init commit

cpupower.config

@@ -0,0 +1,3 @@
+# See 'cpupower help' and cpupower(1) for more info
+CPUPOWER_START_OPTS="frequency-set -g performance"
+CPUPOWER_STOP_OPTS="frequency-set -g ondemand"

cpupower.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Configure CPU power related settings
+After=syslog.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/sysconfig/cpupower
+ExecStart=/usr/bin/cpupower $CPUPOWER_START_OPTS
+ExecStop=/usr/bin/cpupower $CPUPOWER_STOP_OPTS
+
+[Install]
+WantedBy=multi-user.target

filter-aarch64.sh

@@ -0,0 +1,18 @@
+#! /bin/bash
+
+# This is the aarch64 override file for the core/drivers package split.  The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below.  If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn leds media memstick message mmc mtd mwave nfc ntb pcmcia platform power ssb staging tty uio uwb w1"
+
+ethdrvs="3com adaptec arc alteon atheros broadcom cadence calxeda chelsio cisco dec dlink emulex icplus marvell micrel myricom neterion nvidia oki-semi packetengines qlogic rdc renesas sfc silan sis smsc stmicro sun tehuti ti via wiznet xircom"
+
+drmdrvs="amd arm bridge ast exynos hisilicon i2c imx mgag200 meson msm nouveau panel radeon rockchip tegra sun4i tinydrm vc4"
+
+singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qedi qla1280 9pnet_rdma rpcrdma nvmet-rdma nvme-rdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user sbp_target cxgbit iw_cxgb3 iw_cxgb4 cxgb3i cxgb3i cxgb3i_ddp cxgb4i chcr chtls"

