Merge pull request #2300 from flatcar/ader1990/linux_kernel_6_10

Upgrade Linux kernel from 6.6 to 6.12

changelog/updates/2025-04-25-kernel-6.12.md

@@ -0,0 +1 @@
+- Linux [6.12.20](https://lwn.net/Articles/1015185/) (includes [6.12.19](https://lwn.net/Articles/1014045/), [6.12.18](https://lwn.net/Articles/1013397/), [6.12.17](https://lwn.net/Articles/1012191/), [6.12.16](https://lwn.net/Articles/1011265/), [6.12.15](https://lwn.net/Articles/1010623/), [6.12.14](https://lwn.net/Articles/1010356/), [6.12.13](https://lwn.net/Articles/1008643/), [6.12.12](https://lwn.net/Articles/1007440/), [6.12.11](https://lwn.net/Articles/1006009/), [6.12.10](https://lwn.net/Articles/1005382/), [6.12.9](https://lwn.net/Articles/1004549/), [6.12.8](https://lwn.net/Articles/1003985/), [6.12.7](https://lwn.net/Articles/1003608/), [6.12.6](https://lwn.net/Articles/1002918/), [6.12.5](https://lwn.net/Articles/1002176/), [6.12.4](https://lwn.net/Articles/1001437/), [6.12.3](https://lwn.net/Articles/1001203/), [6.12.2](https://lwn.net/Articles/1000872/), [6.12.1](https://lwn.net/Articles/999108/), [6.12](https://lwn.net/Articles/998490/))

sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/files/hv_fcopy_uio_daemon.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Hyper-V FCOPY UIO daemon
+ConditionPathExists=/sys/bus/vmbus/devices/eb765408-105f-49b6-b4aa-c123b64d17d4/uio
+
+[Service]
+ExecStart=/usr/bin/hv_fcopy_uio_daemon --no-daemon
+
+[Install]
+WantedBy=multi-user.target

sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-9999.ebuild

@@ -13,20 +13,19 @@ if [[ "${PV}" == 9999 ]]; then
 fi
 
 src_compile() {
-    # Build hv_vss_daemon, hv_kvp_daemon, hv_fcopy_daemon 
+    # Build hv_vss_daemon, hv_kvp_daemon, hv_fcopy_daemon
     kmake tools/hv
 }
 
 src_install() {
-    dobin "${S}/build/tools/hv/hv_fcopy_daemon"
+    local -a HV_DAEMONS=(hv_vss_daemon hv_kvp_daemon hv_fcopy_daemon hv_fcopy_uio_daemon)
-    dobin "${S}/build/tools/hv/hv_kvp_daemon"
+    local HV_DAEMON
-    dobin "${S}/build/tools/hv/hv_vss_daemon"
+    for HV_DAEMON in "$HV_DAEMONS[@]"
-
+    do
-    systemd_dounit "${FILESDIR}/hv_fcopy_daemon.service"
+        if [ -f "${S}/build/tools/hv/${HV_DAEMON}" ]; then
-    systemd_dounit "${FILESDIR}/hv_kvp_daemon.service"
+            dobin "${S}/build/tools/hv/${HV_DAEMON}"
-    systemd_dounit "${FILESDIR}/hv_vss_daemon.service"
+            systemd_dounit "${FILESDIR}/${HV_DAEMON}.service"
-
+            systemd_enable_service "multi-user.target" "${HV_DAEMON}.service"
-    systemd_enable_service "multi-user.target" "hv_fcopy_daemon.service"
+        fi
-    systemd_enable_service "multi-user.target" "hv_kvp_daemon.service"
+    done
-    systemd_enable_service "multi-user.target" "hv_vss_daemon.service"
 }

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.12

@@ -12,7 +12,6 @@ CONFIG_ACPI_IPMI=m
 CONFIG_ACPI_PCI_SLOT=y
 CONFIG_ACPI_PROCESSOR_AGGREGATOR=y
 CONFIG_AMD_IOMMU=y
-CONFIG_AMD_IOMMU_V2=m
 CONFIG_AQTION=m
 CONFIG_ARCH_MEMORY_PROBE=y
 CONFIG_AUTOFS_FS=y

