@@ -471,7 +471,11 @@ CONFIG_HZ_250=y

 CONFIG_HZ=250

 CONFIG_SCHED_HRTICK=y

 CONFIG_KEXEC=y

-# CONFIG_KEXEC_FILE is not set

+CONFIG_KEXEC_FILE=y

+CONFIG_ARCH_HAS_KEXEC_PURGATORY=y

+CONFIG_KEXEC_SIG=y

+CONFIG_KEXEC_SIG_FORCE=y

+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y

 CONFIG_CRASH_DUMP=y

 CONFIG_PHYSICAL_START=0x1000000

 CONFIG_RELOCATABLE=y

@@ -659,6 +663,7 @@ CONFIG_AS_TPAUSE=y

 #

 CONFIG_CRASH_CORE=y

 CONFIG_KEXEC_CORE=y

+CONFIG_HAVE_IMA_KEXEC=y

 CONFIG_HOTPLUG_SMT=y

 CONFIG_GENERIC_ENTRY=y

 CONFIG_KPROBES=y

@@ -6096,6 +6101,7 @@ CONFIG_INTEGRITY_PLATFORM_KEYRING=y

 CONFIG_LOAD_UEFI_KEYS=y

 CONFIG_INTEGRITY_AUDIT=y

 CONFIG_IMA=y

+# CONFIG_IMA_KEXEC is not set

 CONFIG_IMA_MEASURE_PCR_IDX=10

 CONFIG_IMA_LSM_RULES=y

 CONFIG_IMA_NG_TEMPLATE=y

@@ -6108,6 +6114,7 @@ CONFIG_IMA_DEFAULT_HASH="sha256"