filter-modules.sh

@@ -0,0 +1,169 @@
+#! /bin/bash
+#
+# Called as filter-modules.sh list-of-modules Arch
+
+# This script filters the modules into the kernel-core and kernel-modules
+# subpackages.  We list out subsystems/subdirs to prune from the installed
+# module directory.  What is left is put into the kernel-core package.  What is
+# pruned is contained in the kernel-modules package.
+#
+# This file contains the default subsys/subdirs to prune from all architectures.
+# If an architecture needs to differ, we source a per-arch filter-<arch>.sh file
+# that contains the set of override lists to be used instead.  If a module or
+# subsys should be in kernel-modules on all arches, please change the defaults
+# listed here.
+
+# Overrides is individual modules which need to remain in kernel-core due to deps.
+overrides="cec"
+
+# Set the default dirs/modules to filter out
+driverdirs="atm auxdisplay bcma bluetooth firewire fmc iio infiniband isdn leds media memstick mfd mmc mtd nfc ntb pcmcia platform power ssb staging tty uio uwb w1"
+
+chardrvs="mwave pcmcia"
+
+netdrvs="appletalk can dsa hamradio ieee802154 irda ppp slip usb wireless"
+
+ethdrvs="3com adaptec alteon amd aquantia atheros broadcom cadence calxeda chelsio cisco dec dlink emulex icplus marvell neterion nvidia oki-semi packetengines qlogic rdc renesas sfc silan sis smsc stmicro sun tehuti ti wiznet xircom"
+
+inputdrvs="gameport tablet touchscreen"
+
+scsidrvs="aacraid aic7xxx aic94xx be2iscsi bfa bnx2i bnx2fc csiostor cxgbi esas2r fcoe fnic hisi_sas isci libsas lpfc megaraid mpt2sas mpt3sas mvsas pm8001 qla2xxx qla4xxx sym53c8xx_2 ufs qedf"
+
+usbdrvs="atm image misc serial wusbcore"
+
+fsdrvs="affs befs cifs coda cramfs ecryptfs hfs hfsplus jfs minix ncpfs nilfs2 ocfs2 reiserfs romfs squashfs sysv ubifs ufs"
+
+netprots="6lowpan appletalk atm ax25 batman-adv bluetooth can dccp dsa ieee802154 irda l2tp mac80211 mac802154 mpls netrom nfc rds rfkill rose sctp smc wireless"
+
+drmdrvs="amd ast gma500 i2c i915 mgag200 nouveau radeon via "
+
+singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qedi qla1280 9pnet_rdma rpcrdma nvmet-rdma nvme-rdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject hid-sensor-hub target_core_user sbp_target cxgbit iw_cxgb3 iw_cxgb4 cxgb3i cxgb3i cxgb3i_ddp cxgb4i chcr chtls parport_serial ism regmap-sdw regmap-sdw-mbq arizona-micsupp hid-asus"
+
+# Grab the arch-specific filter list overrides
+source ./filter-$2.sh
+
+filter_dir() {
+	filelist=$1
+	dir=$2
+
+	grep -v -e "${dir}/" ${filelist} > ${filelist}.tmp
+
+	if [ $? -ne 0 ]
+	then
+		echo "Couldn't remove ${dir}.  Skipping."
+	else
+		grep -e "${dir}/" ${filelist} >> k-d.list
+		mv ${filelist}.tmp $filelist
+	fi
+	
+	return 0
+}
+
+filter_ko() {
+	filelist=$1
+	mod=$2
