kernel-source/patches/kernel.spec.patch - backupdr - Git at Google

 --- thirdparty/SPECS/kernel.spec	2022-06-08 15:20:05.813872246 +0000
 +++ kernel.spec	2022-06-08 15:22:00.662019559 +0000
 @@ -6,6 +6,7 @@
  %define dist .el7

  # % define buildid .local
 +%define buildid .actnfs_KNLSUFFIX

  # If there's no unversioned python, select version explicitly,
  # so it's possible to at least do rh-srpm.
 @@ -98,7 +99,7 @@
  # Set debugbuildsenabled to 1 for production (build separate debug kernels)
  #  and 0 for rawhide (all kernels are debug kernels).
  # See also 'make debug' and 'make release'. RHEL only ever does 1.
 -%define debugbuildsenabled 1
 +%define debugbuildsenabled 0

  %define with_gcov %{?_with_gcov:1}%{?!_with_gcov:0}

 @@ -464,6 +465,7 @@
  Patch1000: debrand-single-cpu.patch
  Patch1001: debrand-rh_taint.patch
  Patch1002: debrand-rh-i686-cpu.patch
 +Patch6666: nfscache.patch

  BuildRoot: %{_tmppath}/kernel-%{KVRA}-root

 @@ -807,6 +809,7 @@
  ApplyOptionalPatch debrand-single-cpu.patch
  ApplyOptionalPatch debrand-rh_taint.patch
  ApplyOptionalPatch debrand-rh-i686-cpu.patch
 +ApplyOptionalPatch nfscache.patch

  # Any further pre-build tree manipulations happen here.

 @@ -969,6 +972,17 @@
      %pesign -s -i $KernelImage.tmp -o $KernelImage.signed -a %{SOURCE15} -c %{SOURCE16} -n %{pesign_name_1}
      rm $KernelImage.tmp
      mv $KernelImage.signed $KernelImage
 +    sbattach --detach $KernelImage.oldsig --remove $KernelImage
 +    sbattach --remove $KernelImage
 +    kms_signer --project backupdr-build --location global \
 +    --keyring uefi-signing-prod --key db-signing --key-version 1 pkcs7 \
 +    --signing-cert /target/dbsign-v1.crt --input $KernelImage.oldsig \
 +    --output $KernelImage.newsig
 +    cp $KernelImage  $KernelImage.signed
 +    sbattach --attach $KernelImage.newsig $KernelImage.signed
 +    mv $KernelImage.signed $KernelImage
 +    rm -f $KernelImage.newsig
 +    rm -f $KernelImage.oldsig
  %endif
      $CopyKernel $KernelImage $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
      chmod 755 $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
 @@ -2067,6 +2070,9 @@
  - powerpc/rtas: Restrict RTAS requests from userspace (Aristeu Rozanski) [1906443] {CVE-2020-27777}
  - IB/mlx5: Fix initializing CQ fragments buffer (Alaa Hleihel) [1962499]

 +* Tue Aug 03 2021 Mark Woodward <woodwardm@google.com> [3.10.0-1160.36.2.el7]
 +- Backport fix for nfs cache
 +
  * Wed Jul 28 2021 Augusto Caringi <acaringi@redhat.com> [3.10.0-1160.39.1.el7]
  - netfilter: x_tables: fix compat match/target pad out-of-bound write (Florian Westphal) [1980489] {CVE-2021-22555}
  - Revert "be2net: disable bh with spin_lock in be_process_mcc" (Petr Oros) [1971744]
	--- thirdparty/SPECS/kernel.spec 2022-06-08 15:20:05.813872246 +0000
	+++ kernel.spec 2022-06-08 15:22:00.662019559 +0000
	@@ -6,6 +6,7 @@
	%define dist .el7

	# % define buildid .local
	+%define buildid .actnfs_KNLSUFFIX

	# If there's no unversioned python, select version explicitly,
	# so it's possible to at least do rh-srpm.
	@@ -98,7 +99,7 @@
	# Set debugbuildsenabled to 1 for production (build separate debug kernels)
	# and 0 for rawhide (all kernels are debug kernels).
	# See also 'make debug' and 'make release'. RHEL only ever does 1.
	-%define debugbuildsenabled 1
	+%define debugbuildsenabled 0

	%define with_gcov %{?_with_gcov:1}%{?!_with_gcov:0}

	@@ -464,6 +465,7 @@
	Patch1000: debrand-single-cpu.patch
	Patch1001: debrand-rh_taint.patch
	Patch1002: debrand-rh-i686-cpu.patch
	+Patch6666: nfscache.patch

	BuildRoot: %{_tmppath}/kernel-%{KVRA}-root

	@@ -807,6 +809,7 @@
	ApplyOptionalPatch debrand-single-cpu.patch
	ApplyOptionalPatch debrand-rh_taint.patch
	ApplyOptionalPatch debrand-rh-i686-cpu.patch
	+ApplyOptionalPatch nfscache.patch

	# Any further pre-build tree manipulations happen here.

	@@ -969,6 +972,17 @@
	%pesign -s -i $KernelImage.tmp -o $KernelImage.signed -a %{SOURCE15} -c %{SOURCE16} -n %{pesign_name_1}
	rm $KernelImage.tmp
	mv $KernelImage.signed $KernelImage
	+ sbattach --detach $KernelImage.oldsig --remove $KernelImage
	+ sbattach --remove $KernelImage
	+ kms_signer --project backupdr-build --location global \
	+ --keyring uefi-signing-prod --key db-signing --key-version 1 pkcs7 \
	+ --signing-cert /target/dbsign-v1.crt --input $KernelImage.oldsig \
	+ --output $KernelImage.newsig
	+ cp $KernelImage $KernelImage.signed
	+ sbattach --attach $KernelImage.newsig $KernelImage.signed
	+ mv $KernelImage.signed $KernelImage
	+ rm -f $KernelImage.newsig
	+ rm -f $KernelImage.oldsig
	%endif
	$CopyKernel $KernelImage $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
	chmod 755 $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
	@@ -2067,6 +2070,9 @@
	- powerpc/rtas: Restrict RTAS requests from userspace (Aristeu Rozanski) [1906443] {CVE-2020-27777}
	- IB/mlx5: Fix initializing CQ fragments buffer (Alaa Hleihel) [1962499]

	+* Tue Aug 03 2021 Mark Woodward <woodwardm@google.com> [3.10.0-1160.36.2.el7]
	+- Backport fix for nfs cache
	+
	* Wed Jul 28 2021 Augusto Caringi <acaringi@redhat.com> [3.10.0-1160.39.1.el7]
	- netfilter: x_tables: fix compat match/target pad out-of-bound write (Florian Westphal) [1980489] {CVE-2021-22555}
	- Revert "be2net: disable bh with spin_lock in be_process_mcc" (Petr Oros) [1971744]