Pawel Winogrodzki <pawel.winogrodzki@microsoft.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
Co-authored-by: Thomas Crain <thcrain@microsoft.com>
2021-11-17 21:41:55 -08:00
rlmenge 11b7f41b47
Add configs for eBPF (#1586) 2021-11-01 09:09:16 -07:00
rlmenge 969c8868c5
[dev] kernel: Update to 5.10.74.1 (#1571)
* Update to 5.10.74.1

* Add license verified for all files
2021-10-22 11:39:58 -07:00
rlmenge 973e10f0ff
[dev] kernel: update to 5.10.69.1 (#1517)
* Update to kernel 5.10.69.1

* add CVE-2020-3653

* Add CVE-2021-42008
2021-10-14 15:11:26 -07:00
rlmenge f40ccb952e
[dev] kernel: Enable config_net_vrf (#1439)
* Enable config_net_vrf

* Add the vrf to the initramfs
2021-09-27 14:01:04 -07:00
rlmenge b6c179b10f
Update kernel to 5.10.64.1 (#1432) 2021-09-22 19:08:16 -07:00
rlmenge f4b1260d78
update to 5.10.60.1 (#1420)
Update kernel to 5.10.60.1. Apply patch for kernel to work with hyperv as in #1233. Remove cn from dracut add-drivers as in #1406. Address 24 CVEs. No kernel config changes were needed.
2021-09-21 11:16:59 -07:00
Andrew Phelps 560f9c0eba
Add ELF note metadata (2.0) (#1393)
* add basic ELF note script

* fixes for grub2

* remove change to grub2

* add generate-package-note.py
2021-09-18 12:01:11 -07:00
Muhammad Falak R Wani e7ffde92cb
[dev] kernel: export bpftool subpackage (#1375) 2021-09-13 21:58:11 +05:30
jslobodzian 17b0e93e71
Merge 1.0 to dev branch
This merge brings the latest SELinux and many packages and CVE fixes from the 1.0 branch.
2021-08-19 13:46:51 -07:00
Pawel Winogrodzki 4ac255ee79
[dev] Adding `Provides` for common `grub2` subpackages. (#1162) 2021-07-20 12:15:55 -07:00
Thomas Crain 64a8a405d2
[dev] Fix build breaks due to Python2 toolchain removal (#982)
* Remove python2 libxml2 package

* Fix grub2

* Ensure python3-libxml2 is installed in toolchain before building itstool
2021-05-25 22:21:15 -07:00
Thomas Crain 3fc27c5474
Add glibc-kernheaders provides to kernel-headers (#985) 2021-05-25 17:49:51 -07:00
Thomas Crain f5ab309436 Update entangled specs 2021-05-17 11:23:27 -07:00
Christopher Co de8f255023
kernel: Disable CONFIG_EFI_DISABLE_PCI_DMA (#875)
On certain poorly-behaving hardware, CONFIG_EFI_DISABLE_PCI_DMA can
cause the kernel to fail to boot. When this happens, the boot log
shows an EFI stub error where Exit boot services failed:

   EFI stub: Booting Linux Kernel...
   EFI stub: Using DTB from configuration table
   EFI stub: Exiting boot services and installing virtual address map...
   EFI stub: ERROR: Exit boot services failed.
   EFI stub: ERROR: Failed to update FDT and exit boot services

To confirm if one is hitting this specific PCI busmastering issue, one
can add "efi=no_disable_early_pci_dma" to the kernel command line
and observe if the boot issue goes away.

Since this kernel package serves a wider array of hardware, some of
which do exhibit this boot failure, let's disable the config by default.

Signed-off-by: Chris Co <chrco@microsoft.com>
2021-04-25 15:39:10 -07:00
Christopher Co 67cf4f9b65
grub-efi-binary-signed: define new grub2-efi-binary subpackage (#855)
* grub-signed: Commonize on one spec

Use macros to swap spec contents based on build architecture. We will
still create an SRPM per arch, each with a unique name, so there is no
risk of SRPM name collision.

