%global security_hardening none
Summary: Kernel
Name: linux-secure
Version: 4.9.101
Release: 1%{?kat_build:.%kat_build}%{?dist}
License: GPLv2
URL: http://www.kernel.org/
Group: System Environment/Kernel
Vendor: VMware, Inc.
Distribution: Photon
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
%define sha1 linux=12b399649df63355823d482fd91711b1be3e7f1b
Source1: config-secure
Source2: aufs4.9.tar.gz
%define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906
Source3: initramfs.trigger
# common
Patch0: x86-vmware-read-tsc_khz-only-once-at-boot-time.patch
Patch1: x86-vmware-use-tsc_khz-value-for-calibrate_cpu.patch
Patch2: x86-vmware-add-basic-paravirt-ops-support.patch
Patch3: x86-vmware-add-paravirt-sched-clock.patch
Patch4: x86-vmware-log-kmsg-dump-on-panic.patch
Patch5: double-tcp_mem-limits.patch
Patch6: linux-4.9-sysctl-sched_weighted_cpuload_uses_rla.patch
Patch7: linux-4.9-watchdog-Disable-watchdog-on-virtual-machines.patch
Patch9: SUNRPC-Do-not-reuse-srcport-for-TIME_WAIT-socket.patch
Patch10: SUNRPC-xs_bind-uses-ip_local_reserved_ports.patch
Patch11: vsock-transport-for-9p.patch
Patch12: x86-vmware-sta.patch
# secure
Patch13: 0001-NOWRITEEXEC-and-PAX-features-MPROTECT-EMUTRAMP.patch
Patch14: 0002-Added-rap_plugin.patch
Patch15: 0003-Added-PAX_RANDKSTACK.patch
# HyperV Patches
Patch16: 0004-vmbus-Don-t-spam-the-logs-with-unknown-GUIDs.patch
Patch17: 0005-Drivers-hv-utils-Fix-the-mapping-between-host-versio.patch
Patch18: 0006-Drivers-hv-vss-Improve-log-messages.patch
Patch19: 0007-Drivers-hv-vss-Operation-timeouts-should-match-host-.patch
Patch20: 0008-Drivers-hv-vmbus-Use-all-supported-IC-versions-to-ne.patch
Patch21: 0009-Drivers-hv-Log-the-negotiated-IC-versions.patch
Patch22: 0010-vmbus-fix-missed-ring-events-on-boot.patch
Patch23: 0011-vmbus-remove-goto-error_clean_msglist-in-vmbus_open.patch
Patch24: 0012-vmbus-dynamically-enqueue-dequeue-the-channel-on-vmb.patch
Patch26: 0014-hv_sock-introduce-Hyper-V-Sockets.patch
#FIPS patches - allow some algorithms
Patch27: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch
Patch28: 0002-allow-also-ecb-cipher_null.patch
Patch29: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
# Fix CVE-2017-1000252
Patch31: kvm-dont-accept-wrong-gsi-values.patch
Patch32: vmxnet3-avoid-xmit-reset-due-to-a-race-in-vmxnet3.patch
Patch33: vmxnet3-use-correct-flag-to-indicate-LRO-feature.patch
Patch34: netfilter-ipset-pernet-ops-must-be-unregistered-last.patch
Patch35: vmxnet3-fix-incorrect-dereference-when-rxvlan-is-disabled.patch
# Fixes for CVE-2018-1000026
Patch36: 0001-net-create-skb_gso_validate_mac_len.patch
Patch37: 0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch
# Fix for CVE-2017-18216
Patch39: 0001-ocfs2-subsystem.su_mutex-is-required-while-accessing.patch
# Fix for CVE-2018-8043
Patch40: 0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
# Fix for CVE-2018-8087
Patch41: 0001-mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch
# Fix for CVE-2017-18241
Patch42: 0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch
# Fix for CVE-2017-18224
Patch43: 0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch
# For Spectre
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch
Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch
Patch54: 0143-x86-bpf-jit-prevent-speculative-execution-when-JIT-i.patch
Patch55: 0144-uvcvideo-prevent-speculative-execution.patch
Patch56: 0145-carl9170-prevent-speculative-execution.patch
Patch57: 0146-p54-prevent-speculative-execution.patch
Patch58: 0147-qla2xxx-prevent-speculative-execution.patch
Patch59: 0148-cw1200-prevent-speculative-execution.patch
Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch
Patch61: 0150-ipv4-prevent-speculative-execution.patch
Patch62: 0151-ipv6-prevent-speculative-execution.patch
Patch64: 0153-net-mpls-prevent-speculative-execution.patch
Patch65: 0154-udf-prevent-speculative-execution.patch
Patch66: 0155-userns-prevent-speculative-execution.patch
# Fix CVE-2018-3639 (Speculative Store Bypass)
Patch201: 0001-x86-amd-don-t-set-X86_BUG_SYSRET_SS_ATTRS-when-runni.patch
Patch202: 0002-x86-nospec-Simplify-alternative_msr_write.patch
Patch203: 0003-x86-bugs-Concentrate-bug-detection-into-a-separate-f.patch
Patch204: 0004-x86-bugs-Concentrate-bug-reporting-into-a-separate-f.patch
Patch205: 0005-x86-bugs-Read-SPEC_CTRL-MSR-during-boot-and-re-use-r.patch
Patch206: 0006-x86-bugs-KVM-Support-the-combination-of-guest-and-ho.patch
Patch207: 0007-x86-bugs-Expose-sys-.-spec_store_bypass.patch
Patch208: 0008-x86-cpufeatures-Add-X86_FEATURE_RDS.patch
Patch209: 0009-x86-bugs-Provide-boot-parameters-for-the-spec_store_.patch
Patch210: 0010-x86-bugs-intel-Set-proper-CPU-features-and-setup-RDS.patch
Patch211: 0011-x86-bugs-Whitelist-allowed-SPEC_CTRL-MSR-values.patch
Patch212: 0012-x86-bugs-AMD-Add-support-to-disable-RDS-on-Fam-15-16.patch
Patch213: 0013-x86-KVM-VMX-Expose-SPEC_CTRL-Bit-2-to-the-guest.patch
Patch214: 0014-x86-speculation-Create-spec-ctrl.h-to-avoid-include-.patch
Patch215: 0015-prctl-Add-speculation-control-prctls.patch
Patch216: 0016-x86-process-Optimize-TIF-checks-in-__switch_to_xtra.patch
Patch217: 0017-x86-process-Correct-and-optimize-TIF_BLOCKSTEP-switc.patch
Patch218: 0018-x86-process-Optimize-TIF_NOTSC-switch.patch
Patch219: 0019-x86-process-Allow-runtime-control-of-Speculative-Sto.patch
Patch220: 0020-x86-speculation-Add-prctl-for-Speculative-Store-Bypa.patch
Patch221: 0021-nospec-Allow-getting-setting-on-non-current-task.patch
Patch222: 0022-proc-Provide-details-on-speculation-flaw-mitigations.patch
Patch223: 0023-seccomp-Enable-speculation-flaw-mitigations.patch
Patch224: 0024-x86-bugs-Make-boot-modes-__ro_after_init.patch
Patch225: 0025-prctl-Add-force-disable-speculation.patch
Patch226: 0026-seccomp-Use-PR_SPEC_FORCE_DISABLE.patch
Patch227: 0027-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch
Patch228: 0028-seccomp-Move-speculation-migitation-control-to-arch-.patch
Patch229: 0029-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch
Patch230: 0030-x86-bugs-Rename-_RDS-to-_SSBD.patch
Patch231: 0031-proc-Use-underscores-for-SSBD-in-status.patch
Patch232: 0032-Documentation-spec_ctrl-Do-some-minor-cleanups.patch
Patch233: 0033-x86-bugs-Fix-__ssb_select_mitigation-return-type.patch
Patch234: 0034-x86-bugs-Make-cpu_show_common-static.patch
Patch235: 0035-x86-bugs-Fix-the-parameters-alignment-and-missing-vo.patch
Patch236: 0036-x86-cpu-Make-alternative_msr_write-work-for-32-bit-c.patch
Patch237: 0037-KVM-SVM-Move-spec-control-call-after-restore-of-GS.patch
Patch238: 0038-x86-speculation-Use-synthetic-bits-for-IBRS-IBPB-STI.patch
Patch239: 0039-x86-cpufeatures-Disentangle-MSR_SPEC_CTRL-enumeratio.patch
Patch240: 0040-x86-cpufeatures-Disentangle-SSBD-enumeration.patch
Patch241: 0041-x86-cpu-AMD-Fix-erratum-1076-CPB-bit.patch
Patch242: 0042-x86-cpufeatures-Add-FEATURE_ZEN.patch
Patch243: 0043-x86-speculation-Handle-HT-correctly-on-AMD.patch
Patch244: 0044-x86-bugs-KVM-Extend-speculation-control-for-VIRT_SPE.patch
Patch245: 0045-x86-speculation-Add-virtualized-speculative-store-by.patch
Patch246: 0046-x86-speculation-Rework-speculative_store_bypass_upda.patch
Patch247: 0047-x86-bugs-Unify-x86_spec_ctrl_-set_guest-restore_host.patch