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-6.12

@@ -32,7 +32,6 @@ CONFIG_CRYPTO_SHA1_ARM64_CE=y
 CONFIG_CRYPTO_SHA2_ARM64_CE=y
 # CONFIG_DEBUG_PREEMPT is not set
 CONFIG_DM_DEBUG=y
-CONFIG_FB_ARMCLCD=y
 CONFIG_GPIO_PL061=y
 CONFIG_GPIO_XGENE=y
 CONFIG_GPIO_XGENE_SB=y

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12

@@ -171,6 +171,7 @@ CONFIG_DNS_RESOLVER=y
 CONFIG_DRM=m
 CONFIG_DRM_VIRTIO_GPU=m
 CONFIG_DST_CACHE=y
+# CONFIG_DRM_FBDEV_EMULATION is not set
 CONFIG_DUMMY=m
 CONFIG_DYNAMIC_DEBUG=y
 CONFIG_E100=m
@@ -496,6 +497,7 @@ CONFIG_MMC_BLOCK_MINORS=16
 CONFIG_MMC_SDHCI=m
 CONFIG_MMC_SDHCI_PCI=m
 CONFIG_MODULES=y
+CONFIG_MODULE_COMPRESS=y
 CONFIG_MODULE_COMPRESS_XZ=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_KEY="${MODULE_SIGNING_KEY_DIR}/certs/modules.pem"
@@ -600,7 +602,6 @@ CONFIG_NET_ACT_CTINFO=m
 CONFIG_NET_ACT_GACT=m
 CONFIG_NET_ACT_GATE=m
 CONFIG_NET_ACT_IFE=m
-CONFIG_NET_ACT_IPT=m
 CONFIG_NET_ACT_MIRRED=m
 CONFIG_NET_ACT_MPLS=m
 CONFIG_NET_ACT_NAT=m

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest

@@ -1,2 +1,2 @@
-DIST linux-6.6.tar.xz 140064536 BLAKE2B 5f02fd8696d42f7ec8c5fbadec8e7270bdcfcb1f9844a6c4db3e1fd461c93ce1ccda650ca72dceb4890ebcbbf768ba8fba0bce91efc49fbd2c307b04e95665f2 SHA512 458b2c34d46206f9b4ccbac54cc57aeca1eaecaf831bc441e59701bac6eadffc17f6ce24af6eadd0454964e843186539ac0d63295ad2cc32d112b60360c39a35
+DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548
-DIST patch-6.6.89.xz 4243548 BLAKE2B a4cf3341e453548a9369ed19fbe07deca183bd5786790161e68bb28340925b351d9046bd8db6fe85836ddff5b82facc85c4fc4fab0e73d2e5837c35672b982f7 SHA512 0642eb456df63bd4f3ab501ca93792e80e6807eef5e8b4dae8bd8a75c3e58397104828c8320994244ab03a62b7f46fa3c476ca8ac42ed7d8f6c8290b5ec6c560
+DIST patch-6.12.20.xz 1432116 BLAKE2B cc42fce6584baa82dcf513e62433a61b8d90562648f64d7795e58ec3de0c5449b3685e05a0cb0f9c46b08faa7edf6d6b7edd3520fbc1fabbbb5b8fba2d528299 SHA512 a1568d4233d900f95fa4394147acdc37498582b050fd6a111506f680636b50b6725bf99d76f4f3613d5af5e50d3e46929d718dae3a59f2174ff53477bef83825