* grub-signed: Define new grub2-efi-binary subpackage

New subpackage will contain the signed grubx64.efi/grubaa64.efi binary.
This package name is identical to the unsigned version and we will
prefer to use this signed version if built.

* grub-signed: rename files

* grub2: bump spec version to match signed version

* Update github action checks

CG manifest, license file, and spec entanglement checks are failing
due to the grub-efi-binary-signed naming change. Update the checks to
account for the new name.

* grub2-signed: rename source0 to match subpackage

Source0 previously pointed to grub2-efi-unsigned rpm which technically
can work but it would be better to use the grub2-efi-binary package
instead because grub2-efi-binary package is ultimately the package we
will be replacing. We can also perform checks to make sure the output
rpm matches the inputs, modulo the signed binary.

Signed-off-by: Chris Co <chrco@microsoft.com>
2021-04-21 20:37:29 -07:00
Christopher Co e6c89b3300
kernel-signed: define a new kernel subpackage (#785)
* kernel-signed: define a new kernel subpackage

This spec's purpose is to take an input kernel rpm and input secure-boot-signed
kernel binary from the same build and generate a new "kernel" rpm with the
signed kernel binary + all of the other original kernel files, triggers,
scriptlets, requires, provides, etc.

We need to ensure the kernel modules and kernel binary used are from the exact
same build because at build time the kernel modules are signed with an
ephemeral key that the kernel enrolls in its keyring. We enforce kernel
module signature checking when we enable security features like kernel
lockdown so our kernel can only load those specific kernel modules at runtime.

Additionally, to complete the UEFI Secure Boot chain, we must PE-sign the
kernel binary. Ideally we would enable secure-boot signing tools like pesign
or sbsign to be callable from inside the rpmbuild environment, that way we can
secure-boot sign the kernel binary during the kernel's rpmbuild. It is best
practice to sign as soon as possible. However there are issues getting that
secure boot signing infrastructure in place today. Hence we sign the
resulting kernel binary and "repackage" the kernel RPM (something rpm itself
actively tries to make sure you never do...generally for good reasons).

To achieve this repackaging, this spec creates a new subpackage named
"kernel". To retain all of the initial kernel package behaviors, we make sure
the subpackage has the same requires, provides, triggers, post steps, and
files as the original kernel package.

This specific repackaging implementation leaves room for us to enable the
more ideal secure-boot signing flow in the future without introducing any
sort of breaking change or new packaging. Users still install a "kernel"
package like they normally would.

Maintenance Notes:
- This spec's "version" and "release" must reflect the unsigned version that
was signed. An important consequence is that when making a change to this
spec or the normal kernel spec, the other spec's version/release must
be increased to keep the two versions consistent.

- Make sure the kernel subpackage's Requires, Provides, triggers, post/postun
scriptlets, and files match the normal kernel spec's. The kernel subpackage
should contain the same content as the input kernel package but replace the
kernel binary with our signed kernel binary. Since all the requires, provides,
etc are the same, this new kernel package can be a direct replacement for the
normal kernel package and RPM will resolve packages with kernel dependencies
correctly.

To populate the input sources:
  1. Build the unsigned packages as normal
  2. Sign the desired binary
  3. Place the unsigned package and signed binary in this spec's folder
  4. Build this spec

* kernel-signed: refactor into one common spec file

The only differences between kernel-signed-x86_64 and
kernel-signed-aarch64 spec files were primarily the architecture
type in the spec name and input Source0 rpm. We can use a macro to set
these and reduce down to one spec file

* Update checks to consider kernel-signed

* kernel-hyperv: match release number

Ideally we keep kernel-headers version/release in sync with kernel and
kernel-hyperv package version/release. This allows the user to install
kernel-headers on any Mariner system by using
   dnf install kernel-headers-$(uname -r)

Signed-off-by: Chris Co <chrco@microsoft.com>
2021-04-20 17:51:09 -07:00
rlmenge c9cef09e94
Add no patch for CVE-2021-29648 (#861) 2021-04-19 14:38:33 -04:00
Christopher Co 26d5c16802
kernel: update to 5.10.28.1 (#846)
Update the kernel to 5.10.28.1.