Patch248: 0048-x86-bugs-Expose-x86_spec_ctrl_base-directly.patch
Patch249: 0049-x86-bugs-Remove-x86_spec_ctrl_set.patch
Patch250: 0050-x86-bugs-Rework-spec_ctrl-base-and-mask-logic.patch
Patch251: 0051-x86-speculation-KVM-Implement-support-for-VIRT_SPEC_.patch
Patch252: 0052-KVM-SVM-Implement-VIRT_SPEC_CTRL-support-for-SSBD.patch
Patch253: 0053-x86-bugs-Rename-SSBD_NO-to-SSB_NO.patch
# NSX requirements (should be removed)
Patch99: LKCM.patch
%if 0%{?kat_build:1}
Patch1000: %{kat_build}.patch
%endif
BuildRequires: bc
BuildRequires: kbd
BuildRequires: kmod-devel
BuildRequires: glib-devel
BuildRequires: xerces-c-devel
BuildRequires: xml-security-c-devel
BuildRequires: libdnet-devel
BuildRequires: libmspack-devel
BuildRequires: Linux-PAM-devel
BuildRequires: openssl-devel
BuildRequires: procps-ng-devel
Requires: filesystem kmod
Requires(post):(coreutils or toybox)
%define uname_r %{version}-%{release}-secure
%description
Security hardened Linux kernel.
%package lkcm
Summary: LKCM module
Group: System Environment/Kernel
Requires: %{name} = %{version}-%{release}
%description lkcm
The Linux package contains the LKCM driver module
%package devel
Summary: Kernel Dev
Group: System Environment/Kernel
Requires: python2 gawk
Requires: %{name} = %{version}-%{release}
%description devel
The Linux package contains the Linux kernel dev files
%package docs
Summary: Kernel docs
Group: System Environment/Kernel
Requires: python2
Requires: %{name} = %{version}-%{release}
%description docs
The Linux package contains the Linux kernel doc files
%prep
%setup -q -n linux-%{version}
%setup -D -b 2 -n linux-%{version}
# apply aufs patch
patch -p1 < ../aufs4-standalone-aufs4.9/aufs4-kbuild.patch
patch -p1 < ../aufs4-standalone-aufs4.9/aufs4-base.patch
patch -p1 < ../aufs4-standalone-aufs4.9/aufs4-mmap.patch
patch -p1 < ../aufs4-standalone-aufs4.9/aufs4-standalone.patch
cp -a ../aufs4-standalone-aufs4.9/Documentation/ .
cp -a ../aufs4-standalone-aufs4.9/fs/ .
cp ../aufs4-standalone-aufs4.9/include/uapi/linux/aufs_type.h include/uapi/linux/
cat >> %{SOURCE1} << "EOF"
CONFIG_AUFS_FS=m
CONFIG_AUFS_BRANCH_MAX_127=y
# CONFIG_AUFS_BRANCH_MAX_511 is not set
# CONFIG_AUFS_BRANCH_MAX_1023 is not set
# CONFIG_AUFS_BRANCH_MAX_32767 is not set
CONFIG_AUFS_SBILIST=y
# CONFIG_AUFS_HNOTIFY is not set
# CONFIG_AUFS_EXPORT is not set
# CONFIG_AUFS_XATTR is not set
# CONFIG_AUFS_FHSM is not set
# CONFIG_AUFS_RDU is not set
# CONFIG_AUFS_SHWH is not set
# CONFIG_AUFS_BR_RAMFS is not set
# CONFIG_AUFS_BR_FUSE is not set
CONFIG_AUFS_BDEV_LOOP=y
# CONFIG_AUFS_DEBUG is not set
EOF
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch16 -p1
%patch17 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
# spectre
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
# secure
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch201 -p1
%patch202 -p1
%patch203 -p1
%patch204 -p1
%patch205 -p1
%patch206 -p1
%patch207 -p1
%patch208 -p1
%patch209 -p1
%patch210 -p1
%patch211 -p1
%patch212 -p1
%patch213 -p1
%patch214 -p1
%patch215 -p1
%patch216 -p1
%patch217 -p1
%patch218 -p1
%patch219 -p1
%patch220 -p1
%patch221 -p1
%patch222 -p1
%patch223 -p1
%patch224 -p1
%patch225 -p1
%patch226 -p1
%patch227 -p1
%patch228 -p1
%patch229 -p1
%patch230 -p1
%patch231 -p1
%patch232 -p1
%patch233 -p1
%patch234 -p1
%patch235 -p1
%patch236 -p1
%patch237 -p1
%patch238 -p1
%patch239 -p1
%patch240 -p1
%patch241 -p1
%patch242 -p1
%patch243 -p1
%patch244 -p1
%patch245 -p1
%patch246 -p1
%patch247 -p1
%patch248 -p1
%patch249 -p1
%patch250 -p1
%patch251 -p1
%patch252 -p1
%patch253 -p1
pushd ..