+
+	grep -v -e "${mod}.ko" ${filelist} > ${filelist}.tmp
+
+	if [ $? -ne 0 ]
+	then
+		echo "Couldn't remove ${mod}.ko  Skipping."
+	else
+		grep -e "${mod}.ko" ${filelist} >> k-d.list
+		mv ${filelist}.tmp $filelist
+	fi
+	
+	return 0
+}
+
+# Filter the drivers/ subsystems
+for subsys in ${driverdirs}
+do
+	filter_dir $1 drivers/${subsys}
+done
+
+# Filter the networking drivers
+for netdrv in ${netdrvs}
+do
+	filter_dir $1 drivers/net/${netdrv}
+done
+
+# Filter the char drivers
+for char in ${chardrvs}
+do
+	filter_dir $1 drivers/char/${char}
+done
+
+# Filter the ethernet drivers
+for eth in ${ethdrvs}
+do
+	filter_dir $1 drivers/net/ethernet/${eth}
+done
+
+# SCSI
+for scsi in ${scsidrvs}
+do
+	filter_dir $1 drivers/scsi/${scsi}
+done
+
+# Input
+for input in ${inputdrvs}
+do
+	filter_dir $1 drivers/input/${input}
+done
+
+# USB
+for usb in ${usbdrvs}
+do
+	filter_dir $1 drivers/usb/${usb}
+done
+
+# Filesystems
+for fs in ${fsdrvs}
+do
+	filter_dir $1 fs/${fs}
+done
+
+# Network protocols
+for prot in ${netprots}
+do
+	filter_dir $1 kernel/net/${prot}
+done
+
+# DRM
+for drm in ${drmdrvs}
+do
+	filter_dir $1 drivers/gpu/drm/${drm}
+done
+
+# Just kill sound.
+filter_dir $1 kernel/sound
+filter_dir $1 kernel/drivers/soundwire
+
+# Now go through and filter any single .ko files that might have deps on the
+# things we filtered above
+for mod in ${singlemods}
+do
+        filter_ko $1 ${mod}
+done
+
+# Now process the override list to bring those modules back into core
+for mod in ${overrides}
+do
+	grep -v -e "/${mod}.ko" k-d.list > k-d.list.tmp
+	if [ $? -ne 0 ]
+        then
+                echo "Couldn't save ${mod}.ko  Skipping."
+        else
+                grep -e "/${mod}.ko" k-d.list >> $filelist
+                mv k-d.list.tmp k-d.list
+        fi
+
+done
+
+# Go through our generated drivers list and remove the .ko files.  We'll
+# restore them later.
+for mod in `cat k-d.list`
+do
+	rm -rf $mod
+done

filter-x86_64.sh

@@ -0,0 +1,12 @@
+#! /bin/bash
+
+# This is the x86_64 override file for the core/drivers package split.  The
+# module directories listed here and in the generic list in filter-modules.sh
+# will be moved to the resulting kernel-modules package for this arch.
+# Anything not listed in those files will be in the kernel-core package.
+#
+# Please review the default list in filter-modules.sh before making
+# modifications to the overrides below.  If something should be removed across
+# all arches, remove it in the default instead of per-arch.
+
+# Defaults work so no need to override

kvm_stat.logrotate

@@ -0,0 +1,11 @@
+/var/log/kvm_stat.csv {
+	size 10M
+	missingok
+	compress
+	maxage 30
+	rotate 5
+	nodateext
+	postrotate
+		/usr/bin/systemctl try-restart kvm_stat.service
+	endscript
+}