- 5.10.28.1 addresses the following CVEs:
CVE-2020-27170, CVE-2020-27171, CVE-2021-28375, CVE-2021-28660,
CVE-2021-28950, CVE-2021-28951, CVE-2021-28952, CVE-2021-28971,
CVE-2021-28972, CVE-2021-29266, CVE-2021-28964, CVE-2020-35508,
CVE-2020-16120, CVE-2021-29264, CVE-2021-29265, CVE-2021-29646,
CVE-2021-29647, CVE-2021-29649, CVE-2021-29650, CVE-2021-30002

- update uname_r define

It is generally expected that users can run "dnf install
kernel-devel-$(uname -r)" to pull the proper kernel-devel package
associated with the currently running kernel. Currently "uname -r"
returns something like "5.10.28.1-rolling-lts-mariner-1.cm1". RPM
package naming has the following convention:

[name]-[version]-[release].[arch].rpm
where [version] and [release] cannot contain any dash characters.
Therefore it is impossible to name a corresponding kernel-devel RPM
to match kernel-devel-$(uname -r).

In 5.10.28.1, we changed the kernel Makefile's EXTRAVERSION value from
"EXTRAVERSION=.1-rolling-lts-mariner" to "EXTRAVERSION=.1", dropping
the extra "rolling-lts-mariner" from the uname. This allows the
"dnf install kernel-devel-$(uname -r)" to work as intended.

Signed-off-by: Chris Co <chrco@microsoft.com>
2021-04-12 12:38:14 -07:00
Dan Mihai 8265b13074
Enable kernel crypto config options (#831)
Enable NIST SP800-90A kernel DRBG config options:

CONFIG_CRYPTO_DRBG_HASH
CONFIG_CRYPTO_DRBG_CTR
2021-04-02 19:27:18 -07:00
rlmenge 5ded532076
Add nopatches for tooling (#834) 2021-04-02 21:57:16 -04:00
Christopher Co e1ea8ea060
grub2: Add a few more patches (#809)
Add a few more F34 patches that are useful to carry.

Patches:
- 017: fix for passing the kernel command line
- 037, 052: updates the documentation and makes patch 166 apply cleanly
- 069: Fix for tsc problem
- 166: Prevent user from overwriting signed grub EFI binary when using
grub2-install

Signed-off-by: Chris Co <chrco@microsoft.com>
2021-04-02 15:58:27 -07:00
Christopher Co 7f6819f1dc
grub2: Update to 2.06-rc1 (#781)
Update grub2 from 2.02 to 2.06-rc1 which handles BootHole v2. Additionally, we
drop all previous patches and rebaseline using a minimal number of patches
from FC34. These patches implement Secure Boot Handover protocol (needed
so the TPM Eventlog can be exposed to the kernel for TPM attestation scenarios)
and a few other nice-to-have fixes.

2.06 also introduces a new generation number based revocation mechanism known
as Secure Boot Advanced Targeting (SBAT) into the grub EFI binary. Components
that utilize the SHIM for secure boot will add an .sbat field into their binary's
PE-header, allowing the SHIM to check the component's sbat field against known
good component versions and allow for version-based revocation.

Signed-off-by: Chris Co <chrco@microsoft.com>
2021-03-25 15:06:01 -07:00
Christopher Co cc924b0466
kernel: Address CVEs and enable CONFIG_FANOTIFY_ACCESS_PERMISSIONS (#779)
This PR has two changes:

Address kernel CVEs, fix kernel-signed file copy
Address CVE-2021-27365, CVE-2021-27364, CVE-2021-27363

kernel-signed %install step was not copying hidden files to the
buildroot directory (i.e., /boot/.vmlinuz-<uname_r>.hmac). So fix
the copy step.