%patch99 -p0
popd
%if 0%{?kat_build:1}
%patch1000 -p1
%endif
%build
# patch vmw_balloon driver
sed -i 's/module_init/late_initcall/' drivers/misc/vmw_balloon.c
make mrproper
cp %{SOURCE1} .config
sed -i 's/CONFIG_LOCALVERSION="-secure"/CONFIG_LOCALVERSION="-%{release}-secure"/' .config
make LC_ALL= oldconfig
make VERBOSE=1 KBUILD_BUILD_VERSION="1-photon" KBUILD_BUILD_HOST="photon" ARCH="x86_64" %{?_smp_mflags}
# build LKCM module
bldroot=`pwd`
pushd ../LKCM
make -C $bldroot M=`pwd` modules
popd
%define __modules_install_post \
for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \
./scripts/sign-file sha512 certs/signing_key.pem certs/signing_key.x509 $MODULE \
rm -f $MODULE.{sig,dig} \
xz $MODULE \
done \
%{nil}
# __os_install_post strips signature from modules. We need to resign it again
# and then compress. Extra step is added to the default __spec_install_post.
%define __spec_install_post\
%{?__debug_package:%{__debug_install_post}}\
%{__arch_install_post}\
%{__os_install_post}\
%{__modules_install_post}\
%{nil}
%install
install -vdm 755 %{buildroot}/etc
install -vdm 755 %{buildroot}/boot
install -vdm 755 %{buildroot}%{_defaultdocdir}/linux-%{uname_r}
install -vdm 755 %{buildroot}/etc/modprobe.d
install -vdm 755 %{buildroot}/usr/src/linux-headers-%{uname_r}
make INSTALL_MOD_PATH=%{buildroot} modules_install
# install LKCM module
bldroot=`pwd`
pushd ../LKCM
make -C $bldroot M=`pwd` INSTALL_MOD_PATH=%{buildroot} modules_install
popd
cp -v arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r}
cp -v System.map %{buildroot}/boot/System.map-%{uname_r}
cp -v .config %{buildroot}/boot/config-%{uname_r}
cp -r Documentation/* %{buildroot}%{_defaultdocdir}/linux-%{uname_r}
install -vdm 755 %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}
cp -v vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r}
# Since we use compressed modules we cann't use load pinning,
# because .ko files will be loaded from the memory (LoadPin: obj=<unknown>)
cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF"
# GRUB Environment Block
photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 slub_debug=P page_poison=1 slab_nomerge
photon_linux=vmlinuz-%{uname_r}
photon_initrd=initrd.img-%{uname_r}
EOF
# Register myself to initramfs
mkdir -p %{buildroot}/%{_localstatedir}/lib/initramfs/kernel
cat > %{buildroot}/%{_localstatedir}/lib/initramfs/kernel/%{uname_r} << "EOF"
--add-drivers "tmem xen-scsifront xen-blkfront xen-acpi-processor xen-evtchn xen-gntalloc xen-gntdev xen-privcmd xen-pciback xenfs hv_utils hv_vmbus hv_storvsc hv_netvsc hv_sock hv_balloon cn"
EOF
# cleanup dangling symlinks
rm -f %{buildroot}/lib/modules/%{uname_r}/source
rm -f %{buildroot}/lib/modules/%{uname_r}/build
# create /use/src/linux-headers-*/ content
find . -name Makefile* -o -name Kconfig* -o -name *.pl | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
find arch/x86/include include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
find $(find arch/x86 -name include -o -name scripts -type d) -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
find arch/x86/include Module.symvers include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
# copy .config manually to be where it's expected to be
cp .config %{buildroot}/usr/src/linux-headers-%{uname_r}
# symling to the build folder
ln -sf /usr/src/linux-headers-%{uname_r} %{buildroot}/lib/modules/%{uname_r}/build
%include %{SOURCE3}
%post
/sbin/depmod -a %{uname_r}
ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
%post lkcm
/sbin/depmod -a %{uname_r}
%files
%defattr(-,root,root)
/boot/System.map-%{uname_r}
/boot/config-%{uname_r}
/boot/vmlinuz-%{uname_r}
%config(noreplace) /boot/linux-%{uname_r}.cfg
%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
/lib/firmware/*
/lib/modules/*
