
[ciq-6.12.y-next] Multiple patches tested (59 commits)#1208

Merged
ciq-kernel-automation[bot] merged 59 commits intociq-6.12.y-nextfrom
{automation_tmp}_ciq-6.12.y-next
May 8, 2026

Conversation


@ciq-kernel-automation ciq-kernel-automation Bot commented May 8, 2026

Dirtyfrag Exploit Run

[brett@localhost lts-9.6_dirtyfrag]$ uname -a
Linux localhost 6.12.87-automation_tmp_ciq-6.12.y-6ce64d7a5214+ #1 SMP PREEMPT_DYNAMIC Fri May  8 14:51:23 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
[brett@localhost lts-9.6_dirtyfrag]$
[brett@localhost lts-9.6_dirtyfrag]$ cd dirtyfrag/
[brett@localhost dirtyfrag]$ ./exp
dirtyfrag: failed (rc=4)
[brett@localhost dirtyfrag]$

[brett@localhost dirtyfrag]$

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

Add CIQ configs

Adding configs based off the Fedora-ARK default config from 6.12.15.
github actions: Make Builds on Merge Request Work

Setting up the default build configs to ensure everything builds when we
update and rebase.
arm64: add kernel config option to lock down when in Secure Boot mode

jira LE-2629
feature Additional SecureBoot patches for dynamic lockdown
commit 78c8af872660c31779951583b6f1ebf283d95985
commit-source https://salsa.debian.org/kernel-team/linux.git
commit-patch-path debian/patches/features/all/lockdown
commit-info Checkout the commit sha above and move to the directory
            listed above to find Debian patches matching this commits
            summary line.
efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode

jira LE-2629
feature Additional SecureBoot patches for dynamic lockdown
commit 78c8af872660c31779951583b6f1ebf283d95985
commit-source https://salsa.debian.org/kernel-team/linux.git
commit-patch-path debian/patches/features/all/lockdown
commit-info Checkout the commit sha above and move to the directory
            listed above to find Debian patches matching this commits
            summary line.
UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.
efi: Lock down the kernel if booted in secure boot mode

jira LE-2629
feature Additional SecureBoot patches for dynamic lockdown
commit 78c8af872660c31779951583b6f1ebf283d95985
commit-source https://salsa.debian.org/kernel-team/linux.git
commit-patch-path debian/patches/features/all/lockdown
commit-info Checkout the commit sha above and move to the directory
            listed above to find Debian patches matching this commits
            summary line.
mtd: phram,slram: Disable when the kernel is locked down

jira LE-2629
feature Additional SecureBoot patches for dynamic lockdown
commit 78c8af872660c31779951583b6f1ebf283d95985
commit-source https://salsa.debian.org/kernel-team/linux.git
commit-patch-path debian/patches/features/all/lockdown
commit-info Checkout the commit sha above and move to the directory
            listed above to find Debian patches matching this commits
            summary line.
Add efi_status_to_str() and rework efi_status_to_err().

jira LE-2629
feature Fedora EFI status status
commit 7a60169d168d6aae70aca10b7b71070666068529
commit-source https://gitlab.com/cki-project/kernel-ark/
[CIQ] Arm Lockdown Config Enablement

jira LE-2629
[CIQ] Refresh Configs after making modifications

jira LE-2628
[CIQ] v6.12.17 -> v6.12.47 config updates

[CIQ] v6.12.17 config updates
[CIQ] configs: Update PAHOLE_VERSION to 130

This is shown as an update for 6.12.61, but actually has nothing to
do with the kernel version.  The dwarves package in rocky 9 was upgraded
to 1.30 which changes the detected pahole version to 130.
[CIQ] v6.12.63 - rebased configs

New config SND_SOC_NAU8325 was added.
 ASoC: nau8325: add missing build config
 Upstream: cd41d3420ef658b2ca902d7677536ec8e25b610a
[CIQ] v6.12.76 - rebased configs

WARN_ALL_UNSEEDED_RANDOM was removed completely
 Remove WARN_ALL_UNSEEDED_RANDOM kernel config option
 Upstream: 7dff99b354601dd01829e1511711846e04340a69
Import dist-git from 6.12.74 SRPM

kernel.spec: Remove kabi code

This kernel does not guarantee a stable kabi
kernel.spec: Move netfilter modules to core

This aligns module packaging with Rocky 9
kernel.spec: Use configs from ciq/config

The configs are already in ciq/configs, so no need to have another
copy in SOURCES
Add generate_tarball.sh

Adding CIQ attributes to kernel mod signing cert

We should be attributing CIQ as the signer of the kernel modules being built and
signed during the kernel build and packaging process.
Switch to zstd for source tarball

Remove Makefile.rhelver

Remove kernel.changelog

Remove generate_all_configs.sh

Move SOURCES and SPECS into ciq/

Remove ciq_sbsign.macros

generate_tarball.sh: improve error handling and cleanup

generate_tarball.sh: check for zstd and use ZSTD_CMD variable

Update README.rst for CIQ layout

Remove rpminspect.yaml

Add linux-kernel-test.patch

This got left behind because of .gitignore
kernel.spec: Remove FIPS config tweak

uki_addons: Add debug.addon and systemd-volatile-overlay.addon

[CIQ] v6.12.77 - updated spec

github actions: Inherit the Kernel CI Automated workflow from main

[CIQ] v6.12.78 - rebased configs

GENERIC_IRQ_KEXEC_CLEAR_VM_FORWARD was added and is selected
by default for aarch64
[CIQ] v6.12.78 - updated spec

github actions: Use trigger for kernelCI

Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
github actions: Trigger kernelCI on ciq-6.12.y-next branches

spec: update branding in package descriptions and log messages

github actions: add RPM build workflow for x86_64 and aarch64

[CIQ] v6.12.85 - updated spec

github actions: fix version mismatch for upstream v-prefixed tags in generate_tarball.sh

Rename package to kernel-clk6.12 and add Provides/Conflicts

Rename spec file from kernel.spec to kernel-clk6.12.spec.
Use gzip for symvers compression to match upstream

Switch Module.symvers compression from the dynamic %compression
macro (xz) to hardcoded gzip -c9, matching the upstream kernel spec.
Also fixes the ghost file permissions from 0644 to 0600.
Add +clk6.12 suffix to kernel version string (uname -r)

Inject +%{pkg_suffix} into KVERREL and the shell-level equivalents
(KernelVer, DevelDir, EXTRAVERSION) so that uname -r shows the CLK
kernel identity, e.g. 6.12.78-1.1.el9_ciq.x86_64+clk6.12.
Sync spec changes from 6.18 branch

- Consolidate version defines (kernel_major_minor, kernel_patch, buildid)
- Derive specversion, pkgrelease, tarfile_release from base defines
- Rework -default package with proper scriptlets and kernel-provider
- Convert tools subpackages to short form naming
- Bundle bindgen-cli for Rocky 9.6 builds
- Export GRUB_NON_STANDARD_KERNEL to prevent boot default hijacking
- Update generate_tarball.sh for new version scheme
kernel-clk6.12: replace merge.py stub with functional version from 6.18

kernel-clk6.12: fix Config= to use %{name}-%{specversion} prefix, in sync with 6.18

kernel-clk6.12: add missing namespaced Provides, in sync with 6.18

Add generic kernel Provides to spec

Adds 'Provides: kernel = version' to base package for compatibility
with packages depending on generic kernel capability.
spec: Fix posttrans script to handle noarch package expansion

github actions: update rpm-build workflow for namespaced spec

Add generic kernel-headers and kernel-devel Provides to spec

Add versioned Provides for kernel-headers, kernel-devel, and
kernel-devel-<arch> so the namespaced CLK packages satisfy the same
dependency capabilities as stock Rocky kernel packages.
spec: fix missed kernel -> %{name} substitutions in kvm, uki-virt-addons, ipaclones

Replace remaining hardcoded 'kernel' references with %{name} in:
- kernel_kvm_package: Summary, Requires, Provides, %description
- uki-virt-addons: Requires
- kernel_ipaclones_package: Summary
bundle_bindgen: add set -e, curl --fail, and SHA256 verification

- Add set -e so the script exits on any command failure
- Add -f (--fail) to curl so HTTP errors are caught
- Verify the downloaded crate against the known SHA256 from crates.io
  before extracting
[CIQ] v6.12.86 - updated spec

rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

cve-pre CVE-2026-34500
commit-author David Howells <dhowells@redhat.com>
commit 24481a7f573305706054c59e275371f8d0fe919f
upstream-diff |
	Used rxrpc_skb_put_input instead of rxrpc_skb_put_response_copy
	when freeing the unshared skb copy.  The upstream trace enum
	rxrpc_skb_put_response_copy was introduced in the upstream
	prerequisite commit 1f2740150f904 ("rxrpc: Fix potential UAF after
	skb_unshare() failure"), but the 6.12 stable backport of that
	commit (bf20f46d94f1d) correctly omitted it because no code in the
	tree used it at the time.  rxrpc_skb_put_input is the enum used by
	the analogous unshare-copy-free pattern in call_event.c from the
	same backported series.
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

cve CVE-2026-34500
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit -
commit-source https://lore.kernel.org/all/af2kdW2F1gJ9U-Gg@v4bel
[CIQ] v6.12.87 - updated spec

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 34m 10s 34m 58s
aarch64 20m 29s 21m 5s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 321 72 ciq-6.12.y-next ✅ No regressions
aarch64 269 63 ciq-6.12.y-next ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1480 81 ciq-6.12.y-next ✅ No regressions
aarch64 1453 82 ciq-6.12.y-next ✅ No regressions

🤖 This PR was automatically generated by GitHub Actions
Run ID: 25561665471

PlaidCat and others added 30 commits May 8, 2026 10:37
Adding configs based off the Fedora-ARK default config from 6.12.15.

We are modifying these with the following configs where available
CONFIG_MODIFY_LDT_SYSCALL=n
CONFIG_LEGACY_VSYSCALL_NONE=n
These options are for old software support, which adds performance
overhead and potential attack surface, and which goes against the CIQ LT
kernels' priority of performance and security.

CONFIG_LIVEPATCH=n
We do not have live patching on any road-map; it is not even supported
as a config for ARM.

CONFIG_WQ_POWER_EFFICIENT_DEFAULT=y
This should be enabled, it often improves performance funnily enough

CONFIG_PREEMPT_VOLUNTARY=y
CONFIG_HZ=100
These are set to increase throughput: CONFIG_PREEMPT_VOLUNTARY=y (the default
Fedora config), but CONFIG_HZ=100 for higher throughput over the x86_64
default of CONFIG_HZ=1000, which provides lower latency.
Setting up the default build configs to ensure everything builds when we
update and rebase.
jira LE-2629
feature Additional SecureBoot patches for dynamic lockdown
commit 78c8af872660c31779951583b6f1ebf283d95985
commit-source https://salsa.debian.org/kernel-team/linux.git
commit-patch-path debian/patches/features/all/lockdown
commit-info Checkout the commit sha above and move to the directory
            listed above to find Debian patches matching this commits
            summary line.

Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.

Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.

Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.15 and lockdown patch set:
 - Pass result of efi_get_secureboot() in stub through to
   efi_set_secure_boot() in main kernel
 - Use lockdown API and naming]
[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
[bwh: Drop call to init_lockdown(), as efi_set_secure_boot() now calls this]
[bwh: Forward-ported to 5.6: efi_get_secureboot() no longer takes a
 sys_table parameter]
[bwh: Forward-ported to 5.7: EFI initialisation from FDT was rewritten, so:
 - Add Secure Boot mode to the parameter enumeration in fdtparams.c
 - Add a parameter to efi_get_fdt_params() to return the Secure Boot mode
 - Since Xen does not have a property name defined for Secure Boot mode,
   change efi_get_fdt_prop() to handle a missing property name by clearing
   the output variable]
[Salvatore Bonaccorso: Forward-ported to 5.10: f30f242 ("efi: Rename
arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]

Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira LE-2629
feature Additional SecureBoot patches for dynamic lockdown
commit 78c8af872660c31779951583b6f1ebf283d95985
commit-source https://salsa.debian.org/kernel-team/linux.git
commit-patch-path debian/patches/features/all/lockdown
commit-info Checkout the commit sha above and move to the directory
            listed above to find Debian patches matching this commits
            summary line.
UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.

Move the switch-statement in x86's setup_arch() that interprets the
secure_boot boot parameter to generic code and set the bit there.

Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
[rperier: Forward-ported to 5.5:
 - Use pr_warn()
 - Adjust context]
[bwh: Forward-ported to 5.6: adjust context]
[bwh: Forward-ported to 5.7:
 - Use the next available bit in efi.flags
 - Adjust context]
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira LE-2629
feature Additional SecureBoot patches for dynamic lockdown
commit 78c8af872660c31779951583b6f1ebf283d95985
commit-source https://salsa.debian.org/kernel-team/linux.git
commit-patch-path debian/patches/features/all/lockdown
commit-info Checkout the commit sha above and move to the directory
            listed above to find Debian patches matching this commits
            summary line.

Based on an earlier patch by David Howells, who wrote the following
description:

> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels.  Certain use cases may also
> require that all kernel modules also be signed.  Add a configuration option
> to lock down the kernel - which includes requiring validly signed
> modules - if the kernel is secure-booted.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[Salvatore Bonaccorso: After fixing https://bugs.debian.org/956197 the
help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that
lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)]
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
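A userspace check for the policy these lockdown patches implement, added here as an example and not code from the Debian patch series or the CIQ tree: it reads the SecureBoot EFI variable and the lockdown state and reports whether they agree. It assumes the mainline efivarfs layout (a 4-byte attribute header followed by the 1-byte variable value), the securityfs lockdown file format ("none [integrity] confidentiality"), and the standard UEFI GUID for the SecureBoot variable.

```shell
#!/bin/sh
# Added example: verify that "Secure Boot on" implies "kernel locked down".
# Assumed paths and formats: efivarfs (4 attribute bytes, then the value)
# and /sys/kernel/security/lockdown with the active mode in brackets.

SECUREBOOT_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
LOCKDOWN_FILE=/sys/kernel/security/lockdown

# Print "enabled" or "disabled" for an efivarfs SecureBoot file.
# Byte 5 (offset 4) is the variable data; bytes 1-4 are the EFI attributes.
secure_boot_state() {
    var_file=$1
    [ -r "$var_file" ] || { echo "unknown"; return 1; }
    value=$(od -An -tu1 -j4 -N1 "$var_file" | tr -d ' ')
    case "$value" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Print the active lockdown mode, i.e. the bracketed word in the file.
lockdown_mode() {
    ld_file=$1
    [ -r "$ld_file" ] || { echo "unavailable"; return 1; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$ld_file"
}

# Policy from LOCK_DOWN_IN_EFI_SECURE_BOOT: Secure Boot enabled must give
# integrity mode or stricter. With Secure Boot disabled, lockdown may still
# be set by other means (e.g. the lockdown= command line), so any mode is
# accepted. Returns 0 when consistent, 1 when Secure Boot is on but the
# kernel is not locked down.
policy_consistent() {
    case "$1:$2" in
        enabled:integrity|enabled:confidentiality) return 0 ;;
        enabled:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Live report; only runs where the securityfs file exists.
if [ -r "$LOCKDOWN_FILE" ]; then
    sb=$(secure_boot_state "$SECUREBOOT_VAR") || true
    mode=$(lockdown_mode "$LOCKDOWN_FILE") || true
    if policy_consistent "$sb" "$mode"; then
        echo "Secure Boot: $sb, lockdown: $mode (consistent)"
    else
        echo "Secure Boot: $sb, lockdown: $mode (MISMATCH: check lockdown config)"
    fi
fi
```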
jira LE-2629
feature Additional SecureBoot patches for dynamic lockdown
commit 78c8af872660c31779951583b6f1ebf283d95985
commit-source https://salsa.debian.org/kernel-team/linux.git
commit-patch-path debian/patches/features/all/lockdown
commit-info Checkout the commit sha above and move to the directory
            listed above to find Debian patches matching this commits
            summary line.

These drivers allow mapping arbitrary memory ranges as MTD devices.
This should be disabled to preserve the kernel's integrity when it is
locked down.

* Add the HWPARAM flag to the module parameters
* When slram is built-in, it uses __setup() to read kernel parameters,
  so add an explicit security_locked_down() check

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Matthew Garrett <mjg59@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Joern Engel <joern@lazybastard.org>
Cc: linux-mtd@lists.infradead.org
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira LE-2629
feature Fedora EFI status status
commit 7a60169d168d6aae70aca10b7b71070666068529
commit-source https://gitlab.com/cki-project/kernel-ark/

This adds efi_status_to_str() for use when printing efi_status_t
messages, and reworks efi_status_to_err() so that the two use a common
list of errors.

Upstream Status: RHEL only
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira LE-2629

The config option CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is enabled for
x86_64 from our base kernel-ark fork process; however, since we
prioritized the additional lockdown patches from Debian, which also
support ARM, and they have also set CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
for their arm configs as well, we must do the same.

For technical reasons it's defined here:
https://salsa.debian.org/kernel-team/linux/-/blob/debian/latest/debian/config/config?ref_type=heads#L7762

It was validated that this is the generic setting by downloading their
arm64 configs from here:
https://packages.debian.org/sid/amd64/linux-config-6.12/download
jira LE-2628

The config changes should have been run through make olddefconfig but
were not after making their modifications.  We want to do this so that
we can identify easily configs that might be introduced in a Zeta
release of the LT or Stable GKH kernels.

Fixes: 59a132d
[CIQ] v6.12.17 config updates

All configs dropped the following since it's dependent on ARCH_MVEBU,
which is not configured on, so there is no reason to ask.
 # CONFIG_CZNIC_PLATFORMS is not set
See upstream commit: dd0f05b

x86_64 configs also dropped a previously defined y config
 -CONFIG_IMX_SCMI_MISC_DRV=y
 This comes from firmware: imx: IMX_SCMI_MISC_DRV should depend on ARCH_MXC
See Upstream Commit: be6686b
What's a little confusing is that the fedora kernel-ark says that this is
marked as a `y`:
$ cat redhat/configs/rhel/generic/CONFIG_IMX_SCMI_MISC_DRV
CONFIG_IMX_SCMI_MISC_DRV=y

[kernel-ark]$ ls redhat/configs/kernel-6.13.8-x86_64*
redhat/configs/kernel-6.13.8-x86_64-automotive.config
redhat/configs/kernel-6.13.8-x86_64.config
redhat/configs/kernel-6.13.8-x86_64-rt.config
redhat/configs/kernel-6.13.8-x86_64-automotive-debug.config
redhat/configs/kernel-6.13.8-x86_64-debug.config
redhat/configs/kernel-6.13.8-x86_64-rt-debug.config

[kernel-ark]$ grep CONFIG_IMX_SCMI_MISC_DRV redhat/configs/kernel-6.13.8-x86_64*
[kernel-ark]$

Due to this we're leaving this as the default Kconfig of off for x86_64.

[CIQ] v6.12.19 - rebased configs

These are all default options that are extending other selections
already present in our configs.

FW_CACHE is enabled due to PM_SLEEP being enabled in all kernels
 drm/nouveau: select FW caching
 Upstream commit 6b481ab

DRM_CLIENT_SELECTION is enabled due to this change for nouveau
 drm/nouveau: Run DRM default client setup
 Upstream commit ef35089

DRM_CLIENT_SETUP is selected if DRM_CLIENT_SELECTION is selected and if
DRM_FBDEV_EMULATION is selected which is selected in all configs
 drm: Add client-agnostic setup helper
 Upstream commit d07fdf9

[CIQ] v6.12.23 - rebased configs

HAVE_EISA is only allowed for 32-bit
 x86/platform: Only allow CONFIG_EISA for 32-bit
 Upstream: commit 3e14d9a

LD_CAN_USE_KEEP_IN_OVERLAY is now enabled if LD_IS_BFD=y
 ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE
 Upstream: 59fc423

[CIQ] v6.12.24 - rebased configs

CONFIG_IRQ_BYPASS_MANAGER now follows KVM
CONFIG_HAVE_KVM_IRQ_BYPASS now follows KVM
 KVM: Allow building irqbypass.ko as as module when kvm.ko is a module
 Upstream: fae0a87

CONFIG_HID_UNIVERSAL_PIDFF is new
 HID: Add hid-universal-pidff driver and supported device ids
 Upstream: f45f26a

[CIQ] v6.12.25 - rebased configs

CONFIG_SND_HDA_CIRRUS_SCODEC and
CONFIG_SND_HDA_CIRRUS_SCODEC_KUNIT_TEST are no longer
automatically selected on arm64 builds
 ALSA: hda/cirrus_scodec_test: Don't select dependencies
 Upstream: 9b019be

[CIQ] v6.12.27 - rebased configs

The following changes come from :
  crypto: lib/Kconfig - Hide arch options from user
  17ec3e7
  which is a fix and simplification for:
    crypto: lib/Kconfig - Fix lib built-in failure when arch is modular
    1047e21

kernel-aarch64-64k-debug.config
kernel-aarch64-64k.config
kernel-aarch64-debug.config
kernel-aarch64.config
kernel-x86_64-debug.config
kernel-x86_64.config
 CONFIG_CRYPTO_LIB_CHACHA_INTERNAL=y
 CONFIG_CRYPTO_LIB_CURVE25519_INTERNAL=m
 CONFIG_CRYPTO_LIB_POLY1305_INTERNAL=y

kernel-x86_64-debug.config
kernel-x86_64.config
 -CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=m
 +CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=y

[CIQ] v6.12.29 - rebased configs

CONFIG_MITIGATION_ITS is new and enabled by default for x86
 x86/its: Add support for ITS-safe indirect thunk
 Upstream: 16a7d5b

[CIQ] v6.12.35 - rebased configs

CONFIG_LONGEST_SYM_KUNIT_TEST was added and defaults to =m
because our config already has CONFIG_KUNIT_ALL_TESTS=m
 Kunit to check the longest symbol length
 Upstream: b8abcba

[CIQ] v6.12.37 - rebased configs

CONFIG_MITIGATION_TSA set to yes to deal with AMD TSA hardware attacks
 x86/bugs: Add a Transient Scheduler Attacks mitigation
 Upstream: d8010d4

[CIQ] v6.12.42 - rebased configs

VHOST_ENABLE_FORK_OWNER_CONTROL was added and defaults to y so all
of our configs include it now
 vhost: Reintroduce kthread API and add mode selection
 Upstream: b2a3018

[CIQ] v6.12.44 - rebased configs

Previously the aarch64 64k configs explicitly did not set
DRM_XE.  But now DRM_XE is marked as BROKEN if page size is
not 4k, so DRM_XE is not set by default in these configs
due to the 64k page size.

 Mark xe driver as BROKEN if kernel page size is not 4kBI
 Upstream: ec22f92

[CIQ] v6.12.47 - rebased configs

CONFIG_MITIGATION_VMSCAPE is added and enabled for VMSCAPE attacks.
x86/vmscape: Enable the mitigation
Upstream commit 556c1ad
This is shown as an update for 6.12.61, but actually has nothing to
do with the kernel version.  The dwarves package in rocky 9 was upgraded
to 1.30 which changes the detected pahole version to 130.
New config SND_SOC_NAU8325 was added.
 ASoC: nau8325: add missing build config
 Upstream: cd41d34
WARN_ALL_UNSEEDED_RANDOM was removed completely
 Remove WARN_ALL_UNSEEDED_RANDOM kernel config option
 Upstream: 7dff99b

HAVE_FUNCTION_GRAPH_RETVAL was renamed to HAVE_FUNCTION_GRAPH_FREGS
 fgraph: Replace fgraph_ret_regs with ftrace_regs
 Upstream: a3ed415
This kernel does not guarantee a stable kabi
This aligns module packaging with Rocky 9
The configs are already in ciq/configs, so no need to have another
copy in SOURCES
We should be attributing CIQ as the signer of the kernel modules being built and
signed during the kernel build and packaging process.

This patch adds a 'x509.genkey.rocky' file which will be used when creating the
ephemeral cert that is used for signing the kernel modules at build time.

Signed-off-by: Michael L. Young <myoung@ciq.com>

AUTODEL-1213
This got left behind because of .gitignore
bmastbergen and others added 20 commits May 8, 2026 10:37
Rename spec file from kernel.spec to kernel-clk6.12.spec.

Introduce %{pkg_suffix} macro (clk%{patchversion}) and use it for:
- package_name: kernel-%{pkg_suffix}
- tool packages: perf, python3-perf, libperf, rtla, rv

Tool packages now named:
- perf-%{pkg_suffix}
- python3-perf-%{pkg_suffix}
- libperf-%{pkg_suffix}
- libperf-%{pkg_suffix}-devel
- rtla-%{pkg_suffix}
- rv-%{pkg_suffix}
- *-debuginfo variants

Each tool package includes:
- Provides: <original-name> = %{specrpmversion}-%{release}
- Conflicts: <original-name>

Adds Provides and Conflicts tags to kernel-clk6.12-* packages that
cannot be parallel installed with stock Rocky kernel packages:
- kernel-doc
- kernel-headers
- kernel-cross-headers
- kernel-debuginfo-common
- kernel-tools
- kernel-tools-libs
- kernel-tools-libs-devel
- kernel-selftests-internal

This allows these packages to satisfy dependencies for stock kernel
packages while preventing simultaneous installation with stock Rocky
kernel tools.

Remove gemini switch, which comes from kernel-ark and is part of their
solution for a kernel variant that should supplant the factory kernel.

Fix config file naming in %prep to use %{name} instead of hardcoded
'kernel' prefix.

Update generate_tarball.sh to reference kernel-clk6.12.spec.
Switch Module.symvers compression from the dynamic %compression
macro (xz) to hardcoded gzip -c9, matching the upstream kernel spec.
Also fixes the ghost file permissions from 0644 to 0600.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Dieter <jdieter@ciq.com>
Inject +%{pkg_suffix} into KVERREL and the shell-level equivalents
(KernelVer, DevelDir, EXTRAVERSION) so that uname -r shows the CLK
kernel identity, e.g. 6.12.78-1.1.el9_ciq.x86_64+clk6.12.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Dieter <jdieter@ciq.com>
- Consolidate version defines (kernel_major_minor, kernel_patch, buildid)
- Derive specversion, pkgrelease, tarfile_release from base defines
- Rework -default package with proper scriptlets and kernel-provider
- Convert tools subpackages to short form naming
- Bundle bindgen-cli for Rocky 9.6 builds
- Export GRUB_NON_STANDARD_KERNEL to prevent boot default hijacking
- Update generate_tarball.sh for new version scheme

Fix Provides/Requires to use %{name} instead of hardcoded kernel

Package names should use %{name} (kernel-clk6.12) instead of hardcoded
'kernel' in Provides and Requires to ensure dependency resolution works
correctly for CLK kernels.
Adds 'Provides: kernel = version' to base package for compatibility
with packages depending on generic kernel capability.
Add versioned Provides for kernel-headers, kernel-devel, and
kernel-devel-<arch> so the namespaced CLK packages satisfy the same
dependency capabilities as stock Rocky kernel packages.

Remove Conflicts on kernel-headers and kernel-cross-headers since the
namespaced packages now provide those capabilities directly.
…ons, ipaclones

Replace remaining hardcoded 'kernel' references with %{name} in:
- kernel_kvm_package: Summary, Requires, Provides, %description
- uki-virt-addons: Requires
- kernel_ipaclones_package: Summary
- Add set -e so the script exits on any command failure
- Add -f (--fail) to curl so HTTP errors are caught
- Verify the downloaded crate against the known SHA256 from crates.io
  before extracting
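The fail-closed download-and-verify pattern this commit describes, written as an added example and not the spec's own bundle_bindgen script. It assumes curl and coreutils sha256sum are available; the pinned digest is supplied by the caller and comes from a source independent of the download itself.

```shell
#!/bin/sh
# Added example: download an artifact, verify its SHA256 against a pinned
# digest, and only then move it into place. Assumes curl and sha256sum.
set -e   # any failing command aborts the script

# Compare a file's SHA256 with a pinned, lowercase hex digest.
# Returns 0 on match, 1 on mismatch (both digests go to stderr).
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "SHA256 mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# Fetch to a temporary path, verify, then rename into place.
# curl --fail turns HTTP errors into a non-zero exit instead of saving an
# error page as the artifact; the unverified file is removed on any failure
# because set -e exits the script and the EXIT trap cleans up.
fetch_verified() {
    url=$1
    dest=$2
    expected=$3
    partial="$dest.partial"
    trap 'rm -f "$partial"' EXIT
    curl --fail --silent --show-error --location -o "$partial" "$url"
    verify_sha256 "$partial" "$expected"
    mv "$partial" "$dest"
    trap - EXIT
}

# Usage (hypothetical values):
#   fetch_verified https://example.invalid/crate.tar.gz crate.tar.gz <pinned-sha256>
#   tar -xzf crate.tar.gz   # extraction happens only after verification
```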
cve-pre CVE-2026-43500
commit-author David Howells <dhowells@redhat.com>
commit 24481a7
upstream-diff |
	Used rxrpc_skb_put_input instead of rxrpc_skb_put_response_copy
	when freeing the unshared skb copy.  The upstream trace enum
	rxrpc_skb_put_response_copy was introduced in the upstream
	prerequisite commit 1f27401 ("rxrpc: Fix potential UAF after
	skb_unshare() failure"), but the 6.12 stable backport of that
	commit (bf20f46) correctly omitted it because no code in the
	tree used it at the time.  rxrpc_skb_put_input is the enum used by
	the analogous unshare-copy-free pattern in call_event.c from the
	same backported series.

The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).

Fix this by handing a copy of the packet off to the specific security
handler if the packet was cloned.

Fixes: 17926a7 ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 24481a7)
Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
cve CVE-2026-43500
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit -
commit-source https://lore.kernel.org/all/af2kdW2F1gJ9U-Gg@v4bel

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true.  An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true.  This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO).  The OOM/trace handling already in place is reused.

Fixes: d0d5c0c ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label May 8, 2026
@bmastbergen bmastbergen force-pushed the {automation_tmp}_ciq-6.12.y-next branch from fc9a091 to f8d8986 Compare May 8, 2026 21:01
@bmastbergen bmastbergen requested a review from a team May 8, 2026 21:05

@PlaidCat PlaidCat left a comment


:shipit:

@PlaidCat PlaidCat requested a review from a team May 8, 2026 21:14

@kerneltoast kerneltoast left a comment


🚢

@bmastbergen

/lt_rebase_merge

@ciq-kernel-automation ciq-kernel-automation Bot merged commit f8d8986 into ciq-6.12.y-next May 8, 2026
9 checks passed
@ciq-kernel-automation ciq-kernel-automation Bot deleted the {automation_tmp}_ciq-6.12.y-next branch May 8, 2026 23:40
@ciq-kernel-automation

LT Rebase Merge completed successfully

Successfully completed LT 6.12 rebase merge

Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25584592687