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild

@@ -36,10 +36,11 @@ IUSE=""
 # local patches overlap with the upstream patch.
 UNIPATCH_LIST="
 	${PATCH_DIR}/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch \
-	${PATCH_DIR}/z0002-revert-pahole-flags.patch \
+	${PATCH_DIR}/z0002-pahole-support-reproducible-builds.patch \
 	${PATCH_DIR}/z0003-Revert-x86-boot-Remove-the-bugger-off-message.patch \
-	${PATCH_DIR}/z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch \
+	${PATCH_DIR}/z0004-efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch \
-	${PATCH_DIR}/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \
+	${PATCH_DIR}/z0005-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \
-	${PATCH_DIR}/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch \
+	${PATCH_DIR}/z0006-mtd-disable-slram-and-phram-when-locked-down.patch \
-	${PATCH_DIR}/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch \
+	${PATCH_DIR}/z0007-arm64-add-kernel-config-option-to-lock-down-when.patch \
+	${PATCH_DIR}/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch \
 "

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0002-pahole-support-reproducible-builds.patch

@@ -0,0 +1,26 @@
+From 9faff3734e6456e7927c0914829a4764ec9f1b44 Mon Sep 17 00:00:00 2001
+From: Adrian Vladu <avladu@cloudbasesolutions.com>
+Date: Tue, 17 Sep 2024 13:44:14 +0000
+Subject: [PATCH] pahole: support reproducible builds
+
+---
+ scripts/Makefile.btf | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/Makefile.btf b/scripts/Makefile.btf
+index 2d6e5ed9081e..b2f88b0fcf37 100644
+--- a/scripts/Makefile.btf
++++ b/scripts/Makefile.btf
+@@ -23,6 +23,9 @@ else
+ # Switch to using --btf_features for v1.26 and later.
+ pahole-flags-$(call test-ge, $(pahole-ver), 126)  = -j --btf_features=encode_force,var,float,enum64,decl_tag,type_tag,optimized_func,consistent_func
+ 
++# Support reproducible builds.
++pahole-flags-$(call test-ge, $(pahole-ver), 127)  = -j --btf_features=encode_force,var,float,enum64,decl_tag,type_tag,optimized_func,consistent_func,reproducible_build
++
+ endif
+ 
+ pahole-flags-$(CONFIG_PAHOLE_HAS_LANG_EXCLUDE)		+= --lang_exclude=rust
+-- 
+2.34.1
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0004-efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch

@@ -1,8 +1,7 @@
-From 1e2ffbec195c89d887bc088691ebb19c9173ecad Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 18 Feb 2019 12:45:03 +0000
-Subject: [PATCH 1/4] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot
+Subject: [28/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
- mode
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a5d70c55c603233c192b375f72116a395909da28
 
 UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
 flag that can be passed to efi_enabled() to find out whether secure boot is
@@ -26,15 +25,13 @@ cc: linux-efi@vger.kernel.org
  arch/x86/kernel/setup.c           | 14 +----------
  drivers/firmware/efi/Makefile     |  1 +
  drivers/firmware/efi/secureboot.c | 39 +++++++++++++++++++++++++++++++
- include/linux/efi.h               | 17 ++++++++------
+ include/linux/efi.h               | 16 ++++++++-----
- 4 files changed, 51 insertions(+), 20 deletions(-)
+ 4 files changed, 51 insertions(+), 19 deletions(-)
  create mode 100644 drivers/firmware/efi/secureboot.c
 
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index eb129277dcdd..7c4a6697e39d 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1190,19 +1190,7 @@ void __init setup_arch(char **cmdline_p)
+@@ -1193,19 +1193,7 @@ void __init setup_arch(char **cmdline_p)
  	/* Allocate bigger log buffer */
  	setup_log_buf(1);
  
@@ -55,11 +52,9 @@ index eb129277dcdd..7c4a6697e39d 100644
  
  	reserve_initrd();
  
-diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
-index e489fefd23da..f2dfae764fb5 100644
 --- a/drivers/firmware/efi/Makefile
 +++ b/drivers/firmware/efi/Makefile
-@@ -25,6 +25,7 @@ subdir-$(CONFIG_EFI_STUB)		+= libstub
+@@ -25,6 +25,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP)		+= fake_m
  obj-$(CONFIG_EFI_BOOTLOADER_CONTROL)	+= efibc.o
  obj-$(CONFIG_EFI_TEST)			+= test/
  obj-$(CONFIG_EFI_DEV_PATH_PARSER)	+= dev-path-parser.o
@@ -67,9 +62,6 @@ index e489fefd23da..f2dfae764fb5 100644
  obj-$(CONFIG_APPLE_PROPERTIES)		+= apple-properties.o
  obj-$(CONFIG_EFI_RCI2_TABLE)		+= rci2-table.o
  obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE)	+= embedded-firmware.o
-diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
-new file mode 100644
-index 000000000000..b6620669e32b
 --- /dev/null
 +++ b/drivers/firmware/efi/secureboot.c
 @@ -0,0 +1,39 @@
@@ -112,11 +104,9 @@ index 000000000000..b6620669e32b
 +		}
 +	}
 +}
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 80b21d1c6eaf..d267ddba8369 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -871,6 +871,14 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -871,6 +871,14 @@ extern int __init efi_setup_pcdp_console
  #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
  #define EFI_MEM_NO_SOFT_RESERVE	11	/* Is the kernel configured to ignore soft reservations? */
  #define EFI_PRESERVE_BS_REGIONS	12	/* Are EFI boot-services memory segments available? */
@@ -131,7 +121,7 @@ index 80b21d1c6eaf..d267ddba8369 100644
  
  #ifdef CONFIG_EFI
  /*
-@@ -895,6 +903,7 @@ static inline bool efi_rt_services_supported(unsigned int mask)
+@@ -895,6 +903,7 @@ static inline bool efi_rt_services_suppo
  	return (efi.runtime_supported_mask & mask) == mask;
  }
  extern void efi_find_mirror(void);
@@ -139,7 +129,7 @@ index 80b21d1c6eaf..d267ddba8369 100644
  #else
  static inline bool efi_enabled(int feature)
  {
-@@ -914,6 +923,7 @@ static inline bool efi_rt_services_supported(unsigned int mask)
+@@ -914,6 +923,7 @@ static inline bool efi_rt_services_suppo
  }
  
  static inline void efi_find_mirror(void) {}
@@ -147,7 +137,7 @@ index 80b21d1c6eaf..d267ddba8369 100644
  #endif
  
  extern int efi_status_to_err(efi_status_t status);
-@@ -1133,13 +1143,6 @@ static inline bool efi_runtime_disabled(void) { return true; }
+@@ -1133,13 +1143,6 @@ static inline bool efi_runtime_disabled(
  extern void efi_call_virt_check_flags(unsigned long flags, const void *caller);
  extern unsigned long efi_call_virt_save_flags(void);
  
@@ -161,6 +151,3 @@ index 80b21d1c6eaf..d267ddba8369 100644
  static inline
  enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
  {
--- 
-2.39.2
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0005-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch

@@ -1,7 +1,6 @@
-From fa96a2ef86466da0a43756ee39ce3b1cb555a55a Mon Sep 17 00:00:00 2001
 From: Ben Hutchings <ben@decadent.org.uk>
 Date: Tue, 10 Sep 2019 11:54:28 +0100
-Subject: [PATCH 2/4] efi: Lock down the kernel if booted in secure boot mode
+Subject: efi: Lock down the kernel if booted in secure boot mode
 
 Based on an earlier patch by David Howells, who wrote the following
 description:
@@ -18,18 +17,16 @@ help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that
 lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)]
 Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
 ---
- arch/x86/kernel/setup.c           |  4 ++--
+ arch/x86/kernel/setup.c           |    4 ++--
- drivers/firmware/efi/secureboot.c |  5 +++++
+ drivers/firmware/efi/secureboot.c |    3 +++
- include/linux/security.h          |  6 ++++++
+ include/linux/security.h          |    6 ++++++
- security/lockdown/Kconfig         | 15 +++++++++++++++
+ security/lockdown/Kconfig         |   15 +++++++++++++++
- security/lockdown/lockdown.c      |  2 +-
+ security/lockdown/lockdown.c      |    2 +-
- 5 files changed, 29 insertions(+), 3 deletions(-)
+ 5 files changed, 27 insertions(+), 3 deletions(-)
 