 # CONFIG_IMA_WRITE_POLICY is not set

 CONFIG_IMA_READ_POLICY=y

 # CONFIG_IMA_APPRAISE is not set

+# CONFIG_IMA_ARCH_POLICY is not set

 CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y

 CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y

 # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set

@@ -6180,8 +6187,8 @@ CONFIG_CRYPTO_MANAGER2=y

 # CONFIG_CRYPTO_USER is not set

 # CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set

 # CONFIG_CRYPTO_MANAGER_EXTRA_TESTS is not set

-CONFIG_CRYPTO_GF128MUL=m

-CONFIG_CRYPTO_NULL=m

+CONFIG_CRYPTO_GF128MUL=y

+CONFIG_CRYPTO_NULL=y

 CONFIG_CRYPTO_NULL2=y

 # CONFIG_CRYPTO_PCRYPT is not set

 CONFIG_CRYPTO_CRYPTD=m

@@ -6196,9 +6203,9 @@ CONFIG_CRYPTO_SIMD=m

 #

 CONFIG_CRYPTO_RSA=y

 # CONFIG_CRYPTO_DH is not set

-CONFIG_CRYPTO_ECC=m

-CONFIG_CRYPTO_ECDH=m

-CONFIG_CRYPTO_ECDSA=m

+CONFIG_CRYPTO_ECC=y

+CONFIG_CRYPTO_ECDH=y

+CONFIG_CRYPTO_ECDSA=y

 # CONFIG_CRYPTO_ECRDSA is not set

 # CONFIG_CRYPTO_SM2 is not set

 # CONFIG_CRYPTO_CURVE25519 is not set

@@ -6232,9 +6239,9 @@ CONFIG_CRYPTO_DES=y

 CONFIG_CRYPTO_ARC4=m

 # CONFIG_CRYPTO_CHACHA20 is not set

 CONFIG_CRYPTO_CBC=y

-CONFIG_CRYPTO_CFB=m

-CONFIG_CRYPTO_CTR=m

-CONFIG_CRYPTO_CTS=m

+CONFIG_CRYPTO_CFB=y

+CONFIG_CRYPTO_CTR=y

+CONFIG_CRYPTO_CTS=y

 CONFIG_CRYPTO_ECB=y

 # CONFIG_CRYPTO_HCTR2 is not set

 # CONFIG_CRYPTO_KEYWRAP is not set

@@ -6249,8 +6256,8 @@ CONFIG_CRYPTO_XTS=y

 #

 # CONFIG_CRYPTO_AEGIS128 is not set

 # CONFIG_CRYPTO_CHACHA20POLY1305 is not set

-CONFIG_CRYPTO_CCM=m

-CONFIG_CRYPTO_GCM=m

+CONFIG_CRYPTO_CCM=y

+CONFIG_CRYPTO_GCM=y

 CONFIG_CRYPTO_SEQIV=m

 CONFIG_CRYPTO_ECHAINIV=m

 CONFIG_CRYPTO_ESSIV=m

@@ -6260,8 +6267,8 @@ CONFIG_CRYPTO_ESSIV=m

 # Hashes, digests, and MACs

 #

 CONFIG_CRYPTO_BLAKE2B=m

-CONFIG_CRYPTO_CMAC=m

-CONFIG_CRYPTO_GHASH=m

+CONFIG_CRYPTO_CMAC=y

+CONFIG_CRYPTO_GHASH=y

 CONFIG_CRYPTO_HMAC=y

 CONFIG_CRYPTO_MD4=m

 CONFIG_CRYPTO_MD5=y

@@ -6271,7 +6278,7 @@ CONFIG_CRYPTO_MD5=y

 CONFIG_CRYPTO_SHA1=y

 CONFIG_CRYPTO_SHA256=y

 CONFIG_CRYPTO_SHA512=y

-CONFIG_CRYPTO_SHA3=m

+CONFIG_CRYPTO_SHA3=y

 # CONFIG_CRYPTO_SM3_GENERIC is not set

 # CONFIG_CRYPTO_STREEBOG is not set

 # CONFIG_CRYPTO_VMAC is not set

@@ -6386,7 +6393,7 @@ CONFIG_X509_CERTIFICATE_PARSER=y

 # CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set

 CONFIG_PKCS7_MESSAGE_PARSER=y

 # CONFIG_PKCS7_TEST_KEY is not set

-# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set

+CONFIG_SIGNED_PE_FILE_VERIFICATION=y

 # CONFIG_FIPS_SIGNATURE_SELFTEST is not set

 #

@@ -6396,7 +6403,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

 CONFIG_MODULE_SIG_KEY_TYPE_RSA=y

 # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set

 CONFIG_SYSTEM_TRUSTED_KEYRING=y

-CONFIG_SYSTEM_TRUSTED_KEYS=""

+CONFIG_SYSTEM_TRUSTED_KEYS="photon_sb2020.pem"

 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set

 # CONFIG_SECONDARY_TRUSTED_KEYRING is not set

 CONFIG_SYSTEM_BLACKLIST_KEYRING=y

@@ -445,7 +445,11 @@ CONFIG_HZ_250=y

 CONFIG_HZ=250

 CONFIG_SCHED_HRTICK=y

 # CONFIG_KEXEC is not set

-# CONFIG_KEXEC_FILE is not set

+CONFIG_KEXEC_FILE=y

+CONFIG_ARCH_HAS_KEXEC_PURGATORY=y

+CONFIG_KEXEC_SIG=y

+CONFIG_KEXEC_SIG_FORCE=y

+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y

 CONFIG_CRASH_DUMP=y

 CONFIG_PHYSICAL_START=0x1000000

 CONFIG_RELOCATABLE=y

@@ -662,6 +666,8 @@ CONFIG_AS_TPAUSE=y

 #

 # General architecture-dependent options

 #

+CONFIG_CRASH_CORE=y

+CONFIG_KEXEC_CORE=y

 CONFIG_HOTPLUG_SMT=y

 CONFIG_GENERIC_ENTRY=y

 CONFIG_KPROBES=y

@@ -1858,6 +1864,7 @@ CONFIG_SYSFB_SIMPLEFB=y

 CONFIG_EFI_ESRT=y

 CONFIG_EFI_VARS_PSTORE=m

 # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set

+CONFIG_EFI_RUNTIME_MAP=y

 # CONFIG_EFI_FAKE_MEMMAP is not set

 CONFIG_EFI_DXE_MEM_ATTRIBUTES=y

 CONFIG_EFI_RUNTIME_WRAPPERS=y

@@ -5303,7 +5310,7 @@ CONFIG_X509_CERTIFICATE_PARSER=y

 # CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set

 CONFIG_PKCS7_MESSAGE_PARSER=y

 # CONFIG_PKCS7_TEST_KEY is not set

-# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set

+CONFIG_SIGNED_PE_FILE_VERIFICATION=y

 # CONFIG_FIPS_SIGNATURE_SELFTEST is not set

 #

@@ -5313,7 +5320,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

 CONFIG_MODULE_SIG_KEY_TYPE_RSA=y

 # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set

 CONFIG_SYSTEM_TRUSTED_KEYRING=y

-CONFIG_SYSTEM_TRUSTED_KEYS=""

+CONFIG_SYSTEM_TRUSTED_KEYS="photon_sb2020.pem"

