Skip to content

[CIQ 6.18] Rebase to v6.18.6 #828

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bmastbergen merged 9 commits into from
Jan 22, 2026
Merged

[CIQ 6.18] Rebase to v6.18.6 #828

bmastbergen merged 9 commits into from
Jan 22, 2026

Conversation

@ciq-kernel-automation
Copy link

@ciq-kernel-automation ciq-kernel-automation bot commented Jan 21, 2026
edited by bmastbergen
Loading

https://ciqinc.atlassian.net/browse/KERNEL-425

Automated Rebase to v6.18.6

Config Changes

None

Build Log

/__w/kernel-src-tree/kernel-src-tree/kernel-src-tree
Running make mrproper...
  CLEAN   scripts/basic
  CLEAN   scripts/kconfig
  CLEAN   include/config include/generated .config .config.old
[TIMER]{MRPROPER}: 3s
x86_64 architecture detected, copying config
'ciq/configs/kernel-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-automation_tmp_ciq-6.18.y-next-d6e39b3366a6"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  WRAP    arch/x86/include/generated/uapi/asm/bpf_perf_event.h
  GEN     arch/x86/include/generated/asm/orc_hash.h
  WRAP    arch/x86/include/generated/uapi/asm/errno.h
  WRAP    arch/x86/include/generated/uapi/asm/fcntl.h
  WRAP    arch/x86/include/generated/uapi/asm/ioctl.h
--
  LD [M]  net/qrtr/qrtr-mhi.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] net/qrtr/qrtr-mhi.ko
  BTF [M] virt/lib/irqbypass.ko
  BTF [M] net/mac80211/mac80211.ko
[TIMER]{BUILD}: 2128s
Making Modules
  SYMLINK /lib/modules/6.18.6-automation_tmp_ciq-6.18.y-next-d6e39b3366a6+/build
  INSTALL /lib/modules/6.18.6-automation_tmp_ciq-6.18.y-next-d6e39b3366a6+/modules.order
  INSTALL /lib/modules/6.18.6-automation_tmp_ciq-6.18.y-next-d6e39b3366a6+/modules.builtin
  INSTALL /lib/modules/6.18.6-automation_tmp_ciq-6.18.y-next-d6e39b3366a6+/modules.builtin.modinfo
--
  STRIP   /lib/modules/6.18.6-automation_tmp_ciq-6.18.y-next-d6e39b3366a6+/kernel/net/qrtr/qrtr-mhi.ko
  STRIP   /lib/modules/6.18.6-automation_tmp_ciq-6.18.y-next-d6e39b3366a6+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/6.18.6-automation_tmp_ciq-6.18.y-next-d6e39b3366a6+/kernel/net/qrtr/qrtr-mhi.ko
  SIGN    /lib/modules/6.18.6-automation_tmp_ciq-6.18.y-next-d6e39b3366a6+/kernel/virt/lib/irqbypass.ko
  DEPMOD  /lib/modules/6.18.6-automation_tmp_ciq-6.18.y-next-d6e39b3366a6+
[TIMER]{MODULES}: 11s
Making Install
  INSTALL /boot
dracut: WARNING: running in hostonly mode in a container!!
[TIMER]{INSTALL}: 15s
Skipping kABI check
Setting Default Kernel to /boot/vmlinuz-6.18.6-automation_tmp_ciq-6.18.y-next-d6e39b3366a6+ and Index to 0

Testing

Selftests passed: 576 tests
Previous: 578 tests (PR #802)

Artifacts

bmastbergen and others added 9 commits January 21, 2026 16:09
@bmastbergen @github-actions
Add CIQ configs
25be618 
Adding configs based of Fedora-ARK default config from 6.18.2.
@bmastbergen @github-actions
Add initial CIQ config tweaks
877e548 
We are modifying these with the following configs where available
CONFIG_MODIFY_LDT_SYSCALL=n
CONFIG_LEGACY_VSYSCALL_NONE=n
These options are for old software support which adds performance
overhead and potential attack surfaces with go against the CIQ LT
kernels priority of performance and security.

CONFIG_LIVEPATCH=n
We do not have Live patching on for any road-map

CONFIG_WQ_POWER_EFFICIENT_DEFAULT=y
This should be enabled, it often improves performance funnily enough

CONFIG_PREEMPT_VOLUNTARY=y
CONFIG_HZ=100
These are set to increase throughput CONFIG_PREEMPT_VOLUNTARY=y
(default
Fedora config) but CONFIG_HZ=100 for higher throughput over the
x86_64
default of CONFIG_HZ=1000 which provides lower latency.

After modification 'make CROSS_COMPILE=./scripts/dummy-tools/' was
run
@PlaidCat @github-actions
github actions: Make Builds on Merge Request Work
723cc16 
Setting up the default build configs to ensure everything builds when we
update and rebase.
@github-actions
arm64: add kernel config option to lock down when in Secure Boot mode
bd82cbf 
jira LE-2629
feature Additional SecureBoot patches for dynamic lockdown
commit b24fbd012b781b752cc51d6ef1fe1c6d5875ae87
commit-source https://salsa.debian.org/kernel-team/linux.git
commit-patch-path debian/patches/features/all/lockdown
commit-info Checkout the commit sha above and move to the directory
            listed above to find Debian patches matching this commits
	    summary line.

Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.

Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.

Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.15 and lockdown patch set:
 - Pass result of efi_get_secureboot() in stub through to
   efi_set_secure_boot() in main kernel
 - Use lockdown API and naming]
[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
[bwh: Drop call to init_lockdown(), as efi_set_secure_boot() now calls this]
[bwh: Forward-ported to 5.6: efi_get_secureboot() no longer takes a
 sys_table parameter]
[bwh: Forward-ported to 5.7: EFI initialisation from FDT was rewritten, so:
 - Add Secure Boot mode to the parameter enumeration in fdtparams.c
 - Add a parameter to efi_get_fdt_params() to return the Secure Boot mode
 - Since Xen does not have a property name defined for Secure Boot mode,
   change efi_get_fdt_prop() to handle a missing property name by clearing
   the output variable]
[Salvatore Bonaccorso: Forward-ported to 5.10: f30f242 ("efi: Rename
arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]

Signed-off-by: Jonathan Maple <jmaple@ciq.com>
@dhowells @github-actions
efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
59fdc5f 
jira LE-2629
feature Additional SecureBoot patches for dynamic lockdown
commit b24fbd012b781b752cc51d6ef1fe1c6d5875ae87
commit-source https://salsa.debian.org/kernel-team/linux.git
commit-patch-path debian/patches/features/all/lockdown
commit-info Checkout the commit sha above and move to the directory
            listed above to find Debian patches matching this commits
            summary line.
UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.

Move the switch-statement in x86's setup_arch() that inteprets the
secure_boot boot parameter to generic code and set the bit there.

Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
[rperier: Forward-ported to 5.5:
 - Use pr_warn()
 - Adjust context]
[bwh: Forward-ported to 5.6: adjust context]
[bwh: Forward-ported to 5.7:
 - Use the next available bit in efi.flags
 - Adjust context]
Signed-off-by: Jonathan Maple <jmaple@ciq.com>

Revert "efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode"

This reverts commit 4047f887e98539d07d664eaa6699d9c8fb6c0ca4.
@bwhacks @github-actions
efi: Lock down the kernel if booted in secure boot mode
a12c9c3 
jira LE-2629
feature Additional SecureBoot patches for dynamic lockdown
commit b24fbd012b781b752cc51d6ef1fe1c6d5875ae87
commit-source https://salsa.debian.org/kernel-team/linux.git
commit-patch-path debian/patches/features/all/lockdown
commit-info Checkout the commit sha above and move to the directory
            listed above to find Debian patches matching this commits
            summary line.

Based on an earlier patch by David Howells, who wrote the following
description:

> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels.  Certain use cases may also
> require that all kernel modules also be signed.  Add a configuration option
> that to lock down the kernel - which includes requiring validly signed
> modules - if the kernel is secure-booted.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[Salvatore Bonaccorso: After fixing https://bugs.debian.org/956197 the
help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that
lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)]
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
@bwhacks @github-actions
mtd: phram,slram: Disable when the kernel is locked down
47fa223 
jira LE-2629
feature Additional SecureBoot patches for dynamic lockdown
commit b24fbd012b781b752cc51d6ef1fe1c6d5875ae87
commit-source https://salsa.debian.org/kernel-team/linux.git
commit-patch-path debian/patches/features/all/lockdown
commit-info Checkout the commit sha above and move to the directory
            listed above to find Debian patches matching this commits
            summary line.

These drivers allow mapping arbitrary memory ranges as MTD devices.
This should be disabled to preserve the kernel's integrity when it is
locked down.

* Add the HWPARAM flag to the module parameters
* When slram is built-in, it uses __setup() to read kernel parameters,
  so add an explicit check security_locked_down() check

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Matthew Garrett <mjg59@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Joern Engel <joern@lazybastard.org>
Cc: linux-mtd@lists.infradead.org
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
@vathpela @github-actions
Add efi_status_to_str() and rework efi_status_to_err().
2b72070 
jira LE-2629
feature Fedora EFI status status
ommit 7a60169d168d6aae70aca10b7b71070666068529
commit-source https://gitlab.com/cki-project/kernel-ark/

This adds efi_status_to_str() for use when printing efi_status_t
messages, and reworks efi_status_to_err() so that the two use a common
list of errors.

Upstream Status: RHEL only
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
@github-actions
[CIQ] v6.18.3 - rebased configs
d6e39b3 
CONFIG_SPI_MICROCHIP_CORE is no longer a valid config option in 6.18.3
 spi: microchip: rename driver file and internal identifiers
 Upstream 71c814e
@bmastbergen bmastbergen changed the title TESTING TESTING TESTING [CIQ 6.18] Rebase to v6.18.6 [CIQ 6.18] Rebase to v6.18.6 Jan 21, 2026
PlaidCat
PlaidCat approved these changes Jan 21, 2026
View reviewed changes
Copy link
Collaborator

@PlaidCat PlaidCat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@bmastbergen bmastbergen requested a review from a team January 22, 2026 14:17
@bmastbergen bmastbergen merged commit d6e39b3 into ciq-6.18.y-next Jan 22, 2026
6 checks passed
@bmastbergen bmastbergen deleted the {automation_tmp}_ciq-6.18.y-next branch January 22, 2026 15:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roxanan1996 roxanan1996 roxanan1996 approved these changes

@PlaidCat PlaidCat PlaidCat approved these changes

@bmastbergen bmastbergen Awaiting requested review from bmastbergen

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@roxanan1996 @PlaidCat @bmastbergen @dhowells @bwhacks @vathpela