Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kernel: Update to 5.10.192, 5.15.128, and 6.1.49 #3441

Merged
merged 4 commits into from
Sep 12, 2023
Merged

kernel: Update to 5.10.192, 5.15.128, and 6.1.49 #3441

merged 4 commits into from
Sep 12, 2023

Conversation

foersleo
Copy link
Contributor

@foersleo foersleo commented Sep 11, 2023
edited
Loading

Issue number: n/a

Description of changes:

Update kernels to latest AL kernels available in the repositories. With those updates we ingest upstream variants for the Zenbleed fix from #3300 for 5.10, so drop the downstream backports. We are further ingesting upstream variants for the AMD Div0 fix from #3373 for 5.10, 5.15, and 6.1, so drop the downstream backports for these as well.

In addition I did drop one downstream patch from Amazon Linux that seems to be an artifact of not properly cleaning up a downstream backport of a patch that landed in the upstream series for 5.10.

Testing done:

Sonobuoy quick test results show basic functionality:

]> kubectl get nodes -o wide
NAME                                              STATUS   ROLES    AGE     VERSION                INTERNAL-IP      EXTERNAL-IP    OS-IMAGE                                KERNEL-VERSION   CONTAINER-RUNTIME
ip-192-168-65-137.eu-central-1.compute.internal   Ready    <none>   3m24s   v1.23.17-eks-bbbebb8   192.168.65.137   3.75.171.224   Bottlerocket OS 1.15.0 (aws-k8s-1.23)   5.10.192         containerd://1.6.23+bottlerocket
ip-192-168-80-71.eu-central-1.compute.internal    Ready    <none>   2m34s   v1.28.1-eks-f0272c7    192.168.80.71    3.76.34.67     Bottlerocket OS 1.15.0 (aws-k8s-1.28)   6.1.49           containerd://1.6.23+bottlerocket
ip-192-168-89-142.eu-central-1.compute.internal   Ready    <none>   2m58s   v1.27.4-eks-cedffd4    192.168.89.142   3.121.74.166   Bottlerocket OS 1.15.0 (aws-k8s-1.27)   5.15.128         containerd://1.6.23+bottlerocket

]> sonobuoy run --mode=quick --wait
[...]
17:23:40             e2e                                            global   complete   passed   Passed:  1, Failed:  0, Remaining:  0
17:23:40    systemd-logs   ip-192-168-65-137.eu-central-1.compute.internal   complete   passed                                        
17:23:40    systemd-logs    ip-192-168-80-71.eu-central-1.compute.internal   complete   passed                                        
17:23:40    systemd-logs   ip-192-168-89-142.eu-central-1.compute.internal   complete   passed                                        
17:23:40 Sonobuoy has completed. Use `sonobuoy retrieve` to get results.

Config diff reports some changes:

config-aarch64-aws-dev-diff:      0 removed,   6 added,   1 changed
config-aarch64-aws-k8s-1.23-diff:         0 removed,   0 added,   0 changed
config-aarch64-aws-k8s-1.27-diff:         0 removed,   3 added,   0 changed
config-aarch64-metal-dev-diff:    0 removed,   6 added,   1 changed
config-x86_64-aws-dev-diff:       0 removed,   8 added,   1 changed
config-x86_64-aws-k8s-1.23-diff:          0 removed,   3 added,   0 changed
config-x86_64-aws-k8s-1.27-diff:          0 removed,   3 added,   0 changed
config-x86_64-metal-dev-diff:     0 removed,   8 added,   1 changed
config-x86_64-metal-k8s-1.23-diff:        0 removed,   3 added,   0 changed
config-x86_64-metal-k8s-1.27-diff:        0 removed,   3 added,   0 changed

The full diff-report can be found on Gist

common changes (x86_64):

  • ARCH_HAS_CPU_FINALIZE_INIT: Introduced upstream to clean up cpu initialization and set for x86 CPUs in v5.10.189, v5.15.125, and v6.1.44.
  • CPU_SRSO: Introduced as part of the upstream mitigation for speculative RAS overflow on AMD cpus in v5.10.189, v5.15.125, and v6.1.44
  • GDS_FORCE_MITIGATION: Introduced as part of the upstream mitigation for Gather Data Sampling hardware vulnerability in v5.10.189, v5.15.125, and v6.1.44

5.15 (aarch64):

  • ARM64_ERRATUM_2054223, ARM64_ERRATUM_2067961, ARM64_WORKAROUND_TSB_FLUSH_FAILURE: Introduced upstream to mitigate erratum on some ARM SoCs when flush trace fails in TSB instruction through v5.15.126

6.1: (common):

  • INTEGRITY_SIGNATURE, INTEGRITY_ASYMMETRIC_KEYS, INTEGRITY_PLATFORM_KEYRING, INTEGRITY_TRUSTED_KEYRING, LOAD_UEFI_KEYS, SIGNATURE: Amazon Linux adding support for loading signed modules. This should not be a problem for us.

6.1 (aarch64):

  • AMPERE_ERRATUM_AC03_CPU_38: Introduced upstream to mitigate erratum on AmpereOne where certain translation control registers did not follow the RES0 semantic through v6.1.43

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@foersleo
kernel-5.10: update to 5.10.192
c2d848c 
Rebase to Amazon Linux upstream version 5.10.192-182.736.amzn2.

Drop downstream backports of fixes for CVE-2023-20593 and CVE-2023-20588
as these are now included by the upstream base version.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
kernel-5.10: Cleanup AL downstream patches
e7883c6 
We inherited some unnecessary and confusing patch as part of including
Amazon Linux' latest kernel updates. Clean this up. Details in the patch
itself.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
kernel-5.15: update to 5.15.128
5ef1612 
Rebase to Amazon Linux upstream version 5.15.128-80.144.amzn2.

Drop downstream backports of fixes for CVE-2023-20588
as these are now included by the upstream base version.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
kernel-6.1: update to 6.1.49
5544b6c 
Rebase to Amazon Linux upstream version 6.1.49-69.116.amzn2023.

Drop downstream backports of fixes for CVE-2023-20588
as these are now included by the upstream base version.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
Copy link
Contributor Author

The lookaside cache is getting me again. I am currently uploading the new sources to there and will restart the runs once they are updated.

@foersleo foersleo merged commit 38b1c54 into bottlerocket-os:develop Sep 12, 2023
48 checks passed
@foersleo foersleo deleted the update_2023-09-08 branch September 12, 2023 13:28
@bcressey bcressey mentioned this pull request Sep 14, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bcressey bcressey bcressey approved these changes

@markusboehme markusboehme markusboehme approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@foersleo @bcressey @markusboehme