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 7c4a6697e39d..04e73973098e 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1028,6 +1028,8 @@ void __init setup_arch(char **cmdline_p)
+@@ -904,6 +904,8 @@ void __init setup_arch(char **cmdline_p)
  	if (efi_enabled(EFI_BOOT))
  		efi_init();
  
@@ -38,7 +35,7 @@ index 7c4a6697e39d..04e73973098e 100644
  	reserve_ibft_region();
  	x86_init.resources.dmi_setup();
  
-@@ -1190,8 +1192,6 @@ void __init setup_arch(char **cmdline_p)
+@@ -1070,8 +1072,6 @@ void __init setup_arch(char **cmdline_p)
  	/* Allocate bigger log buffer */
  	setup_log_buf(1);
  
@@ -47,8 +44,6 @@ index 7c4a6697e39d..04e73973098e 100644
  	reserve_initrd();
  
  	acpi_table_upgrade();
-diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
-index b6620669e32b..8f2554291fb1 100644
 --- a/drivers/firmware/efi/secureboot.c
 +++ b/drivers/firmware/efi/secureboot.c
 @@ -15,6 +15,7 @@
@@ -59,7 +54,7 @@ index b6620669e32b..8f2554291fb1 100644
  
  /*
   * Decide what to do when UEFI secure boot mode is enabled.
-@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
+@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi
  			break;
  		case efi_secureboot_mode_enabled:
  			set_bit(EFI_SECURE_BOOT, &efi.flags);
@@ -70,19 +65,17 @@ index b6620669e32b..8f2554291fb1 100644
  			pr_info("Secure boot enabled\n");
  			break;
  		default:
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 4bd0f6fc553e..08258ecbb5f9 100644
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
-@@ -486,6 +486,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
+@@ -522,6 +522,7 @@ int security_inode_notifysecctx(struct i
  int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
  int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
  int security_locked_down(enum lockdown_reason what);
 +int lock_kernel_down(const char *where, enum lockdown_reason level);
- #else /* CONFIG_SECURITY */
+ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
- 
+ 		      void *val, size_t val_len, u64 id, u64 flags);
- static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
+ int security_bdev_alloc(struct block_device *bdev);
-@@ -1404,6 +1405,11 @@ static inline int security_locked_down(enum lockdown_reason what)
+@@ -1504,6 +1505,11 @@ static inline int security_locked_down(e
  {
  	return 0;
  }
@@ -91,14 +84,12 @@ index 4bd0f6fc553e..08258ecbb5f9 100644
 +{
 +	return -EOPNOTSUPP;
 +}
- #endif	/* CONFIG_SECURITY */
+ static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
- 
+ 				    u32 *uctx_len, void *val, size_t val_len,
- #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
+ 				    u64 id, u64 flags)
-diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
-index e84ddf484010..4175b50b1e6e 100644
 --- a/security/lockdown/Kconfig
 +++ b/security/lockdown/Kconfig
-@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI
  	 disabled.
  
  endchoice
@@ -117,11 +108,9 @@ index e84ddf484010..4175b50b1e6e 100644
 +
 +	  Enabling this option results in kernel lockdown being
 +	  triggered in integrity mode if EFI Secure Boot is set.
-diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
-index 68d19632aeb7..67cc9839952f 100644
 --- a/security/lockdown/lockdown.c
 +++ b/security/lockdown/lockdown.c
-@@ -23,7 +23,7 @@ static const enum lockdown_reason lockdown_levels[] = {LOCKDOWN_NONE,
+@@ -24,7 +24,7 @@ static const enum lockdown_reason lockdo
  /*
   * Put the kernel into lock-down mode.
   */
@@ -130,6 +119,3 @@ index 68d19632aeb7..67cc9839952f 100644
  {
  	if (kernel_locked_down >= level)
  		return -EPERM;
--- 
-2.39.2
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0006-mtd-disable-slram-and-phram-when-locked-down.patch

