Introduce kernel-64k (microsoft#11078)

kernel-64k is a new aarch64 kernel which has 64k page sizes. kernel-64k contains a config_aarch64 which differs from the kernel in that it sets CONFIG_ARM64_64K_PAGES. This offering is to help with HPC scenarios. The kernel package will still be offered and will retain the default 4k page size. Co-authored-by: Christopher Co <[email protected]>
archana25-ms · Dec 3, 2024 · a8970d5 · a8970d5
1 parent f49c769
commit a8970d5
Show file tree

Hide file tree

Showing 15 changed files with 14,411 additions and 2 deletions.
diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
diff --git a/LICENSES-AND-NOTICES/SPECS/data/licenses.json b/LICENSES-AND-NOTICES/SPECS/data/licenses.json
@@ -2256,6 +2256,7 @@
                 "kata-packages-uvm",
                 "keda",
                 "keras",
+                "kernel-64k-signed",
                 "kernel-signed",
                 "kernel-uki",
                 "kernel-uki-signed",
@@ -2753,6 +2754,7 @@
                 "kbd",
                 "keepalived",
                 "kernel",
+                "kernel-64k",
                 "kernel-headers",
                 "kernel-mshv",
                 "kernel-rt",

diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec
@@ -0,0 +1,111 @@
+%global debug_package %{nil}
+%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
+%ifarch aarch64
+%global buildarch aarch64
+%endif
+%define uname_r %{version}-%{release}
+Summary:        Signed Linux Kernel for %{buildarch} systems
+Name:           kernel-64k-signed-%{buildarch}
+Version:        6.6.57.1
+Release:        5%{?dist}
+License:        GPLv2
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+Group:          System Environment/Kernel
+URL:            https://github.com/microsoft/CBL-Mariner-Linux-Kernel
+# This package's "version" and "release" must reflect the unsigned version that
+# was signed.
+# An important consequence is that when making a change to this package, the
+# unsigned version/release must be increased to keep the two versions consistent.
+# Ideally though, this spec will not change much or at all, so the version will
+# just track the unsigned package's version/release.
+#
+# To populate these sources:
+#   1. Build the unsigned packages as normal
+#   2. Sign the desired binary
+#   3. Place the unsigned package and signed binary in this spec's folder
+#   4. Build this spec
+Source0:        kernel-64k-%{version}-%{release}.%{buildarch}.rpm
+Source1:        vmlinuz-%{uname_r}
+Source2:        sha512hmac-openssl.sh
+BuildRequires:  cpio
+BuildRequires:  grub2-rpm-macros
+BuildRequires:  openssl
+BuildRequires:  sed
+%{?grub2_configuration_requires}
+
+%description
+This package contains the Linux kernel package with kernel signed with the production key
+
+%package -n     kernel-64k
+Summary:        Linux Kernel
+Group:          System Environment/Kernel
+Requires:       filesystem
+Requires:       kmod
+Requires(post): coreutils
+Requires(postun): coreutils
+
+%description -n kernel-64k
+The kernel package contains the signed Linux kernel.
+
+%prep
+
+%build
+mkdir rpm_contents
+pushd rpm_contents
+
+# This spec's whole purpose is to inject the signed kernel binary
+rpm2cpio %{SOURCE0} | cpio -idmv
+cp %{SOURCE1} ./boot/vmlinuz-%{uname_r}
+
+popd
+
+%install
+pushd rpm_contents
+
+# Don't use * wildcard. It does not copy over hidden files in the root folder...
+cp -rp ./. %{buildroot}/
+
+popd
+
+# Recalculate sha512hmac for FIPS
+%{sha512hmac} %{buildroot}/boot/vmlinuz-%{uname_r} | sed -e "s,$RPM_BUILD_ROOT,," > %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac
+cp %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac %{buildroot}/lib/modules/%{uname_r}/.vmlinuz.hmac
+
+%triggerin -n kernel-64k -- initramfs
+mkdir -p %{_localstatedir}/lib/rpm-state/initramfs/pending
+touch %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r}
+echo "initrd generation of kernel %{uname_r} will be triggered later" >&2
+
+%triggerun -n kernel-64k -- initramfs
+rm -rf %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r}
+rm -rf /boot/initramfs-%{uname_r}.img
+echo "initrd of kernel %{uname_r} removed" >&2
+
+%postun -n kernel-64k
+%grub2_postun
+
+%post -n kernel-64k
+/sbin/depmod -a %{uname_r}
+%grub2_post
+
+%files -n kernel-64k
+%defattr(-,root,root)
+%license COPYING
+/boot/System.map-%{uname_r}
+/boot/config-%{uname_r}
+/boot/vmlinuz-%{uname_r}
+/boot/.vmlinuz-%{uname_r}.hmac
+%defattr(0644,root,root)
+/lib/modules/%{uname_r}/*
+/lib/modules/%{uname_r}/.vmlinuz.hmac
+%exclude /lib/modules/%{uname_r}/build
+%exclude /lib/modules/%{uname_r}/kernel/drivers/gpu
+%exclude /lib/modules/%{uname_r}/kernel/sound
+%exclude /module_info.ld
+
+%changelog
+* Thu Nov 07 2024 Rachel Menge <[email protected]> - 6.6.57.1-5
+- Original version for Azure Linux
+- Starting with release 5 to align with kernel release.
+- License verified
diff --git a/SPECS-SIGNED/kernel-64k-signed/sha512hmac-openssl.sh b/SPECS-SIGNED/kernel-64k-signed/sha512hmac-openssl.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Mocks sha512hmac using the openssl tool.
+# Only for use during RPM build.
+
+openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ' | echo "$(cat -)  $1"