Enable CONFIG_FANOTIFY_ACCESS_PERMISSIONS
This allows security products to block access to malicious files in real-time

Signed-off-by: Chris Co chrco@microsoft.com
2021-03-24 11:57:54 -07:00
Nicolas Ontiveros eb68091b5e
Disable QAT kernel configs (#759) 2021-03-17 16:01:50 -07:00
Christopher Co 56063ad3ba
kernel: Update to 5.10.21.1 and add virtio drivers to initrd (#742)
* initial update kernel to 5.10.21.1

* add new CONFIG_KCMP

CONFIG_KCMP was introduced between our last kernel version and
this one. CONFIG_KCMP is selected (=y) by CONFIG_DRM and
CONFIG_CHECKPOINT_RESTORE

* Add virtio drivers to be added into initrd

Adding these drivers into the initrd allows us to boot offline-created
images on virtio-based machines (i.e., cloud-hypervisor VMs)

* kernel: Address CVEs

"Nopatch" the following CVEs. They are fixed in 5.10.21.1
- CVE-2021-26930
- CVE-2020-35499
- CVE-2021-26931
- CVE-2021-26932

* Remove CONFIG_USB_LGM_PHY from aarch64 config

New kernel version only exposes this config if building for X86.

Signed-off-by: Chris Co <chrco@microsoft.com>
2021-03-16 11:05:42 -07:00
Christopher Co 4f61392183
kernel: Enable kernel lockdown configs (#722)
* kernel: enable kernel lockdown lsm

* kernel-hyperv: enable kernel lockdown lsm

* kernel-signed: Use uname_r macro everywhere

There was a build break due to an incorrect name used
for vmlinuz in SOURCE1.

The new 5.10 kernel source introduced a new versioning
scheme when built. EXTRAVERSION will always contain
"-rolling-lts-mariner".

In kernel.spec, the vmlinuz we output has the name:
vmlinuz--rolling-lts-mariner-, which
is constructed using vmlinuz-%{uname_r}

So to fix, use vmlinuz-%{uname_r} in the kernel-signed
specs as well.

* add more lockdown configs

CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y enables the lockdown lsm
very early prior to the security subsystem's initialization.
Still subject to kernel boot parameters.

CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y no lockdown functionality
enabled by default, but can be enabled via kernel commandline or
/sys/kernel/security/lockdown

General distros should set lockdown integrity mode, while special
purpose distros should set lockdown confidentiality mode. These
can be set in the kernel command line

Signed-off-by: Chris Co <chrco@microsoft.com>
2021-03-10 18:04:23 -08:00
chalamalasetty d4d849e3c9
Add Broadcom NetXtreme and msr driver module support to kernel (#707) 2021-03-05 11:30:14 -08:00
Thomas Crain 3c4c5f30f2
Add speakup support to kernel (#655) 2021-02-24 16:50:27 -08:00
Christopher Co aae537bbbc
Update kernel source to 5.10.13.1 (#601)
Move to the new CBL-Mariner kernel source location and use the latest
5.10.13.1 version.

As part of the upgrade to 5.10.13.1, we can remove some out-of-tree
patches since these patches have been merged into upstream.

Additionally, we need to account for the new location of module.lds
for aarch64 builds. The aarch64 module.lds is no longer checked in
as part of the source tree. See this upstream commit for more details:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=596b0474d3d9b1242eab713f84d8873f9887d980

Turn off CONFIG_GCC_PLUGIN_RANDSTRUCT protection. This struct
randomization is causing difficulty in parsing vmcore files.