%exclude /lib/modules/%{uname_r}/build
%exclude /usr/src
%exclude /lib/modules/%{uname_r}/extra/fips_lkcm.ko.xz
%files lkcm
%defattr(-,root,root)
/lib/modules/%{uname_r}/extra/fips_lkcm.ko.xz
%files docs
%defattr(-,root,root)
%{_defaultdocdir}/linux-%{uname_r}/*
%files devel
%defattr(-,root,root)
/lib/modules/%{uname_r}/build
/usr/src/linux-headers-%{uname_r}
%changelog
* Mon May 21 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.101-1
- Update to version 4.9.101 and fix CVE-2018-3639.
* Wed May 09 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.99-1
- Update to version 4.9.99
* Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-2
- Fix CVE-2017-18216, CVE-2018-8043, CVE-2018-8087, CVE-2017-18241,
- CVE-2017-18224.
* Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-1
- Update to version 4.9.98
* Wed May 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.97-3
- Fix CVE-2017-18255.
* Tue May 01 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.97-2
- Fix CVE-2018-1000026.
* Mon Apr 30 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.97-1
- Update to version 4.9.97. Apply 3rd vmxnet3 patch.
* Mon Apr 23 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.94-2
- Add full retpoline support by building with retpoline-enabled gcc.
* Wed Apr 18 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.94-1
- Update to version 4.9.94. Fix panic in ip_set.
* Mon Apr 02 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.92-1
- Update to version 4.9.92. Apply vmxnet3 patches.
* Tue Mar 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.90-1
- Update to version 4.9.90
* Thu Mar 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.89-1
- Update to version 4.9.89
* Mon Mar 19 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.80-2
- Extra hardening: slab_nomerge, disable /proc/kcore
* Mon Feb 05 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-1
- Update to version 4.9.80
* Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1
- Update version to 4.9.79
* Fri Jan 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.78-1
- Update version to 4.9.78.
* Wed Jan 10 2018 Bo Gan <ganb@vmware.com> 4.9.76-1
- Version update
* Sun Jan 07 2018 Bo Gan <ganb@vmware.com> 4.9.75-3
- Second Spectre fix, clear user controlled registers upon syscall entry
* Sun Jan 07 2018 Bo Gan <ganb@vmware.com> 4.9.75-2
- Initial Spectre fix
* Fri Jan 05 2018 Bo Gan <ganb@vmware.com> 4.9.75-1
- Verion update (fix Intel Meltdown)
* Thu Jan 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-3
- Update vsock transport for 9p with newer version.
* Wed Jan 03 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-2
- Fix SMB3 mount regression.
* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-1
- Version update
- Add patches to fix CVE-2017-8824, CVE-2017-17448 and CVE-2017-17450.
* Thu Dec 21 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.71-1
- Version update
* Mon Dec 04 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.66-1
- Version update
* Tue Nov 21 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.64-1
- Version update
* Wed Nov 08 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.60-2
- Update LKCM module
- Add -lkcm subpackage
* Mon Nov 06 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.60-1
- Version update
* Wed Oct 11 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.53-3
- Add patch "KVM: Don't accept obviously wrong gsi values via
KVM_IRQFD" to fix CVE-2017-1000252.
* Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.53-2
- Build hang (at make oldconfig) fix.
* Thu Oct 05 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.53-1
- Version update
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-3
- Allow privileged CLONE_NEWUSER from nested user namespaces.