@@ -1,7 +1,7 @@
-From bb8912cf807feab56cf8e924d33229d800ae71a6 Mon Sep 17 00:00:00 2001
 From: Ben Hutchings <ben@decadent.org.uk>
 Date: Fri, 30 Aug 2019 15:54:24 +0100
-Subject: [PATCH 3/4] mtd: phram,slram: Disable when the kernel is locked down
+Subject: mtd: phram,slram: Disable when the kernel is locked down
+Forwarded: https://lore.kernel.org/linux-security-module/20190830154720.eekfjt6c4jzvlbfz@decadent.org.uk/
 
 These drivers allow mapping arbitrary memory ranges as MTD devices.
 This should be disabled to preserve the kernel's integrity when it is
@@ -21,11 +21,9 @@ Cc: linux-mtd@lists.infradead.org
  drivers/mtd/devices/slram.c | 9 ++++++++-
  2 files changed, 13 insertions(+), 2 deletions(-)
 
-diff --git a/drivers/mtd/devices/phram.c b/drivers/mtd/devices/phram.c
-index 208bd4d871f4..30f84a91692d 100644
 --- a/drivers/mtd/devices/phram.c
 +++ b/drivers/mtd/devices/phram.c
-@@ -364,7 +364,11 @@ static int phram_param_call(const char *val, const struct kernel_param *kp)
+@@ -364,7 +364,11 @@ static int phram_param_call(const char *
  #endif
  }
  
@@ -38,8 +36,6 @@ index 208bd4d871f4..30f84a91692d 100644
  MODULE_PARM_DESC(phram, "Memory region to map. \"phram=<name>,<start>,<length>[,<erasesize>]\"");
  
  #ifdef CONFIG_OF
-diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
-index 28131a127d06..d92a2461e2ce 100644
 --- a/drivers/mtd/devices/slram.c
 +++ b/drivers/mtd/devices/slram.c
 @@ -43,6 +43,7 @@
@@ -77,6 +73,3 @@ index 28131a127d06..d92a2461e2ce 100644
  	while (map) {
  		devname = devstart = devlength = NULL;
  
--- 
-2.39.2
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0007-arm64-add-kernel-config-option-to-lock-down-when.patch

@@ -1,8 +1,8 @@
-From 8598238a38a333fed5ec0c8287f99813578370ab Mon Sep 17 00:00:00 2001
 From: Linn Crosetto <linn@hpe.com>
 Date: Tue, 30 Aug 2016 11:54:38 -0600
-Subject: [PATCH 4/4] arm64: add kernel config option to lock down when in
+Subject: arm64: add kernel config option to lock down when in Secure Boot mode
- Secure Boot mode
+Bug-Debian: https://bugs.debian.org/831827
+Forwarded: no
 
 Add a kernel configuration option to lock down the kernel, to restrict
 userspace's ability to modify the running kernel when UEFI Secure Boot is
@@ -32,17 +32,15 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
 [Salvatore Bonaccorso: Forward-ported to 5.10: f30f242fb131 ("efi: Rename
 arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]
 ---
- drivers/firmware/efi/efi-init.c    |  5 ++++-
+ drivers/firmware/efi/efi-init.c    |    5 ++++-
- drivers/firmware/efi/fdtparams.c   | 12 +++++++++++-
+ drivers/firmware/efi/fdtparams.c   |   12 +++++++++++-
- drivers/firmware/efi/libstub/fdt.c |  6 ++++++
+ drivers/firmware/efi/libstub/fdt.c |    6 ++++++
- include/linux/efi.h                |  3 ++-
+ include/linux/efi.h                |    3 ++-
  4 files changed, 23 insertions(+), 3 deletions(-)
 
-diff --git a/drivers/firmware/efi/efi-init.c b/drivers/firmware/efi/efi-init.c
-index 59b0d7197b68..e63f8a82d9f4 100644
 --- a/drivers/firmware/efi/efi-init.c
 +++ b/drivers/firmware/efi/efi-init.c
-@@ -204,9 +204,10 @@ void __init efi_init(void)
+@@ -213,9 +213,10 @@ void __init efi_init(void)
  {
  	struct efi_memory_map_data data;
  	u64 efi_system_table;
@@ -54,7 +52,7 @@ index 59b0d7197b68..e63f8a82d9f4 100644
  	if (!efi_system_table)
  		return;
  