 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set

 # CONFIG_SECONDARY_TRUSTED_KEYRING is not set

 # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set

@@ -398,7 +398,9 @@ CONFIG_CC_HAVE_SHADOW_CALL_STACK=y

 CONFIG_PARAVIRT=y

 # CONFIG_PARAVIRT_TIME_ACCOUNTING is not set

 CONFIG_KEXEC=y

-# CONFIG_KEXEC_FILE is not set

+CONFIG_KEXEC_FILE=y

+CONFIG_KEXEC_SIG=y

+CONFIG_KEXEC_IMAGE_VERIFY_SIG=y

 CONFIG_CRASH_DUMP=y

 CONFIG_TRANS_TABLE=y

 CONFIG_HYPERVISOR_GUEST=y

@@ -631,6 +633,7 @@ CONFIG_KVM=y

 # General architecture-dependent options

 CONFIG_CRASH_CORE=y

 CONFIG_KEXEC_CORE=y

+CONFIG_HAVE_IMA_KEXEC=y

 CONFIG_ARCH_HAS_SUBPAGE_FAULTS=y

 CONFIG_KPROBES=y

 CONFIG_JUMP_LABEL=y

@@ -6992,6 +6995,7 @@ CONFIG_INTEGRITY_PLATFORM_KEYRING=y

 CONFIG_LOAD_UEFI_KEYS=y

 CONFIG_INTEGRITY_AUDIT=y

 CONFIG_IMA=y

+# CONFIG_IMA_KEXEC is not set

 CONFIG_IMA_MEASURE_PCR_IDX=10

 CONFIG_IMA_LSM_RULES=y

 CONFIG_IMA_NG_TEMPLATE=y

@@ -7004,6 +7008,7 @@ CONFIG_IMA_DEFAULT_HASH="sha256"

 # CONFIG_IMA_WRITE_POLICY is not set

 CONFIG_IMA_READ_POLICY=y

 # CONFIG_IMA_APPRAISE is not set

+# CONFIG_IMA_ARCH_POLICY is not set

 CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y

 CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y

 # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set

@@ -7269,7 +7274,7 @@ CONFIG_X509_CERTIFICATE_PARSER=y

 # CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set

 CONFIG_PKCS7_MESSAGE_PARSER=y

 # CONFIG_PKCS7_TEST_KEY is not set

-# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set

+CONFIG_SIGNED_PE_FILE_VERIFICATION=y

 # CONFIG_FIPS_SIGNATURE_SELFTEST is not set

 # Certificates for signature checking

@@ -7277,7 +7282,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

 CONFIG_MODULE_SIG_KEY_TYPE_RSA=y

 # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set

 CONFIG_SYSTEM_TRUSTED_KEYRING=y

-CONFIG_SYSTEM_TRUSTED_KEYS=""

+CONFIG_SYSTEM_TRUSTED_KEYS="photon_sb2020.pem"

 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set

 # CONFIG_SECONDARY_TRUSTED_KEYRING is not set

 CONFIG_SYSTEM_BLACKLIST_KEYRING=y

@@ -16,7 +16,7 @@

 Summary:        Kernel

 Name:           linux-rt

 Version:        6.1.41

-Release:        3%{?kat_build:.kat}%{?dist}

+Release:        4%{?kat_build:.kat}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org

 Group:          System Environment/Kernel

@@ -67,6 +67,8 @@ Source19:        spec_install_post.inc

 Source20:       %{name}-dracut.conf

+Source21:       photon_sb2020.pem

+

 # common

 Patch0: net-Double-tcp_mem-limits.patch

 Patch1: SUNRPC-xs_bind-uses-ip_local_reserved_ports.patch

@@ -336,6 +338,7 @@ popd

 %build

 make %{?_smp_mflags} mrproper

+cp %{SOURCE21} photon_sb2020.pem

 %ifarch x86_64

 cp %{SOURCE1} .config

@@ -517,6 +520,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 %{_usrsrc}/linux-headers-%{uname_r}

 %changelog

+* Wed Nov 22 2023 Kuntal Nayak <nkuntal@vmware.com> 6.1.41-4

+- Enable Kconfig CONFIG_KEXEC_FILE for kexec signature verify

 * Wed Nov 22 2023 Srish Srinivasan <ssrish@vmware.com> 6.1.41-3

 - Enable CONFIG_DEBUG_INFO_BTF=y

 * Wed Nov 22 2023 Ajay Kaher <akaher@vmware.com> 6.1.41-2

@@ -16,7 +16,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        6.1.41

-Release:        2%{?kat_build:.kat}%{?dist}

+Release:        3%{?kat_build:.kat}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org