Enable upstream smartpqi driver by default

Signed-off-by: Chris Co <chrco@microsoft.com>
2021-02-19 17:48:41 -08:00
Nicolas Ontiveros 9382f3845f
Add kernel crypto configs to enable tcrypt in FIPS mode (#635) 2021-02-18 06:56:53 -08:00
Nicolas Ontiveros cdeaf32fa3
Use OpenSSL to hmac calc the kernel (#615) 2021-02-09 13:43:57 -08:00
Nicolas Ontiveros fd1089c861
Add support for kernel crypto API in user space (#576)
* Add kernel configs for userspace crypto support

* First version of libkcapi

* Add libkcapi to license map

* Use hmac calc for kernel fips compliance

* Update kernel-headers

* Update kernel-signed* spec files

* Address linting

* Update cgmanifest

* Address comments on libkcapi.spec

* Address spec linting

* Update kernel signatures.json

* Update toolchain/pkggen txt files

* Rename perl-interpreter to perl

* Disable libkcapi tests for now
2021-02-04 06:58:13 -08:00
Daniel McIlvaney 7d582bd35d Add verity-read-only-root package 2021-01-28 14:07:48 -08:00
Christopher Co b32a70d67c
Update kernel sources to 5.4.91 (#563)
* kernel: update to 5.4.91

* kernel: Add nopatch files

* kernel: Remove hyperv GUI patch

* kernel: update config file and hashes

* kernel-hyperv: Update config file and hash

* kernel: Remove framebuffer patch file

* kernel: Remove PGTABLE_MAPPING

CONFIG_PGTABLE_MAPPING not supported in new 5.4.91 kernel
2021-01-23 17:04:37 -08:00
rlmenge 655e53b59a
Add i.MX8mq-evk board support (#472)
* Add i.MX8mq-evk board support

Modify the kernel configs to include the needed drivers as well as voltage regulators.
Add the dtb to the kernel spec as a subpackage by arch type
Update the kernel files to match spec version number
2021-01-13 12:15:59 -05:00
Andrew Phelps d1309e5a21
Add kernel patch to fix GUI installer crash due to mmap issue (#526)
* add kernel patch to fix gui installer crash

* update kernel-hyperv release

* revert hyperv-daemons and kernel-hyperv releasenum per feedback
2021-01-12 12:04:01 -08:00
Nicolas Ontiveros dde135df99
No patch kernel CVE-2020-27777 (#499)
* No patch kernel CVE-2020-27777

* Add upstream/stable commit info for CVE-2020-27777.nopatch

Co-authored-by: Thomas Crain <thcrain@microsoft.com>
2021-01-07 14:53:02 -08:00
Pawel Winogrodzki 852bc1e87a
Updating signed specs to be aligned with their unsigned counterparts. (#496) 2020-12-23 14:17:41 -08:00
Henry Beberman 30ca334c63
Update kernel to 4.5.83, Address 7 kernel CVEs (#470)
- Update kernel-headers, kernel, kernel-hyperv, and hyperv-daemons specs to use 5.4.83
- Refresh version numbers for kernel-signed- specs
- Update toolchain to use 5.4.83 source when building kernel headers
- Address CVE-2020-14351, CVE-2020-14381, CVE-2020-25656, CVE-2020-25704,
  CVE-2020-29534, CVE-2020-29660, CVE-2020-29661
- Update cgmanifest's download URLs to point to 5.4.83 source location
2020-12-16 14:59:31 -08:00
Christopher Co 28451002d5
Update kernel to 5.4.81, Address 16 kernel CVEs (#434)
* Initial update to 5.4.81 using autoupdater script

* kernel: Address 16 CVEs

Address CVE-2020-25705, CVE-2020-15436, CVE-2020-28974, CVE-2020-29368,
CVE-2020-29369, CVE-2020-29370, CVE-2020-29374, CVE-2020-29373, CVE-2020-28915,
CVE-2020-28941, CVE-2020-27675, CVE-2020-15437, CVE-2020-29371, CVE-2020-29372,
CVE-2020-27194, CVE-2020-27152

* kernel: Remove patch for kexec in HyperV

Remove patch for kexec in HyperV. Integrated in 5.4.81.

