50a9ff6df4
The kernel is moved ahead to version 3.10.0-693.21.1.el7 To summarize: CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1' This is fixed by load fences and is "baked in" and cannot be turned off. CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' This is fixed by a combination of retpolines and IBPB, or IBRS+IBPB if on skylake. This requires a microcode change in the processors. This feature, if on, has a significant performance impact. It is assumed on unless turned off via the "nospectre_v2" bootarg. CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3' This is fixed by page table isolation using the Kaiser patches. This feature is assumed on unless turned off via the "nopti" bootarg. As of the commit date, we have changed the installer kickstarts to issue both "nopti nospectre_v2" bootargs to minimize realtime impacts by default. The customer will be able to optionally sacrifice performance for extra security at datafill time. Change-Id: Id7c99923f2ee2ee91f77c7bd9940e684eff8b476 Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
53 lines
2.1 KiB
Diff
53 lines
2.1 KiB
Diff
From 2e6ec030be15349b2f1491fb65009338c1a8775c Mon Sep 17 00:00:00 2001
|
|
Message-Id: <2e6ec030be15349b2f1491fb65009338c1a8775c.1522099419.git.Jim.Somerville@windriver.com>
|
|
In-Reply-To: <37dfb62264baec527d56aaf20db887840bec1ea1.1522099415.git.Jim.Somerville@windriver.com>
|
|
References: <37dfb62264baec527d56aaf20db887840bec1ea1.1522099415.git.Jim.Somerville@windriver.com>
|
|
From: Kam Nasim <kam.nasim@windriver.com>
|
|
Date: Mon, 25 Sep 2017 17:20:15 -0400
|
|
Subject: [PATCH 25/32] meta patch for Kernel IMA keyring changes
|
|
|
|
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
|
|
---
|
|
SPECS/kernel.spec | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
|
|
index f8a45ea..e72feaa 100644
|
|
--- a/SPECS/kernel.spec
|
|
+++ b/SPECS/kernel.spec
|
|
@@ -417,6 +417,7 @@ Patch1002: debrand-rh-i686-cpu.patch
|
|
# Not sure if we need to worry about numerical collisions between
|
|
# SourceX and PatchX, so let's not risk it
|
|
Source30000: kernel-3.10.0-x86_64.config.tis_extra
|
|
+Source30001: ima_signing_key.pub
|
|
|
|
# Titanium Cloud patches here.
|
|
Patch40001: Fix-compile-issue-when-transparent-hugepages-are-off.patch
|
|
@@ -447,6 +448,7 @@ Patch40030: nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
|
Patch40031: nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch
|
|
Patch40032: nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
|
|
Patch40033: US101216-IMA-support-in-Titanium-kernel.patch
|
|
+Patch40036: US103091-IMA-System-Configuration.patch
|
|
|
|
BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
|
|
|
|
@@ -798,6 +800,7 @@ ApplyOptionalPatch nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
|
ApplyOptionalPatch nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch
|
|
ApplyOptionalPatch nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
|
|
ApplyOptionalPatch US101216-IMA-support-in-Titanium-kernel.patch
|
|
+ApplyOptionalPatch US103091-IMA-System-Configuration.patch
|
|
|
|
# Any further pre-build tree manipulations happen here.
|
|
|
|
@@ -926,6 +929,7 @@ BuildKernel() {
|
|
cp %{SOURCE12} . # extra_certificates
|
|
cp %{SOURCE15} . # rheldup3.x509
|
|
cp %{SOURCE16} . # rhelkpatch1.x509
|
|
+ cp %{SOURCE30001} . # ima_signing_key.pub
|
|
|
|
cp configs/$Config .config
|
|
|
|
--
|
|
1.8.3.1
|
|
|