 Group:          System Environment/Kernel

@@ -59,6 +59,8 @@ Source28: testmgr_fips_canister_wrapper.c

 Source29: spec_install_post.inc

 Source30: %{name}-dracut.conf

+Source31:       photon_sb2020.pem

+

 # common

 Patch0:  net-Double-tcp_mem-limits.patch

 Patch1:  SUNRPC-xs_bind-uses-ip_local_reserved_ports.patch

@@ -101,6 +103,7 @@ Patch42: 0001-kernel-lockdown-when-UEFI-secure-boot-enabled.patch

 Patch51: 0002-NOWRITEEXEC-and-PAX-features-MPROTECT-EMUTRAMP.patch

 Patch52: 0003-gcc-rap-plugin-with-kcfi.patch

 Patch53: 0004-Fix-PAX-function-pointer-overwritten-for-tasklet-cal.patch

+Patch54: fix-warn-definition.patch

 # SEV-ES, TDX

 %ifarch x86_64

@@ -229,7 +232,7 @@ The kernel fips-canister

 %endif

 #Secure

-%autopatch -p1 -m50 -M53

+%autopatch -p1 -m50 -M54

 %ifarch x86_64

 #SEV-ES, TDX

@@ -256,6 +259,7 @@ The kernel fips-canister

 %build

 make %{?_smp_mflags} mrproper

 cp %{SOURCE1} .config

+cp %{SOURCE31} photon_sb2020.pem

 %if 0%{?fips}

 cp ../fips-canister-%{fips_canister_version}/fips_canister.o \

    ../fips-canister-%{fips_canister_version}/fips_canister_wrapper.c \

@@ -424,6 +428,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 %endif

 %changelog

+* Wed Nov 22 2023 Kuntal Nayak <nkuntal@vmware.com> 6.1.41-3

+- Enable Kconfig CONFIG_KEXEC_FILE for kexec signature verify

 * Wed Nov 22 2023 Ajay Kaher <akaher@vmware.com> 6.1.41-2

 - Fix: unconditional preserve CR4.MCE

 * Wed Nov 22 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 6.1.41-1

new file mode 100644

@@ -0,0 +1,62 @@

+From 2c3dd15357b628de25b2dd2ffeab55f5b2837f68 Mon Sep 17 00:00:00 2001

+From: Kuntal Nayak <nkuntal@vmware.com>

+Date: Mon, 7 Aug 2023 23:57:44 +0000

+Subject: [PATCH] fix conflicting definition of warn()

+

+RAP uses function signature (ret type, args) to create hash objects

+during compilation. arch/x86/purgatory/ has two definitions

+of warn() and generates two __rap_hash_warn. This results

+in failure of linking 'purgatory'. Please find details of

+conflicting objects below.

+

+#  nm purgatory.o | grep warn

+0000000000000170 T __cfi_warn

+000000006c29e01a A __rap_hash_warn

+0000000000000179 T warn

+

+# nm string.o | grep warn

+0000000058cf6023 A __rap_hash_warn

+                 U warn

+

+Fixing the definition used by 'string' to create matching

+signature of warn function for the directory.

+

+Modifying the definition in 'string' because it uses __putstr

+having <const char *> argument.

+arch/x86/boot/compressed/misc.h:56

+void __putstr(const char *s);

+

+---

+ arch/x86/boot/compressed/error.c | 2 +-

+ arch/x86/boot/compressed/error.h | 2 +-

+ 2 files changed, 2 insertions(+), 2 deletions(-)

+

+diff --git a/arch/x86/boot/compressed/error.c b/arch/x86/boot/compressed/error.c

+index c881878e5..ce5ed7d82 100644

+--- a/arch/x86/boot/compressed/error.c

+@@ -7,7 +7,7 @@

+ #include "misc.h"

+ #include "error.h"

+ 

+-void warn(char *m)

++void warn(const char *m)

+ {

+ 	error_putstr("\n\n");

+ 	error_putstr(m);

+diff --git a/arch/x86/boot/compressed/error.h b/arch/x86/boot/compressed/error.h

+index 1de582118..87062dea9 100644

+--- a/arch/x86/boot/compressed/error.h

+@@ -4,7 +4,7 @@

+ 

+ #include <linux/compiler.h>

+ 

+-void warn(char *m);

++void warn(const char *m);

+ void error(char *m) __noreturn;

+ 

+ #endif /* BOOT_COMPRESSED_ERROR_H */

+-- 

+2.39.0

+