* kernel: Update kernel configs for 5.4.81

* kernel: Add missing aarch64 configs

* kernel-hyperv: fix up configs
2020-12-07 15:47:17 -08:00
Christopher Co aac1f33546
kernel: Add tpm eventlog patch for arm (#426) 2020-12-03 11:28:37 -08:00
Christopher Co c51c6d44f9
Fix kexec() flow in HyperV (#415)
When invoking kexec() on a Linux guest running on a Hyper-V host, the kernel panics. Created and applied kernel patch that fixes this issue.
2020-11-30 16:14:43 -08:00
chalamalasetty 8b3b80703b
Disable kernel config SLUB_DEBUG_ON due to tcp throughput perf impact (#387) 2020-11-18 17:21:20 -08:00
chalamalasetty d42ad2134f
Enable arm64 hyperv and SoCs support for CBL-Mariner (#366)
* Enable arm64 hyperv and SoCs support for CBL-Mariner

* Update kernel config for Arm64 arch

* Update kernel configs for arm64 arch

* Enable arm64 hyperv and SoCs support for CBL-Mariner

Co-authored-by: schalam <schalam@microsoft.com>
2020-11-12 00:00:27 -08:00
Christopher Co 157fad7d83
Update kernel to 5.4.72, Address 54 kernel CVEs, Add license file (#273)
Update kernel source to 5.4.72. New kernel source contains fixes for many kernel CVEs flagged by our tooling so address the CVEs. As part of this update, also add the kernel COPYING file to the packages missing the license file.
2020-11-04 10:57:49 -08:00
Pawel Winogrodzki 22ee531895
Fixing CVE-2020-15705 in `grub2`. (#319)
* Applying spec linter's suggestions.

* Adding a patch for CVE-2020-15705.
2020-11-04 10:29:29 -08:00
chalamalasetty b54a5a8a61
Merge branch '1.0-dev' into schalam/qatengine 2020-10-19 20:50:14 -07:00
Christopher Co b354cbf3da
Nopatch kernel CVE-2020-10757, CVE-2020-12653, CVE-2020-12657, CVE-2010-3865, CVE-2020-11668, CVE-2020-12654, CVE-2020-24394, CVE-2020-8428 (#193)
* Address CVE-2020-10757, CVE-2020-12653, CVE-2020-12657, CVE-2010-3865, CVE-2020-11668, CVE-2020-12654, CVE-2020-24394, CVE-2020-8428
2020-10-19 10:06:38 -07:00
chalamalasetty c5ecb62a31 Enable QAT kernel configs in CBL-Mariner 2020-10-18 17:35:18 -07:00
Christopher Co c6ccffa563
Fix kernel aarch64 package build break due to missing CONFIG_IMA_KEXEC (#171) 2020-10-02 17:19:24 -07:00
Emre Girgin f86fe912bd
Fix kernel specs' %postun scripts (#164)
* Fix `kernel.spec`'s `%postun` script

* Fix `kernel-signed-aarch64`'s `%postun` script

* Fix kernel-signed-x64.spec's %postun script

* Fix kernel-hyperv.spec's %postun script
2020-10-01 21:32:16 -07:00
chalamalasetty 4c83bb02b6 Enable Mellanox kernel configs 2020-09-25 22:17:53 -07:00
Daniel McIlvaney 6068d8b5b4
Add IMA feature to the kernel, add config for it (#135)
* Add IMA feature to the kernel, add config for it

- Add IMA measurement configs to the x86_64, and aarch64 kernel configs (IMA_APPRAISE currently disabled).
- Add KernelCommandLine config field to control IMA, and allow additional configs to be passed.

