* Kernel upgrade to 5.15.60.1 version
* move kernel to 5.15.60.2 source to fix arm builds
* Clean up changelog; add nopatches for CVE-2022-36879, CVE-2022-36946, CVE-2022-2503, CVE-2022-1973
Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
* staging for now
* update grub2
* add grub pxe binary
* fix mistake in spec
* revert unnecessary changes
* add subpackage and update binary name
* update changes
* Update SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
Co-authored-by: Henry Li <lihl@microsoft.com>
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
FTRACE_SYSCALLS was removed in a previous commit.
Sadly, this option is needed by eBPF CO-RE tools which use syscall tracepoints
(sys_enter_* and sys_exec_*).
Without this option, tools like iovisor/bcc/libbpf-tools/execsnoop cannot work
on CBL Mariner.
Also, some standard eBPF tools need kernel headers to be available, hence
IKHEADERS was set as a module.
Without this option, tools like iovisor/bcc/tools/biolatency.py cannot work.
Fixes: 344c087e52 ("kernel configs to bring down boot time for initrd")
Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
* Nopatch CVE-2020-35501
* Kernel update script --> 5.15.41.1
* correct hashes
* correct kernel-rt signature; don't auto update kernel-rt (we need to check for a patch-version)
* re-fix sig
* Address more cves
* fix kernel-rt cgmanifest entry
* fix dockerfile and update_kernel script tag
* remove tag errors in cgman
* use nifty new cve tool to generate more accurate nopatch
* fix console, cdrom, mouse, kexec aarch64 config
* Bump up release number
* Fix aarch64 config according to build
* Bump up release in kernel-header
* Update release in kernel-signed, add kernel option for initcall_blacklist
* Add config for crash-on-demand
* Fix order in pkggen_core
* update kernel to 5.15.34.1, clean up nopatches in kernel.spec, address CVEs
* bump kernel-rt config version
* add missed kernel-rt patch
* fix naming convention for kernel source tar to match that used in LSG
* fix toolchain container kernel source link
* correct toolchain kernel source hash
* fix signatures to be correct version of kernel source
* switch to cm2
* fix config hash kernel-rt
* fix usbip
* stop packaging tar creation script in usbip; add update_kernel.sh
* fix usbip again
* nopatch CVE-2022-29156
* clean up update_kernel.sh
* fix kernel debug symbol issue
* update kernel-headers
* update hyperv-daemons and kernel-rt
* fix typo in specs
* remove xerces-c-devel BR from kernel
* exclude debug folder from main kernel package. fix bogus date in changelog
* remove aarch64 exclude workaround. use /usr/lib/debug
* [main] Enable NO_IOMMU kernel flag.
In order to support high data throughput for network connections, user-mode
drivers require direct access to the underlying devices. Such access can be
managed/protected by the IOMMU controller if it is present in the hardware.
For VMs, we may not have IOMMU exposed by the hypervisor. So we must provide
a way for the VFIO module to say that there is no IOMMU but still use VFIO
to keep the software stack the same.
The Mariner kernel today is compiled such that IOMMU is always required for
such user-mode drivers to work. This is a problem for virtual machines where
such a requirement cannot be met.
This fix changes the kernel NO_IOMMU compile option such that it is possible
for the root user to choose whether to require IOMMU or not based on their
needs without recompiling the kernel.
The default is that IOMMU is required.
The root user must explicitly disable the IOMMU requirement with the following
command:
/sbin/modprobe vfio enable_unsafe_noiommu_mode=Y
* Enable NO_IOMMU: update version of kernel related spec files.
* Enable NO_IOMMU: update toolkit references.
* Enable NO_IOMMU: update pkggen references.
* Update kernel signature file after merge with main.
* [1.0] shim: update shim bootloader (#2157)
* shim: update key used
Our current keys have a 1-year expiration time, and they will expire
shortly. Update the key to one that will expire on 10/13/22. Ultimately
we plan to move to a longer-lived CA cert once that is made available.
* shim: Add critical patches
* shim: Update to new signed shim bootloader binary
New shim bootloader contains the renewed Mariner Secure Boot Production
key embedded inside. And this shim binary itself is signed with the MS
UEFI CA.
* grub: bump release number to force re-signing
In order to not regress current users of the grub2-2.06~rc1-7 package,
bump release number which will cause the newer grubx64.efi inside the
grub2-efi-binary-2.06~rc1-8 package to be signed with the updated secure
boot key that matches with the one embedded in the 15.4-2 shim binary.
* License verified
Signed-off-by: Chris Co <chrco@microsoft.com>
KDB seems to work more easily than KGDB over Hyper-V VM serial ports.
The same kernel command line parameters used to enable KGDB are used
to enable KDB too. All the KDB commands are enabled at compile time, but
the run time availability of these features can be restricted by using the
kdb.cmd_enable command line parameter.
Switching back and forth between KDB and KGDB/gdb mode is also supported
(when debugging a machine where KGDB was working before this change).
Co-authored-by: Daniel Mihai <dmihai@microsoft.com>
* kernel: Update mariner cert in kernel keyring
* kernel-hyperv: Update mariner cert in kernel keyring
* kernel-headers: Bump to match kernel release number
* kernel-signed: Bump to match kernel release
Signed-off-by: Chris Co <chrco@microsoft.com>
* Update to 5.15
* audit: update to 3.0.6
The current audit 3.0 version fails to build because the linux/ipx.h header
is no longer part of the 5.15 kernel source. audit 3.0.6 has a change to
handle this 5.15 difference.
Co-authored-by: Chris Co <chrco@microsoft.com>