-@@ -228,6 +229,8 @@ void __init efi_init(void)
+@@ -237,6 +238,8 @@ void __init efi_init(void)
  		return;
  	}
  
@@ -63,8 +61,6 @@ index 59b0d7197b68..e63f8a82d9f4 100644
  	reserve_regions();
  	/*
  	 * For memblock manipulation, the cap should come after the memblock_add().
-diff --git a/drivers/firmware/efi/fdtparams.c b/drivers/firmware/efi/fdtparams.c
-index 0ec83ba58097..81a0ac408cf5 100644
 --- a/drivers/firmware/efi/fdtparams.c
 +++ b/drivers/firmware/efi/fdtparams.c
 @@ -16,6 +16,7 @@ enum {
@@ -75,7 +71,7 @@ index 0ec83ba58097..81a0ac408cf5 100644
  
  	PARAMCOUNT
  };
-@@ -26,6 +27,7 @@ static __initconst const char name[][22] = {
+@@ -26,6 +27,7 @@ static __initconst const char name[][22]
  	[MMSIZE] = "MemMap Size          ",
  	[DCSIZE] = "MemMap Desc. Size    ",
  	[DCVERS] = "MemMap Desc. Version ",
@@ -99,7 +95,7 @@ index 0ec83ba58097..81a0ac408cf5 100644
  		}
  	}
  };
-@@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname,
+@@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const
  	int len;
  	u64 val;
  
@@ -111,7 +107,7 @@ index 0ec83ba58097..81a0ac408cf5 100644
  	prop = fdt_getprop(fdt, node, pname, &len);
  	if (!prop)
  		return 1;
-@@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname,
+@@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const
  	return 0;
  }
  
@@ -120,7 +116,7 @@ index 0ec83ba58097..81a0ac408cf5 100644
  {
  	const void *fdt = initial_boot_params;
  	unsigned long systab;
-@@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
+@@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi
  		[MMSIZE] = { &mm->size,		sizeof(mm->size) },
  		[DCSIZE] = { &mm->desc_size,	sizeof(mm->desc_size) },
  		[DCVERS] = { &mm->desc_version,	sizeof(mm->desc_version) },
@@ -128,11 +124,9 @@ index 0ec83ba58097..81a0ac408cf5 100644
  	};
  
  	BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));
-diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c
-index 6a337f1f8787..6c679da644dd 100644
 --- a/drivers/firmware/efi/libstub/fdt.c
 +++ b/drivers/firmware/efi/libstub/fdt.c
-@@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size,
+@@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *ori
  		}
  	}
  
@@ -145,20 +139,15 @@ index 6a337f1f8787..6c679da644dd 100644
  	/* Shrink the FDT back to its minimum size: */
  	fdt_pack(fdt);
  
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index d267ddba8369..fbce526768d3 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -756,7 +756,8 @@ extern void efi_mem_reserve(phys_addr_t addr, u64 size);
+@@ -764,7 +764,8 @@ extern int efi_mem_desc_lookup(u64 phys_
+ extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
+ extern void efi_mem_reserve(phys_addr_t addr, u64 size);
  extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
- extern void efi_initialize_iomem_resources(struct resource *code_resource,
- 		struct resource *data_resource, struct resource *bss_resource);
 -extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
 +extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
 +			      u32 *secure_boot);
  extern struct kobject *efi_kobj;
  
  extern int efi_reboot_quirk_mode;
--- 
-2.39.2
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch

@@ -0,0 +1,35 @@
+From 0890eb69da82aec12518a5c2998afea467a0e9d7 Mon Sep 17 00:00:00 2001
+From: Adrian Vladu <avladu@cloudbasesolutions.com>
+Date: Thu, 19 Sep 2024 07:59:59 +0000
+Subject: [PATCH] tools: hv: fix cross-compilation for ARM64
+
+---
+ tools/hv/Makefile | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/hv/Makefile b/tools/hv/Makefile
+index 2e60e2c212cd..d72554cedbf6 100644
+--- a/tools/hv/Makefile
++++ b/tools/hv/Makefile
+@@ -2,7 +2,9 @@
+ # Makefile for Hyper-V tools
+ include ../scripts/Makefile.include
+ 
++ifeq ($(ARCH),)
+ ARCH := $(shell uname -m 2>/dev/null)
++endif
+ sbindir ?= /usr/sbin
+ libexecdir ?= /usr/libexec
+ sharedstatedir ?= /var/lib
+@@ -20,7 +22,7 @@ override CFLAGS += -O2 -Wall -g -D_GNU_SOURCE -I$(OUTPUT)include
+ override CFLAGS += -Wno-address-of-packed-member
+ 
+ ALL_TARGETS := hv_kvp_daemon hv_vss_daemon
+-ifneq ($(ARCH), aarch64)
++ifeq ($(filter $(ARCH),aarch64 arm64),)
+ ALL_TARGETS += hv_fcopy_uio_daemon
+ endif
+ ALL_PROGRAMS := $(patsubst %,$(OUTPUT)%,$(ALL_TARGETS))
+-- 
+2.34.1
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0002-revert-pahole-flags.patch

@@ -1,53 +0,0 @@
-diff --git a/init/Kconfig b/init/Kconfig
-index e173364abd6c..cdc35682e03b 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1899,7 +1899,7 @@ config RUST
- 	depends on !GCC_PLUGINS
- 	depends on !RANDSTRUCT
- 	depends on !SHADOW_CALL_STACK
--	depends on !DEBUG_INFO_BTF || (PAHOLE_HAS_LANG_EXCLUDE && !LTO)
-+	depends on !DEBUG_INFO_BTF
- 	help
- 	  Enables Rust support in the kernel.
- 
-diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
-index da5513cfc125..f2b3aab6d4a1 100644
---- a/lib/Kconfig.debug
-+++ b/lib/Kconfig.debug
-@@ -394,15 +394,6 @@ config PAHOLE_HAS_BTF_TAG
- 	  btf_decl_tag) or not. Currently only clang compiler implements
- 	  these attributes, so make the config depend on CC_IS_CLANG.
- 
--config PAHOLE_HAS_LANG_EXCLUDE
--	def_bool PAHOLE_VERSION >= 124
--	help
--	  Support for the --lang_exclude flag which makes pahole exclude
--	  compilation units from the supplied language. Used in Kbuild to
--	  omit Rust CUs which are not supported in version 1.24 of pahole,
--	  otherwise it would emit malformed kernel and module binaries when
--	  using DEBUG_INFO_BTF_MODULES.
--
- config DEBUG_INFO_BTF_MODULES
- 	bool "Generate BTF type information for kernel modules"
- 	default y
-diff --git a/scripts/pahole-flags.sh b/scripts/pahole-flags.sh
-index 728d55190d97..c293941612e7 100755
---- a/scripts/pahole-flags.sh
-+++ b/scripts/pahole-flags.sh
-@@ -16,15 +16,5 @@ fi
- if [ "${pahole_ver}" -ge "121" ]; then
- 	extra_paholeopt="${extra_paholeopt} --btf_gen_floats"
- fi
--if [ "${pahole_ver}" -ge "122" ]; then
--	extra_paholeopt="${extra_paholeopt} -j"
--fi
--if [ "${pahole_ver}" -ge "124" ]; then
--	# see PAHOLE_HAS_LANG_EXCLUDE
--	extra_paholeopt="${extra_paholeopt} --lang_exclude=rust"
--fi
--if [ "${pahole_ver}" -ge "125" ]; then
--	extra_paholeopt="${extra_paholeopt} --skip_encoding_btf_inconsistent_proto --btf_gen_optimized"
--fi
- 
- echo ${extra_paholeopt}