# Photon OS packaging for the AWS flavour of the 4.9 kernel.
#
# Opting this package out of the distro-wide hardening CFLAGS/LDFLAGS.  The
# kernel Makefiles set their own compiler flags, so the hardening that is
# actually in effect comes from the kernel config (Source1), not from here.
# NOTE(review): keep this in mind when auditing the build — a hardening flag
# missing from config-aws is not compensated for by the packaging macros.
%global security_hardening none
Summary: Kernel
Name: linux-aws
Version: 4.9.80
# kat_build, when set, adds an extra release suffix and an extra patch (Patch1000).
Release: 1%{?kat_build:.%kat_build}%{?dist}
License: GPLv2
URL: http://www.kernel.org/
Group: System Environment/Kernel
Vendor: VMware, Inc.
Distribution: Photon
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
# Source integrity is pinned by SHA-1 (checked by the Photon build tooling).
# NOTE(review): a collision-resistant digest (sha256/sha512) would be
# preferable for source pinning — TODO confirm the build tooling supports it.
%define sha1 linux=1e815669d45b0e0ebfa14bfa9823e9795274f067
# Kernel config for the AWS image; its CONFIG_LOCALVERSION is rewritten at build time.
Source1: config-aws
# Spliced into the install section verbatim (see the %%include below).
Source2: initramfs.trigger
# Out-of-tree Amazon ENA network driver, pinned to a fixed upstream release.
%define ena_version 1.1.3
Source3: https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz
%define sha1 ena_linux=84138e8d7eb230b45cb53835edf03ca08043d471
# common
Patch0: x86-vmware-read-tsc_khz-only-once-at-boot-time.patch
Patch1: x86-vmware-use-tsc_khz-value-for-calibrate_cpu.patch
Patch2: x86-vmware-add-basic-paravirt-ops-support.patch
Patch3: x86-vmware-add-paravirt-sched-clock.patch
Patch4: x86-vmware-log-kmsg-dump-on-panic.patch
Patch5: double-tcp_mem-limits.patch
Patch6: linux-4.9-sysctl-sched_weighted_cpuload_uses_rla.patch
Patch7: linux-4.9-watchdog-Disable-watchdog-on-virtual-machines.patch
Patch9: SUNRPC-Do-not-reuse-srcport-for-TIME_WAIT-socket.patch
Patch10: SUNRPC-xs_bind-uses-ip_local_reserved_ports.patch
Patch11: vsock-transport-for-9p.patch
Patch12: x86-vmware-sta.patch
#HyperV patches
Patch13: 0004-vmbus-Don-t-spam-the-logs-with-unknown-GUIDs.patch
Patch14: 0005-Drivers-hv-utils-Fix-the-mapping-between-host-versio.patch
Patch15: 0006-Drivers-hv-vss-Improve-log-messages.patch
Patch16: 0007-Drivers-hv-vss-Operation-timeouts-should-match-host-.patch
Patch17: 0008-Drivers-hv-vmbus-Use-all-supported-IC-versions-to-ne.patch
# NOTE(review): Patch18 is declared but never applied in the prep section
# (the sequence there goes from patch17 straight to patch19) — confirm this
# is intentional, otherwise the declared patch list misrepresents the build.
Patch18: 0009-Drivers-hv-Log-the-negotiated-IC-versions.patch
Patch19: 0010-vmbus-fix-missed-ring-events-on-boot.patch
Patch20: 0011-vmbus-remove-goto-error_clean_msglist-in-vmbus_open.patch
Patch21: 0012-vmbus-dynamically-enqueue-dequeue-the-channel-on-vmb.patch
Patch23: 0014-hv_sock-introduce-Hyper-V-Sockets.patch
#FIPS patches - allow some algorithms
# NOTE(review): judging by their names, these two widen the set of algorithms
# that the crypto self-test (testmgr) treats as FIPS-allowed (authenc and
# ecb(cipher_null)).  Anyone relying on the FIPS boundary should review them.
Patch24: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch
Patch25: 0002-allow-also-ecb-cipher_null.patch
# Hardening: unprivileged user namespaces are off by default behind a sysctl.
Patch26: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
# Fix CVE-2017-1000252
Patch28: kvm-dont-accept-wrong-gsi-values.patch
# Fix CVE-2017-8824
Patch29: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
# NOTE(review): by its name this reverts the upstream change that runs SMB
# validate-negotiate even when signing is off (a downgrade-attack protection).
# The rationale for carrying the revert should be documented next to it.
Patch32: revert-SMB-validate-negotiate-even-if-signing-off.patch
# For Spectre
# NOTE(review): judging by the names, this series is the early variant-1
# (bounds-check bypass) barrier backports plus clearing of unused registers on
# syscall entry.  No retpoline/IBRS (variant 2) patch is listed here — verify
# what the config and toolchain actually provide before claiming coverage.
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch
Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch
Patch54: 0143-x86-bpf-jit-prevent-speculative-execution-when-JIT-i.patch
Patch55: 0144-uvcvideo-prevent-speculative-execution.patch
Patch56: 0145-carl9170-prevent-speculative-execution.patch
Patch57: 0146-p54-prevent-speculative-execution.patch
Patch58: 0147-qla2xxx-prevent-speculative-execution.patch
Patch59: 0148-cw1200-prevent-speculative-execution.patch
Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch
Patch61: 0150-ipv4-prevent-speculative-execution.patch
Patch62: 0151-ipv6-prevent-speculative-execution.patch
Patch63: 0152-fs-prevent-speculative-execution.patch
Patch64: 0153-net-mpls-prevent-speculative-execution.patch
Patch65: 0154-udf-prevent-speculative-execution.patch
Patch66: 0155-userns-prevent-speculative-execution.patch
Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch
Patch68: 0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch
%if 0%{?kat_build:1}
Patch1000: %{kat_build}.patch
%endif
BuildRequires: bc
BuildRequires: kbd
BuildRequires: kmod-devel
BuildRequires: glib-devel
BuildRequires: xerces-c-devel
BuildRequires: xml-security-c-devel
BuildRequires: libdnet-devel
BuildRequires: libmspack-devel
BuildRequires: Linux-PAM-devel
BuildRequires: openssl-devel
BuildRequires: procps-ng-devel
BuildRequires: audit-devel
Requires: filesystem kmod
# The post scriptlet uses ln, which either coreutils or toybox provides.
Requires(post):(coreutils or toybox)
# Must match the CONFIG_LOCALVERSION rewrite done in the build section, since
# module and /boot paths are all derived from it.
%define uname_r %{version}-%{release}-aws
%description
The Linux package contains the Linux kernel.
%package devel
Summary: Kernel Dev
Group: System Environment/Kernel
Obsoletes: linux-dev
Requires: %{name} = %{version}-%{release}
Requires: python2 gawk
%description devel
The Linux package contains the Linux kernel dev files
%package drivers-gpu
Summary: Kernel GPU Drivers
Group: System Environment/Kernel
Requires: %{name} = %{version}-%{release}
%description drivers-gpu
The Linux package contains the Linux kernel drivers for GPU
%package sound
Summary: Kernel Sound modules
Group: System Environment/Kernel
Requires: %{name} = %{version}-%{release}
%description sound
The Linux package contains the Linux kernel sound support
%package docs
Summary: Kernel docs
Group: System Environment/Kernel
Requires: python2
%description docs
The Linux package contains the Linux kernel doc files
%package oprofile
Summary: Kernel driver for oprofile, a statistical profiler for Linux systems
Group: System Environment/Kernel
Requires: %{name} = %{version}-%{release}
%description oprofile
Kernel driver for oprofile, a statistical profiler for Linux systems
%package tools
Summary: This package contains the 'perf' performance analysis tools for Linux kernel
Group: System/Tools
Requires: %{name} = %{version}-%{release}
Requires: audit
%description tools
This package contains the 'perf' performance analysis tools for Linux kernel.
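%prep
# Unpack the kernel (Source0) and, alongside it, the ENA driver tarball
# (Source3, -D keeps the kernel tree that was just extracted).
%setup -q -n linux-%{version}
%setup -D -b 3 -n linux-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
# NOTE(review): Patch18 is declared in the preamble but not applied here —
# confirm that is intentional.
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch28 -p1
%patch29 -p1
%patch32 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1
%patch68 -p1
%if 0%{?kat_build:1}
%patch1000 -p1
%endif

%build
make mrproper
cp %{SOURCE1} .config
# Embed the package release in the kernel's version string so that the
# installed module tree and /boot file names (uname_r) match what the
# running kernel reports.
sed -i 's/CONFIG_LOCALVERSION="-aws"/CONFIG_LOCALVERSION="-%{release}-aws"/' .config
# Fail loudly if the substitution did not take (e.g. config-aws no longer
# carries the expected CONFIG_LOCALVERSION line); otherwise modules_install
# and the packaged paths would silently target a different version string.
grep -qxF 'CONFIG_LOCALVERSION="-%{release}-aws"' .config || {
  echo "config-aws: CONFIG_LOCALVERSION was not rewritten to -%{release}-aws"
  exit 1
}
# oldconfig is non-interactive only while config-aws is complete for this
# kernel version; stdin is not a tty during rpmbuild, so a stale config aborts.
make LC_ALL= oldconfig
make VERBOSE=1 KBUILD_BUILD_VERSION="1-photon" KBUILD_BUILD_HOST="photon" ARCH="x86_64" %{?_smp_mflags}
make -C tools perf

# build ENA module (out-of-tree, against the kernel tree just built)
bldroot=`pwd`
pushd ../amzn-drivers-ena_linux_%{ena_version}/kernel/linux/ena
make -C $bldroot M=`pwd` VERBOSE=1 modules %{?_smp_mflags}
popd

# Sign, then compress, every module installed under uname_r — this includes
# the out-of-tree ENA module, which is installed into the same tree.
# Runs from the post-install hook below, i.e. after stripping, because a
# strip would invalidate the signature that sign-file appends to the .ko.
# The signing key under certs/ lives only in the build tree (presumably the
# build-time generated key — TODO confirm the config does not point at a
# persistent key) and must never be copied into the -devel headers tree.
# Patterns and paths are quoted so the shell cannot expand them against the
# source root, and the detached .sig/.dig leftovers are removed explicitly
# instead of relying on bash-only brace expansion.
%define __modules_install_post \
for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name '*.ko'` ; do \
  ./scripts/sign-file sha512 certs/signing_key.pem certs/signing_key.x509 "$MODULE" \
  rm -f "$MODULE".sig "$MODULE".dig \
  xz "$MODULE" \
done \
%{nil}

# We want to compress modules after stripping. Extra step is added to
# the default __spec_install_post.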
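# Post-install processing order: debuginfo extraction, arch/os brp scripts
# (stripping), and only then module signing + compression (defined in the
# build section), since stripping after signing would break the signatures.
%define __spec_install_post\
  %{?__debug_package:%{__debug_install_post}}\
  %{__arch_install_post}\
  %{__os_install_post}\
  %{__modules_install_post}\
%{nil}

%install
install -vdm 755 %{buildroot}/etc
install -vdm 755 %{buildroot}/boot
install -vdm 755 %{buildroot}%{_defaultdocdir}/%{name}-%{uname_r}
install -vdm 755 %{buildroot}/etc/modprobe.d
install -vdm 755 %{buildroot}/usr/src/%{name}-headers-%{uname_r}
install -vdm 755 %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}
make INSTALL_MOD_PATH=%{buildroot} modules_install

# install ENA module into the same module tree as the in-tree modules
bldroot=`pwd`
pushd ../amzn-drivers-ena_linux_%{ena_version}/kernel/linux/ena
make -C $bldroot M=`pwd` INSTALL_MOD_PATH=%{buildroot} modules_install
popd

# Verify for build-id match: the bzImage we ship must embed the same
# Build ID as the vmlinux we ship as debug info, or symbolization breaks.
# We observe different IDs sometimes
# TODO: debug it
ID1=`readelf -n vmlinux | grep "Build ID"`
./scripts/extract-vmlinux arch/x86/boot/bzImage > extracted-vmlinux
ID2=`readelf -n extracted-vmlinux | grep "Build ID"`
if [ "$ID1" != "$ID2" ] ; then
  echo "Build IDs do not match"
  echo $ID1
  echo $ID2
  exit 1
fi

install -vm 644 arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r}
# Restrict the permission on System.map-X file (kernel symbol addresses are
# useful to an attacker; keep them root-only).
install -vm 400 System.map %{buildroot}/boot/System.map-%{uname_r}
install -vm 644 .config %{buildroot}/boot/config-%{uname_r}
cp -r Documentation/* %{buildroot}%{_defaultdocdir}/%{name}-%{uname_r}
# Unstripped vmlinux goes to the debug tree (picked up by the debuginfo step).
install -vm 644 vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r}
# `perf test vmlinux` needs it
ln -s vmlinux-%{uname_r} %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux

# Boot entry for this kernel.  The heredoc delimiter is quoted to stop shell
# expansion, but rpm macros (uname_r) are still expanded before the shell runs.
cat > %{buildroot}/boot/%{name}-%{uname_r}.cfg << "EOF"
# GRUB Environment Block
photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta
photon_linux=vmlinuz-%{uname_r}
photon_initrd=initrd.img-%{uname_r}
EOF

# Register myself to initramfs (Xen and Hyper-V drivers are forced in so the
# image also boots on those hypervisors).
mkdir -p %{buildroot}/%{_localstatedir}/lib/initramfs/kernel
cat > %{buildroot}/%{_localstatedir}/lib/initramfs/kernel/%{uname_r} << "EOF"
--add-drivers "tmem xen-scsifront xen-blkfront xen-acpi-processor xen-evtchn xen-gntalloc xen-gntdev xen-privcmd xen-pciback xenfs hv_utils hv_vmbus hv_storvsc hv_netvsc hv_sock hv_balloon cn"
EOF

# Cleanup dangling symlinks
rm -rf %{buildroot}/lib/modules/%{uname_r}/source
rm -rf %{buildroot}/lib/modules/%{uname_r}/build

# Populate the -devel headers tree used to build external modules.
# The find patterns are quoted: unquoted, the shell would expand them against
# the source root (which contains Makefile and Kconfig), silently narrowing
# the match to exactly those names.  NUL-delimited lists are used throughout
# for consistency with the chmod pass below.  Nothing from certs/ (the module
# signing key) is selected by these patterns; keep it that way.
find . \( -name 'Makefile*' -o -name 'Kconfig*' -o -name '*.pl' \) -print0 | xargs -0 sh -c 'cp --parents "$@" %{buildroot}/usr/src/%{name}-headers-%{uname_r}' copy
# Grouping makes the intent explicit: directories named include or scripts
# anywhere under arch/x86 (the ungrouped form only applied -type d to scripts).
find $(find arch/x86 \( -name include -o -name scripts \) -type d) -type f -print0 | xargs -0 sh -c 'cp --parents "$@" %{buildroot}/usr/src/%{name}-headers-%{uname_r}' copy
find arch/x86/include Module.symvers include scripts -type f -print0 | xargs -0 sh -c 'cp --parents "$@" %{buildroot}/usr/src/%{name}-headers-%{uname_r}' copy
# CONFIG_STACK_VALIDATION=y requires objtool to build external modules
install -vsm 755 tools/objtool/objtool %{buildroot}/usr/src/%{name}-headers-%{uname_r}/tools/objtool/
install -vsm 755 tools/objtool/fixdep %{buildroot}/usr/src/%{name}-headers-%{uname_r}/tools/objtool/
cp .config %{buildroot}/usr/src/%{name}-headers-%{uname_r} # copy .config manually to be where it's expected to be
ln -sf "/usr/src/%{name}-headers-%{uname_r}" "%{buildroot}/lib/modules/%{uname_r}/build"
# Modules are made executable here, presumably so the strip/debuginfo brp
# scripts treat them as ELF objects; the file list below resets them to 0644.
find %{buildroot}/lib/modules -name '*.ko' -print0 | xargs -0 chmod u+x
# disable (JOBS=1) parallel build to fix this issue:
# fixdep: error opening depfile: ./.plugin_cfg80211.o.d: No such file or directory
# Linux version that was affected is 4.4.26
make -C tools JOBS=1 DESTDIR=%{buildroot} prefix=%{_prefix} perf_install
# initramfs.trigger (Source2) is spliced in verbatim at this point.
%include %{SOURCE2}

%post
/sbin/depmod -aq %{uname_r}
# Makes this kernel the default boot entry on install and upgrade.
ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
%post drivers-gpu
/sbin/depmod -aq %{uname_r}
%post sound
/sbin/depmod -aq %{uname_r}
%post oprofile
/sbin/depmod -aq %{uname_r}

%files
%defattr(-,root,root)
/boot/System.map-%{uname_r}
/boot/config-%{uname_r}
/boot/vmlinuz-%{uname_r}
%config(noreplace) /boot/%{name}-%{uname_r}.cfg
%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
/lib/firmware/*
%defattr(0644,root,root)
/lib/modules/%{uname_r}/*
%exclude /lib/modules/%{uname_r}/build
%exclude /lib/modules/%{uname_r}/kernel/drivers/gpu
%exclude /lib/modules/%{uname_r}/kernel/sound
%exclude /lib/modules/%{uname_r}/kernel/arch/x86/oprofile/
%files docs
%defattr(-,root,root)
%{_defaultdocdir}/%{name}-%{uname_r}/*
%files devel
%defattr(-,root,root)
/lib/modules/%{uname_r}/build
/usr/src/%{name}-headers-%{uname_r}
%files drivers-gpu
%defattr(-,root,root)
# NOTE(review): drivers/gpu is excluded from the main package and cirrus is
# excluded here, so if the config builds cirrus the module ends up in no
# subpackage at all — confirm that is intended.
%exclude /lib/modules/%{uname_r}/kernel/drivers/gpu/drm/cirrus/
/lib/modules/%{uname_r}/kernel/drivers/gpu
%files sound
%defattr(-,root,root)
/lib/modules/%{uname_r}/kernel/sound
%files oprofile
%defattr(-,root,root)
/lib/modules/%{uname_r}/kernel/arch/x86/oprofile/
%files tools
%defattr(-,root,root)
/usr/libexec
%exclude %{_libdir}/debug
/usr/lib64/traceevent
%{_bindir}
/etc/bash_completion.d/*
/usr/share/perf-core/strace/groups/file
/usr/share/doc/*
%changelog
* Mon Feb 05 2018 Srivatsa S. Bhat 4.9.80-1
- First build based on linux.spec and config. No AWS-specific patches yet.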