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>
Co-authored-by: Christopher Co <christopher.co@microsoft.com>
2020-09-25 16:07:17 -07:00
Daniel McIlvaney 013ed241df Add kernel config check logic to the build (#29)
* Add kernel config checks
Automatically check if the kernel configs have any inconsistencies
during the SPEC build for both kernel and kernel-hyperv

* Address feedback
2020-09-03 19:16:38 -07:00
Christopher Co e0f1243efe kernel: apply additional kernel hardening configs (#84)
* kernel: apply more kernel hardening configs

* kernel-signed-x64: Bump release number

* kernel-signed-aarch64: Bump release number
2020-09-03 15:19:21 -07:00
Christopher Co fada873708 Add kernel requires to kernel-signed requires (#90)
* kernel-signed-x64: Add missing requires

The %post step fails because /sbin/depmod is not present. depmod
is supplied by the kmod package.

This error manifested as a hyper-v boot hang where the image is
stuck infinitely waiting for the rootfs to mount. Since depmod was
never run during kernel installation, the module database is stale.
Then when the initramfs regeneration occurs, certain modules
(i.e. hv_storvsc) are not available for dracut to include into the initrd.

Bump release number

* kernel-signed-aarch64: Add missing requires

The %post step fails because /sbin/depmod is not present. depmod
is supplied by the kmod package.

This error manifested as a hyper-v boot hang where the image is
stuck infinitely waiting for the rootfs to mount. Since depmod was
never run during kernel installation, the module database is stale.
Then when the initramfs regeneration occurs, certain modules
(i.e. hv_storvsc) are not available for dracut to include into the initrd.

Bump release number

* kernel: Bump release

* kernel: clean up lingering invalid aarch64 configs

* kernel: Fix bogus date rpmlint message
2020-09-03 14:58:03 -07:00
Christopher Co c8bdc7356d Update kernel hashes to latest 5.4.51 (#85)
* hyperv-daemons: Update source hash

* kernel: Update source hash

* kernel-hyperv: Update source hash

* kernel-headers: Update source hash

* Update manifests

* Update toolchain remote md5sum

* kernel-signed-aarch64: Bump release number

* kernel-signed-x64: Bump release number

* kernel: update config

* kernel-hyperv: Update config
2020-09-03 09:20:22 -07:00
Christopher Co 17b2b03820
Update kernel source to stable 5.4.51 (#59)
* kernel-headers: Update source to 5.4.51

* hyperv-daemons: Update source to 5.4.51

* kernel: Update to 5.4.51

* kernel-hyperv: Update to 5.4.51

* kernel: Add nopatch for fixed CVEs

Address CVE-2020-11494, CVE-2020-11565, CVE-2020-12655, CVE-2020-12771,
CVE-2020-13974, CVE-2020-15393, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649,
CVE-2020-9383, CVE-2020-11725

* cgmanifest: Update kernel urls to 5.4.51
2020-08-26 15:25:40 -07:00
Pawel 92a60e14fa Adding missing license and spec origin info. 2020-08-25 11:36:03 -07:00
Chris Co d0e924ae02 kernel: Update Requires for kernel subpackages 2020-08-19 19:55:22 +00:00
Chris Co cb944fb8e6 Introduce kernel-signed-<arch> package
As part of enabling the UEFI Secure Boot chain, the kernel binary must
be signed with our distro key.

At the moment, the signing infrastructure isn't quite ready to perform
inline signing during package build. So to work around this, we
introduced the kernel-signed-<arch> packages. The purpose of these
packages is to supply a way for signed versions of the kernel binary
and the associated kernel modules to land on the end-user's
filesystem.
2020-08-19 01:48:59 +00:00
Chris Co 89382c8efc Introduce grub2-efi-binary-signed-<arch> package
As part of enabling UEFI Secure Boot, the grub2 EFI binary must be
signed with our distro key.

At the moment, the signing infrastructure isn't quite ready to perform
inline signing during package build. So to work around this, we
introduced the grub2-efi-binary-signed-<arch> packages. The purpose
of these packages is to supply a way for signed versions of the
grub efi binary to land on the end-user's filesystem.
2020-08-19 01:48:50 +00:00