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-2
- Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak)
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-1
- Version update
* Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-2
- Requires coreutils or toybox
* Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-1
- Fix CVE-2017-11600
* Tue Aug 22 2017 Anish Swaminathan <anishs@vmware.com> 4.9.43-2
- Add missing xen block drivers
* Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1
- Version update
- [feature] new sysctl option unprivileged_userns_clone
* Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2
- Fix CVE-2017-7542
- [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid
panic on modprobe tcrypt
* Mon Aug 07 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-1
- Version update
* Fri Aug 04 2017 Bo Gan <ganb@vmware.com> 4.9.38-6
- Fix initramfs triggers
* Tue Aug 01 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-5
- Allow some algorithms in FIPS mode
- Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports
- bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree
- Enable additional NF features
* Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-4
- Add patches in Hyperv codebase
* Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-3
- Add missing hyperv drivers
* Thu Jul 20 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.38-2
- Disable scheduler beef up patch
* Tue Jul 18 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.38-1
- Fix CVE-2017-11176 and CVE-2017-10911
* Fri Jul 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.34-3
- Remove aufs source tarballs from git repo
* Mon Jul 03 2017 Xiaolin Li <xiaolinl@vmware.com> 4.9.34-2
- Add libdnet-devel, kmod-devel and libmspack-devel to BuildRequires
* Wed Jun 28 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.34-1
- [feature] 9P FS security support
- [feature] DM Delay target support
- Fix CVE-2017-1000364 ("stack clash") and CVE-2017-9605
* Thu Jun 8 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.31-1
- Fix CVE-2017-8890, CVE-2017-9074, CVE-2017-9075, CVE-2017-9076
CVE-2017-9077 and CVE-2017-9242
- [feature] IPV6 netfilter NAT table support
* Fri May 26 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.30-1
- Fix CVE-2017-7487 and CVE-2017-9059
* Wed May 17 2017 Vinay Kulkarni <kulkarniv@vmware.com> 4.9.28-2
- Enable IPVLAN module.
* Tue May 16 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.28-1
- Version update
* Wed May 10 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.27-1
- Version update
* Sun May 7 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.26-1
- Version update
- Removed version suffix from config file name
* Thu Apr 27 2017 Bo Gan <ganb@vmware.com> 4.9.24-2
- Support dynamic initrd generation
* Tue Apr 25 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.24-1
- Fix CVE-2017-6874 and CVE-2017-7618.
- .config: build nvme and nvme-core in kernel.
* Tue Mar 21 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.13-3
- Added LKCM module
* Mon Mar 6 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.13-2
- .config: NSX requirements for crypto and netfilter
* Tue Feb 28 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.13-1
- Update to linux-4.9.13 to fix CVE-2017-5986 and CVE-2017-6074
- .config: disable XEN guest (needs rap_plugin verification)
* Wed Feb 22 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.9-2
- rap_plugin improvement: throw error on function type casting
function signatures were cleaned up using this feature.
- Added RAP_ENTRY for asm functions.
* Thu Feb 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.9-1
- Update to linux-4.9.9 to fix CVE-2016-10153, CVE-2017-5546,
CVE-2017-5547, CVE-2017-5548 and CVE-2017-5576.
- Added aufs support.
- Added PAX_RANDKSTACK feature.
- Extra func signatures cleanup to fix 1809717 and 1809722.
- .config: added CRYPTO_FIPS support.
* Tue Jan 10 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.2-1
- Update to linux-4.9.2 to fix CVE-2016-10088
- Rename package to linux-secure.
- Added KSPP cmdline params: slub_debug=P page_poison=1
* Mon Dec 19 2016 Xiaolin Li <xiaolinl@vmware.com> 4.9.0-2
- BuildRequires Linux-PAM-devel
* Mon Dec 12 2016 Alexey Makhalov <amakhalov@vmware.com> 4.9.0-1
- Update to linux-4.9.0
- Add paravirt stolen time accounting feature (from linux-esx),
but disable it by default (no-vmw-sta cmdline parameter)
- Use vmware_io_delay() to keep "void fn(void)" signature
* Wed Nov 30 2016 Alexey Makhalov <amakhalov@vmware.com> 4.8.0-2
- Expand `uname -r` with release number
- Resign and compress modules after stripping
- .config: add syscalls tracing support
- .config: add cgrup_hugetlb support
- .config: add netfilter_xt_{set,target_ct} support
- .config: add netfilter_xt_match_{cgroup,ipvs} support
- .config: disable /dev/mem
* Mon Oct 17 2016 Alexey Makhalov <amakhalov@vmware.com> 4.8.0-1
Initial commit.