mod-denylist.sh

@@ -0,0 +1,164 @@
+#! /bin/bash
+# shellcheck disable=SC2164
+
+RpmDir=$1
+ModDir=$2
+Dir="$1/$2"
+# Note the list filename must have the format mod-[PACKAGE].list, for example,
+# mod-internal.list or mod-extra.list.  The PACKAGE is used to create a
+# override directory for the modules.
+List=$3
+Dest="$4"
+
+blacklist()
+{
+	cat > "$RpmDir/etc/modprobe.d/$1-blacklist.conf" <<-__EOF__
+	# This kernel module can be automatically loaded by non-root users. To
+	# enhance system security, the module is blacklisted by default to ensure
+	# system administrators make the module available for use as needed.
+	# See https://access.redhat.com/articles/3760101 for more details.
+	#
+	# Remove the blacklist by adding a comment # at the start of the line.
+	blacklist $1
+__EOF__
+}
+
+check_blacklist()
+{
+	mod=$(find "$RpmDir/$ModDir" -name "$1")
+	[ ! "$mod" ] && return 0
+	if modinfo "$mod" | grep -q '^alias:\s\+net-'; then
+		mod="${1##*/}"
+		mod="${mod%.ko*}"
+		echo "$mod has an alias that allows auto-loading. Blacklisting."
+		blacklist "$mod"
+	fi
+}
+
+find_depends()
+{
+	dep=$1
+	depends=$(modinfo "$dep" | sed -n -e "/^depends/ s/^depends:[ \t]*//p")
+	[ -z "$depends" ] && exit
+	for mod in ${depends//,/ }
+	do
+		match=$(grep "^$mod.ko" "$ListName")
+		[ -z "$match" ] && continue
+		# check if the module we are looking at is in mod-* too.
+		# if so we do not need to mark the dep as required.
+		mod2=${dep##*/}  # same as $(basename $dep), but faster
+		match2=$(grep "^$mod2" "$ListName")
+		if [ -n "$match2" ]
+		then
+			#echo $mod2 >> notreq.list
+			continue
+		fi
+		echo "$mod".ko >> req.list
+	done
+}
+
+foreachp()
+{
+	P=$(nproc)
+	bgcount=0
+	while read -r mod; do
+		$1 "$mod" &
+
+		bgcount=$((bgcount + 1))
+		if [ $bgcount -eq "$P" ]; then
+			wait -n
+			bgcount=$((bgcount - 1))
+		fi
+	done
+
+	wait
+}
+
+# Destination was specified on the command line
+test -n "$4" && echo "$0: Override Destination $Dest has been specified."
+
+pushd "$Dir"
+
+OverrideDir=$(basename "$List")
+OverrideDir=${OverrideDir%.*}
+OverrideDir=${OverrideDir#*-}
+mkdir -p "$OverrideDir"
+
+rm -rf modnames
+find . -name "*.ko" -type f > modnames
+# Look through all of the modules, and throw any that have a dependency in
+# our list into the list as well.
+rm -rf dep.list dep2.list
+rm -rf req.list req2.list
+touch dep.list req.list
+cp "$List" .
+
+# This variable needs to be exported because it is used in sub-script
+# executed by xargs
+ListName=$(basename "$List")
+export ListName
+
+foreachp find_depends < modnames
+
+sort -u req.list > req2.list
+sort -u "$ListName" > modules2.list
+join -v 1 modules2.list req2.list > modules3.list
+
+while IFS= read -r mod
+do
+    # get the path for the module
+    modpath=$(grep /"$mod" modnames)
+    [ -z "$modpath" ] && continue
+    echo "$modpath" >> dep.list
+done < modules3.list
+
+sort -u dep.list > dep2.list
+
+if [ -n "$Dest" ]; then
+    # now move the modules into the $Dest directory
+    while IFS= read -r mod
+    do
+	newpath=$(dirname "$mod" | sed -e "s/kernel\\//$Dest\//")
+	mkdir -p "$newpath"
+	mv "$mod" "$newpath"
+	echo "$mod" | sed -e "s/kernel\\//$Dest\//" | sed -e "s|^.|${ModDir}|g" >> "$RpmDir"/"$ListName"
+    done < dep2.list
+fi
+
+popd
+
+# If we're signing modules, we can't leave the .mod files for the .ko files
+# we've moved in .tmp_versions/.  Remove them so the Kbuild 'modules_sign'
+# target doesn't try to sign a non-existent file.  This is kinda ugly, but
+# so are the modules-* packages.
+
+while IFS= read -r mod
+do
+  modfile=$(basename "$mod" | sed -e 's/.ko/.mod/')
+  rm -f .tmp_versions/"$modfile"
+done < "$Dir"/dep2.list
+
+if [ -z "$Dest" ]; then
+	sed -e "s|^.|${ModDir}|g" "$Dir"/dep2.list > "$RpmDir/$ListName"
+	echo "./$RpmDir/$ListName created."
+	[ -d "$RpmDir/etc/modprobe.d/" ] || mkdir -p "$RpmDir/etc/modprobe.d/"
+	foreachp check_blacklist < "$List"
+fi
+
+# Many BIOS-es export a PNP-id which causes the floppy driver to autoload
+# even though most modern systems don't have a 3.5" floppy driver anymore
+# this replaces the old die_floppy_die.patch which removed the PNP-id from
+# the module
+
+floppylist=("$RpmDir"/"$ModDir"/kernel/drivers/block/floppy.ko*)
+if [[ -n ${floppylist[0]} && -f ${floppylist[0]} ]]; then
+     blacklist "floppy"
+fi
+
+# avoid an empty kernel-extra package
+echo "$ModDir/$OverrideDir" >> "$RpmDir/$ListName"
+
+pushd "$Dir"
+rm -f modnames dep.list dep2.list req.list req2.list
+rm -f "$ListName" modules2.list modules3.list
+popd

