containers · slp · Jan 17, 2025 · Dec 11, 2024
@@ -1,13 +1,13 @@
-KERNEL_VERSION = linux-6.6.63
+KERNEL_VERSION = linux-6.12.3
 KERNEL_REMOTE = https://cdn.kernel.org/pub/linux/kernel/v6.x/$(KERNEL_VERSION).tar.xz
 KERNEL_TARBALL = tarballs/$(KERNEL_VERSION).tar.xz
 KERNEL_SOURCES = $(KERNEL_VERSION)
 KERNEL_PATCHES = $(shell find patches/ -name "0*.patch" | sort)
 KERNEL_C_BUNDLE = kernel.c
 
 ABI_VERSION = 4
-FULL_VERSION = 4.6.0
-TIMESTAMP = "Mon Dec  2 11:39:28 CET 2024"
+FULL_VERSION = 4.7.0
+TIMESTAMP = "Wed Dec 11 20:34:13 CET 2024"
 
 KERNEL_FLAGS = KBUILD_BUILD_TIMESTAMP=$(TIMESTAMP)
 KERNEL_FLAGS += KBUILD_BUILD_USER=root

@@ -1,4 +1,4 @@
-From 937e56d777cf3809a5ac0a5d8d42dfcbcc93c330 Mon Sep 17 00:00:00 2001
+From 08321e01f374236bbd4358824a7d0bed75db56ca Mon Sep 17 00:00:00 2001
 From: Sergio Lopez <slp@sinrega.org>
 Date: Fri, 10 Sep 2021 13:05:01 +0200
 Subject: [PATCH 1/4] virtio: enable DMA API if memory is restricted
@@ -15,10 +15,10 @@ Signed-off-by: Sergio Lopez <slp@redhat.com>
  2 files changed, 4 insertions(+), 6 deletions(-)
 
 diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c
-index 71dee622b771..f92475dbca43 100644
+index b9095751e43b..9e6420d5bc66 100644
 --- a/drivers/virtio/virtio.c
 +++ b/drivers/virtio/virtio.c
-@@ -180,12 +180,6 @@ static int virtio_features_ok(struct virtio_device *dev)
+@@ -213,12 +213,6 @@ static int virtio_features_ok(struct virtio_device *dev)
  				 "device must provide VIRTIO_F_VERSION_1\n");
  			return -ENODEV;
  		}
@@ -32,7 +32,7 @@ index 71dee622b771..f92475dbca43 100644
 
  	if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1))
 diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
-index 80669e05bf0e..438b4f6c5cdb 100644
+index 98374ed7c577..8daebc83208c 100644
 --- a/drivers/virtio/virtio_ring.c
 +++ b/drivers/virtio/virtio_ring.c
 @@ -6,6 +6,7 @@

@@ -1,4 +1,4 @@
-From 15cc4533c0e0bfa1b8a762ecffb5486ed258d87a Mon Sep 17 00:00:00 2001
+From 9da8c48cd0849c0c58b848c01f8cca7adf79ee70 Mon Sep 17 00:00:00 2001
 From: Sergio Lopez <slp@redhat.com>
 Date: Thu, 20 Oct 2022 10:23:16 +0200
 Subject: [PATCH 2/4] x86/sev: write AP reset vector
@@ -8,14 +8,14 @@ into the AP reset vector used by libkrun's qboot.
 
 Signed-off-by: Sergio Lopez <slp@redhat.com>
 ---
- arch/x86/kernel/sev.c | 25 ++++++++++++++++++++++++-
+ arch/x86/coco/sev/core.c | 25 ++++++++++++++++++++++++-
  1 file changed, 24 insertions(+), 1 deletion(-)
 
-diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c
-index 9905dc0e0b09..38df85fd1324 100644
---- a/arch/x86/kernel/sev.c
-+++ b/arch/x86/kernel/sev.c
-@@ -1116,6 +1116,29 @@ void __init snp_set_wakeup_secondary_cpu(void)
+diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c
+index de1df0cb45da..7ed486a790fb 100644
+--- a/arch/x86/coco/sev/core.c
++++ b/arch/x86/coco/sev/core.c
+@@ -1266,6 +1266,29 @@ void __init snp_set_wakeup_secondary_cpu(void)
  	apic_update_callback(wakeup_secondary_cpu, wakeup_cpu_via_vmgexit);
  }
 
@@ -45,7 +45,7 @@ index 9905dc0e0b09..38df85fd1324 100644
  int __init sev_es_setup_ap_jump_table(struct real_mode_header *rmh)
  {
  	u16 startup_cs, startup_ip;
-@@ -1127,7 +1150,7 @@ int __init sev_es_setup_ap_jump_table(struct real_mode_header *rmh)
+@@ -1277,7 +1300,7 @@ int __init sev_es_setup_ap_jump_table(struct real_mode_header *rmh)
 
  	/* On UP guests there is no jump table so this is not a failure */
  	if (!jump_table_addr)

@@ -1,4 +1,4 @@
-From 4db2da9b067d0c7b10d7f7543c45dcb0d608e307 Mon Sep 17 00:00:00 2001
+From ff94a2d240ee168296ce4e2bb3370ee10272bbef Mon Sep 17 00:00:00 2001
 From: Sergio Lopez <slp@redhat.com>
 Date: Wed, 3 Aug 2022 12:35:12 +0200
 Subject: [PATCH 3/4] Implement driver to retrieve secrets from cmdline
@@ -14,24 +14,24 @@ efi_secret.c
 
 Signed-off-by: Sergio Lopez <slp@redhat.com>
 ---
- arch/x86/kernel/setup.c                       |   7 +
- drivers/virt/Kconfig                          |   2 +
- drivers/virt/Makefile                         |   1 +
+ arch/x86/kernel/setup.c                       |   6 +
+ drivers/virt/coco/Kconfig                     |   2 +
+ drivers/virt/coco/Makefile                    |   1 +
  drivers/virt/coco/cmdline_secret/Kconfig      |  13 ++
  drivers/virt/coco/cmdline_secret/Makefile     |   2 +
  .../virt/coco/cmdline_secret/cmdline_secret.c | 135 ++++++++++++++++++
  include/linux/init.h                          |   4 +
  init/main.c                                   |  13 ++
- 8 files changed, 177 insertions(+)
+ 8 files changed, 176 insertions(+)
  create mode 100644 drivers/virt/coco/cmdline_secret/Kconfig
  create mode 100644 drivers/virt/coco/cmdline_secret/Makefile
  create mode 100644 drivers/virt/coco/cmdline_secret/cmdline_secret.c
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index eb129277dcdd..3906896a62af 100644
+index f1fea506e20f..3778d544e93b 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -876,7 +876,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -751,12 +751,18 @@ void __init setup_arch(char **cmdline_p)
  	 */
  	__flush_tlb_all();
  #else
@@ -41,42 +41,40 @@ index eb129277dcdd..3906896a62af 100644
  	boot_cpu_data.x86_phys_bits = MAX_PHYSMEM_BITS;
  #endif
 
-@@ -961,6 +963,11 @@ void __init setup_arch(char **cmdline_p)
-
  #ifdef CONFIG_CMDLINE_BOOL
  #ifdef CONFIG_CMDLINE_OVERRIDE
 +#ifdef CONFIG_CMDLINE_SECRET
 +	strscpy(early_secret_cmdline, boot_command_line, COMMAND_LINE_SIZE);
 +	memzero_explicit(boot_command_line, COMMAND_LINE_SIZE);
-+	clflush_cache_range(boot_command_line, COMMAND_LINE_SIZE);
 +#endif
  	strscpy(boot_command_line, builtin_cmdline, COMMAND_LINE_SIZE);
  #else
  	if (builtin_cmdline[0]) {
-diff --git a/drivers/virt/Kconfig b/drivers/virt/Kconfig
-index f79ab13a5c28..4a62feec1a0e 100644
---- a/drivers/virt/Kconfig
-+++ b/drivers/virt/Kconfig
-@@ -50,6 +50,8 @@ source "drivers/virt/acrn/Kconfig"
-
- source "drivers/virt/coco/efi_secret/Kconfig"
+diff --git a/drivers/virt/coco/Kconfig b/drivers/virt/coco/Kconfig
+index d9ff676bf48d..fd37c502b42d 100644
+--- a/drivers/virt/coco/Kconfig
++++ b/drivers/virt/coco/Kconfig
+@@ -7,6 +7,8 @@ config TSM_REPORTS
+ 	select CONFIGFS_FS
+ 	tristate
 
 +source "drivers/virt/coco/cmdline_secret/Kconfig"
 +
- source "drivers/virt/coco/sev-guest/Kconfig"
+ source "drivers/virt/coco/efi_secret/Kconfig"
 
- source "drivers/virt/coco/tdx-guest/Kconfig"
-diff --git a/drivers/virt/Makefile b/drivers/virt/Makefile
-index e9aa6fc96fab..9174d4f9286e 100644
---- a/drivers/virt/Makefile
-+++ b/drivers/virt/Makefile
-@@ -10,5 +10,6 @@ obj-y				+= vboxguest/
- obj-$(CONFIG_NITRO_ENCLAVES)	+= nitro_enclaves/
- obj-$(CONFIG_ACRN_HSM)		+= acrn/
- obj-$(CONFIG_EFI_SECRET)	+= coco/efi_secret/
-+obj-$(CONFIG_CMDLINE_SECRET)	+= coco/cmdline_secret/
- obj-$(CONFIG_SEV_GUEST)		+= coco/sev-guest/
- obj-$(CONFIG_INTEL_TDX_GUEST)	+= coco/tdx-guest/
+ source "drivers/virt/coco/pkvm-guest/Kconfig"
+diff --git a/drivers/virt/coco/Makefile b/drivers/virt/coco/Makefile
+index b69c30c1c720..da3d9254900c 100644
+--- a/drivers/virt/coco/Makefile
++++ b/drivers/virt/coco/Makefile
+@@ -3,6 +3,7 @@
+ # Confidential computing related collateral
+ #
+ obj-$(CONFIG_TSM_REPORTS)	+= tsm.o
++obj-$(CONFIG_CMDLINE_SECRET)	+= cmdline_secret/
+ obj-$(CONFIG_EFI_SECRET)	+= efi_secret/
+ obj-$(CONFIG_ARM_PKVM_GUEST)	+= pkvm-guest/
+ obj-$(CONFIG_SEV_GUEST)		+= sev-guest/
 diff --git a/drivers/virt/coco/cmdline_secret/Kconfig b/drivers/virt/coco/cmdline_secret/Kconfig
 new file mode 100644
 index 000000000000..bb601280d50d
@@ -246,7 +244,7 @@ index 000000000000..e53edce18768
 +module_init(cmdline_secret_init);
 +module_exit(cmdline_secret_exit);
 diff --git a/include/linux/init.h b/include/linux/init.h
-index 01b52c9c7526..889a0cf32832 100644
+index ee1309473bc6..96c0f3c72395 100644
 --- a/include/linux/init.h
 +++ b/include/linux/init.h
 @@ -143,6 +143,10 @@ extern int do_one_initcall(initcall_t fn);
@@ -261,10 +259,10 @@ index 01b52c9c7526..889a0cf32832 100644
 
  /* used by init/main.c */
 diff --git a/init/main.c b/init/main.c
-index c787e94cc898..2fb8a8af9af6 100644
+index c4778edae797..a475bd3bcb34 100644
 --- a/init/main.c
 +++ b/init/main.c
-@@ -147,6 +147,11 @@ static char *extra_command_line;
+@@ -149,6 +149,11 @@ static char *extra_command_line;
  /* Extra init arguments */
  static char *extra_init_args;
 
@@ -276,7 +274,7 @@ index c787e94cc898..2fb8a8af9af6 100644
  #ifdef CONFIG_BOOT_CONFIG
  /* Is bootconfig on command line? */
  static bool bootconfig_found;
-@@ -670,6 +675,14 @@ static void __init setup_command_line(char *command_line)
+@@ -685,6 +690,14 @@ static void __init setup_command_line(char *command_line)
  	}
 
  	saved_command_line_len = strlen(saved_command_line);

@@ -1,4 +1,4 @@
-From d53bef286ab6731ad5c721537ef8ad3ec39c0200 Mon Sep 17 00:00:00 2001
+From 459990b97e11b3be4272d06b4647bdab6bdf099e Mon Sep 17 00:00:00 2001
 From: Sergio Lopez <slp@redhat.com>
 Date: Wed, 5 Jun 2024 16:20:08 +0200
 Subject: [PATCH 4/4] x86/sev: Avoid using native_cpuid
@@ -16,7 +16,7 @@ Signed-off-by: Sergio Lopez <slp@redhat.com>
  1 file changed, 3 insertions(+), 23 deletions(-)
 
 diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c
-index cc47a818a640..a2b5b08eee23 100644
+index ac33b2263a43..d894fdb89007 100644
 --- a/arch/x86/mm/mem_encrypt_identity.c
 +++ b/arch/x86/mm/mem_encrypt_identity.c
 @@ -495,37 +495,17 @@ void __head sme_enable(struct boot_params *bp)

@@ -1,7 +1,7 @@
-From a6442523102c4d482bf24f0f21a38ae29b3f0c8c Mon Sep 17 00:00:00 2001
+From 784c1bce5f1ca4c39d6c94dd1db220291cb26f9a Mon Sep 17 00:00:00 2001
 From: Sergio Lopez <slp@redhat.com>
 Date: Thu, 2 Mar 2023 07:34:49 +0100
-Subject: [PATCH 01/20] krunfw: Don't panic when init dies
+Subject: [PATCH 01/19] krunfw: Don't panic when init dies
 
 In libkrun, the isolated process runs as PID 1. When it exits,
 trigger an orderly reboot instead of panic'ing.
@@ -11,23 +11,24 @@ play with the printk levels instead.
 
 Signed-off-by: Sergio Lopez <slp@redhat.com>
 ---
- kernel/exit.c   | 5 +++++
+ kernel/exit.c   | 6 ++++++
  kernel/reboot.c | 2 ++
- 2 files changed, 7 insertions(+)
+ 2 files changed, 8 insertions(+)
 
 diff --git a/kernel/exit.c b/kernel/exit.c
-index 3540b2c9b1b6..8348e9825945 100644
+index 619f0014c33b..987bec96ebee 100644
 --- a/kernel/exit.c
 +++ b/kernel/exit.c
-@@ -69,6 +69,7 @@
+@@ -69,6 +69,8 @@
  #include <linux/rethook.h>
  #include <linux/sysfs.h>
  #include <linux/user_events.h>
 +#include <linux/reboot.h>
- 
++
  #include <linux/uaccess.h>
- #include <asm/unistd.h>
-@@ -840,8 +841,12 @@ void __noreturn do_exit(long code)
+
+ #include <uapi/linux/wait.h>
+@@ -905,8 +907,12 @@ void __noreturn do_exit(long code)
  		 * immediately to get a useable coredump.
  		 */
  		if (unlikely(is_global_init(tsk)))
@@ -41,10 +42,10 @@ index 3540b2c9b1b6..8348e9825945 100644
  #ifdef CONFIG_POSIX_TIMERS
  		hrtimer_cancel(&tsk->signal->real_timer);
 diff --git a/kernel/reboot.c b/kernel/reboot.c
-index 6ebef11c8876..4323caa5b871 100644
+index f05dbde2c93f..f047bde90c03 100644
 --- a/kernel/reboot.c
 +++ b/kernel/reboot.c
-@@ -269,10 +269,12 @@ void kernel_restart(char *cmd)
+@@ -278,10 +278,12 @@ void kernel_restart(char *cmd)
  	do_kernel_restart_prepare();
  	migrate_to_reboot_cpu();
  	syscore_shutdown();

@@ -1,7 +1,7 @@
-From 46b2f712bf3d3de11cbc0358ec6f833be99f2f49 Mon Sep 17 00:00:00 2001
+From c843c27bf58ade43ae935391ade4908d980ba1a2 Mon Sep 17 00:00:00 2001
 From: Sergio Lopez <slp@redhat.com>
 Date: Mon, 16 May 2022 16:04:27 +0200
-Subject: [PATCH 02/20] krunfw: Ignore run_cmd on orderly reboot
+Subject: [PATCH 02/19] krunfw: Ignore run_cmd on orderly reboot
 
 We don't really support restarting the conventional way, so ignore
 "run_cmd" so we can fall back to an emergency sync and reboot.
@@ -12,10 +12,10 @@ Signed-off-by: Sergio Lopez <slp@redhat.com>
  1 file changed, 4 insertions(+)
 
 diff --git a/kernel/reboot.c b/kernel/reboot.c
-index 4323caa5b871..d9d6f0dd2ebc 100644
+index f047bde90c03..aeea51201f90 100644
 --- a/kernel/reboot.c
 +++ b/kernel/reboot.c
-@@ -836,7 +836,11 @@ static int __orderly_reboot(void)
+@@ -852,7 +852,11 @@ static int __orderly_reboot(void)
  {
  	int ret;