mod-extra.list

@@ -0,0 +1,192 @@
+6pack.ko
+a3d.ko
+act200l-sir.ko
+actisys-sir.ko
+adi.ko
+aer_inject.ko
+af_802154.ko
+affs.ko
+ali-ircc.ko
+analog.ko
+appletalk.ko
+atm.ko
+avma1_cs.ko
+avm_cs.ko
+avmfritz.ko
+ax25.ko
+b1.ko
+bas_gigaset.ko
+batman-adv.ko
+baycom_par.ko
+baycom_ser_fdx.ko
+baycom_ser_hdx.ko
+befs.ko
+bpqether.ko
+br2684.ko
+capi.ko
+c_can.ko
+c_can_platform.ko
+clip.ko
+cobra.ko
+coda.ko
+cuse.ko
+db9.ko
+dccp_diag.ko
+dccp_ipv4.ko
+dccp_ipv6.ko
+dccp.ko
+dccp_probe.ko
+diva_idi.ko
+divas.ko
+ds1wm.ko
+ds2482.ko
+ds2490.ko
+dss1_divert.ko
+elsa_cs.ko
+ems_pci.ko
+ems_usb.ko
+esd_usb2.ko
+esi-sir.ko
+gamecon.ko
+gf2k.ko
+gigaset.ko
+girbil-sir.ko
+grip.ko
+grip_mp.ko
+guillemot.ko
+hdlcdrv.ko
+hfc4s8s_l1.ko
+hfcmulti.ko
+hfcpci.ko
+hisax.ko
+hwa-rc.ko
+hysdn.ko
+i2400m.ko
+i2400m-sdio.ko
+i2400m-usb.ko
+ieee802154.ko
+iforce.ko
+interact.ko
+ipddp.ko
+ipx.ko
+isdn.ko
+joydump.ko
+kingsun-sir.ko
+ks959-sir.ko
+ksdazzle-sir.ko
+kvaser_pci.ko
+l2tp_core.ko
+l2tp_debugfs.ko
+l2tp_eth.ko
+l2tp_ip.ko
+l2tp_ip6.ko
+l2tp_netlink.ko
+l2tp_ppp.ko
+lec.ko
+ma600-sir.ko
+magellan.ko
+mcp2120-sir.ko
+mISDN_core.ko
+mISDN_dsp.ko
+mkiss.ko
+mptbase.ko
+mptctl.ko
+mptfc.ko
+nci.ko
+ncpfs.ko
+netjet.ko
+netrom.ko
+nfc.ko
+nilfs2.ko
+ocfs2_dlmfs.ko
+ocfs2_dlm.ko
+ocfs2.ko
+ocfs2_nodemanager.ko
+ocfs2_stackglue.ko
+ocfs2_stack_o2cb.ko
+ocfs2_stack_user.ko
+old_belkin-sir.ko
+orinoco_cs.ko
+orinoco.ko
+orinoco_nortel.ko
+orinoco_pci.ko
+orinoco_plx.ko
+orinoco_usb.ko
+plx_pci.ko
+pn_pep.ko
+pppoatm.ko
+rds.ko
+rds_rdma.ko
+rds_tcp.ko
+rose.ko
+sch_atm.ko
+sch_cbq.ko
+sch_choke.ko
+sch_drr.ko
+sch_dsmark.ko
+sch_gred.ko
+sch_mqprio.ko
+sch_multiq.ko
+sch_netem.ko
+sch_qfq.ko
+sch_red.ko
+sch_sfb.ko
+sch_teql.ko
+sctp.ko
+sctp_diag.ko
+sctp_probe.ko
+sidewinder.ko
+sja1000.ko
+sja1000_platform.ko
+slcan.ko
+slip.ko
+softing_cs.ko
+softing.ko
+spaceball.ko
+spaceorb.ko
+stinger.ko
+sysv.ko
+tcp_bic.ko
+tcp_highspeed.ko
+tcp_htcp.ko
+tcp_hybla.ko
+tcp_illinois.ko
+tcp_lp.ko
+tcp_scalable.ko
+tcp_vegas.ko
+tcp_veno.ko
+tcp_westwood.ko
+tcp_yeah.ko
+tekram-sir.ko
+tmdc.ko
+toim3232-sir.ko
+trancevibrator.ko
+turbografx.ko
+twidjoy.ko
+ubifs.ko
+ufs.ko
+umc.ko
+usbip-core.ko
+usbip-host.ko
+uwb.ko
+vcan.ko
+vhci-hcd.ko
+w1_bq27000.ko
+w1_ds2408.ko
+w1_ds2423.ko
+w1_ds2431.ko
+w1_ds2433.ko
+w1_ds2760.ko
+w1_ds2780.ko
+w1_ds2781.ko
+w1_ds28e04.ko
+w1_smem.ko
+w1_therm.ko
+w6692.ko
+walkera0701.ko
+wanrouter.ko
+warrior.ko
+whci.ko
+wire.ko
+yam.ko
+zhenhua.ko

mod-sign.sh

@@ -0,0 +1,37 @@
+#! /bin/bash
+
+# The modules_sign target checks for corresponding .o files for every .ko that
+# is signed. This doesn't work for package builds which re-use the same build
+# directory for every variant, and the .config may change between variants.
+# So instead of using this script to just sign lib/modules/$KernelVer/extra,
+# sign all .ko in the buildroot.
+
+# This essentially duplicates the 'modules_sign' Kbuild target and runs the
+# same commands for those modules.
+
+MODSECKEY=$1
+MODPUBKEY=$2
+moddir=$3
+
+modules=$(find "$moddir" -type f -name '*.ko')
+
+NPROC=$(nproc)
+[ -z "$NPROC" ] && NPROC=1
+
+# NB: this loop runs 2000+ iterations. Try to be fast.
+echo "$modules" | xargs -r -n16 -P $NPROC sh -c "
+for mod; do
+    ./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$mod
+    rm -f \$mod.sig \$mod.dig
+done
+" DUMMYARG0   # xargs appends ARG1 ARG2..., which go into $mod in for loop.
+
+RANDOMMOD=$(echo "$modules" | sort -R | head -n 1)
+if [ "~Module signature appended~" != "$(tail -c 28 "$RANDOMMOD")" ]; then
+    echo "*****************************"
+    echo "*** Modules are unsigned! ***"
+    echo "*****************************"
+    exit 1
+fi
+
+exit 0

x509.genkey

@@ -0,0 +1,16 @@
+[ req ]
+default_bits = 3072
+distinguished_name = req_distinguished_name
+prompt = no
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = Red Hat
+CN = Red Hat Enterprise Linux kernel signing key
+emailAddress = secalert@redhat.com
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid