kernel-hwe: Introduce kernel-hwe and support files for building 6.12.40.1 (microsoft#13977)

Author: sidchintamaneni

LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md

@@ -2295,6 +2295,7 @@
                 "keda",
                 "keras",
                 "kernel-64k-signed",
+                "kernel-hwe-signed",
                 "kernel-mshv-signed",
                 "kernel-signed",
                 "kernel-uki",
@@ -2809,6 +2810,8 @@
                 "kernel",
                 "kernel-64k",
                 "kernel-headers",
+                "kernel-hwe",
+                "kernel-hwe-headers",
                 "kernel-ipe",
                 "kernel-lpg-innovate",
                 "kernel-mshv",

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -33,7 +33,7 @@
 Summary:        Linux Kernel
 Name:           kernel-ipe
 Version:        6.6.96.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -87,6 +87,7 @@ Conflicts:      kernel
 Conflicts:      kernel-64k
 Conflicts:      kernel-lpg-innovate
 Conflicts:      kernel-rt
+Conflicts:      kernel-hwe
 %{?grub2_configuration_requires}
 # When updating the config files it is important to sanitize them.
 # Steps for updating a config file:
@@ -459,6 +460,10 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Fri Aug 22 2025 Siddharth Chintamaneni <[email protected]> - 6.6.96.2-2
+- Added kernel-hwe as conflict.
+- Bump release to match kernel
+
 * Fri Aug 15 2025 CBL-Mariner Servicing Account <[email protected]> - 6.6.96.2-1
 - Auto-upgrade to 6.6.96.2
 

SPECS-EXTENDED/kernel-ipe/kernel-ipe.spec

@@ -29,7 +29,7 @@
 Summary:        Linux Kernel
 Name:           kernel-lpg-innovate
 Version:        6.6.89.2
-Release:        1002%{?dist}
+Release:        1003%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -80,6 +80,7 @@ Conflicts:      kernel
 Conflicts:      kernel-64k
 Conflicts:      kernel-ipe
 Conflicts:      kernel-rt
+Conflicts:      kernel-hwe
 %{?grub2_configuration_requires}
 # When updating the config files it is important to sanitize them.
 # Steps for updating a config file:
@@ -469,6 +470,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Fri Aug 22 2025 Siddharth Chintamaneni <[email protected]> - 6.6.89.2-1003
+- Introducing kernel-hwe
+
 * Wed 11 Jun 2025 Harshit Gupta <[email protected]> - 6.6.89.2-1002
 - Add Conflicts with other kernels
 - Rename bpftool and python3-perf to be kernel specific

SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.spec

@@ -25,7 +25,7 @@
 Summary:        Realtime Linux Kernel
 Name:           kernel-rt
 Version:        6.6.85.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -80,6 +80,7 @@ Conflicts:      kernel
 Conflicts:      kernel-64k
 Conflicts:      kernel-ipe
 Conflicts:      kernel-lpg-innovate
+Conflicts:      kernel-hwe
 ExclusiveArch:  x86_64
 # When updating the config files it is important to sanitize them.
 # Steps for updating a config file:
@@ -425,6 +426,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Fri Aug 22 2025 Siddharth Chintamaneni <[email protected]> - 6.6.85.1-3
+- Introducing kernel-hwe
+
 * Tue Jun 10 2025 Harshit Gupta <[email protected]> - 6.6.85.1-2
 - Rename bpftool and python3-perf to be kernel specific
 

SPECS-EXTENDED/kernel-rt/kernel-rt.spec

@@ -7,7 +7,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-64k-signed-%{buildarch}
 Version:        6.6.96.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -105,6 +105,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Fri Aug 22 2025 Siddharth Chintamaneni <[email protected]> - 6.6.96.2-2
+- Bump release to match kernel
+
 * Fri Aug 15 2025 CBL-Mariner Servicing Account <[email protected]> - 6.6.96.2-1
 - Auto-upgrade to 6.6.96.2
 

SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec

@@ -0,0 +1,101 @@
+%global debug_package %{nil}
+%global buildarch aarch64
+%define uname_r %{version}-%{release}
+Summary:        Signed Linux Kernel for %{buildarch} systems
+Name:           kernel-hwe-signed-%{buildarch}
+Version:        6.12.40.1
+Release:        1%{?dist}
+License:        GPLv2
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+Group:          System Environment/Kernel
+URL:            https://github.com/microsoft/CBL-Mariner-Linux-Kernel
+# This package's "version" and "release" must reflect the unsigned version that
+# was signed.
+# An important consequence is that when making a change to this package, the
+# unsigned version/release must be increased to keep the two versions consistent.
+# Ideally though, this spec will not change much or at all, so the version will
+# just track the unsigned package's version/release.
+#
+# To populate these sources:
+#   1. Build the unsigned packages as normal
+#   2. Sign the desired binary
+#   3. Place the unsigned package and signed binary in this spec's folder
+#   4. Build this spec
+Source0:        kernel-hwe-%{version}-%{release}.%{buildarch}.rpm
+Source1:        vmlinuz-%{uname_r}
+ExclusiveArch:  aarch64
+BuildRequires:  cpio
+BuildRequires:  grub2-rpm-macros
+BuildRequires:  openssl
+BuildRequires:  sed
+%{?grub2_configuration_requires}
+
+%description
+This package contains the Linux kernel package with kernel signed with the production key
+
+%package -n     kernel-hwe
+Summary:        Linux Kernel
+Group:          System Environment/Kernel
+Requires:       filesystem
+Requires:       kmod
+Requires(post): coreutils
+Requires(postun): coreutils
+
+%description -n kernel-hwe
+The kernel package contains the signed Linux kernel.
+
+%prep
+
+%build
+mkdir rpm_contents
+pushd rpm_contents
+
+# This spec's whole purpose is to inject the signed kernel binary
+rpm2cpio %{SOURCE0} | cpio -idmv
+cp %{SOURCE1} ./boot/vmlinuz-%{uname_r}
+
+popd
+
+%install
+pushd rpm_contents
+
+# Don't use * wildcard. It does not copy over hidden files in the root folder...
+cp -rp ./. %{buildroot}/
+
+popd
+
+%triggerin -n kernel-hwe -- initramfs
+mkdir -p %{_localstatedir}/lib/rpm-state/initramfs/pending
+touch %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r}
+echo "initrd generation of kernel %{uname_r} will be triggered later" >&2
+
+%triggerun -n kernel-hwe -- initramfs
+rm -rf %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r}
+rm -rf /boot/initramfs-%{uname_r}.img
+echo "initrd of kernel %{uname_r} removed" >&2
+
+%postun -n kernel-hwe
+%grub2_postun
+
+%post -n kernel-hwe
+/sbin/depmod -a %{uname_r}
+%grub2_post
+
+%files -n kernel-hwe
+%defattr(-,root,root)
+%license COPYING
+/boot/System.map-%{uname_r}
+/boot/config-%{uname_r}
+/boot/vmlinuz-%{uname_r}
+%defattr(0644,root,root)
+/lib/modules/%{uname_r}/*
+%exclude /lib/modules/%{uname_r}/build
+%exclude /lib/modules/%{uname_r}/kernel/drivers/gpu
+%exclude /lib/modules/%{uname_r}/kernel/sound
+%exclude /module_info.ld
+
+%changelog
+* Fri Aug 15 2025 Siddharth Chintamaneni <[email protected]> - 6.12.40.1-1
+- Original version for Azure Linux
+- License verified

SPECS-SIGNED/kernel-hwe-signed/kernel-hwe-signed.spec

@@ -10,7 +10,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
 Version:        6.6.96.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Fri Aug 22 2025 Siddharth Chintamaneni <[email protected]> - 6.6.96.2-2
+- Bump release to match kernel
+
 * Fri Aug 15 2025 CBL-Mariner Servicing Account <[email protected]> - 6.6.96.2-1
 - Auto-upgrade to 6.6.96.2
 

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -6,7 +6,7 @@
 Summary:        Signed Unified Kernel Image for %{buildarch} systems
 Name:           kernel-uki-signed-%{buildarch}
 Version:        6.6.96.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -68,6 +68,9 @@ popd
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Fri Aug 22 2025 Siddharth Chintamaneni <[email protected]> - 6.6.96.2-2
+- Bump release to match kernel
+
 * Fri Aug 15 2025 CBL-Mariner Servicing Account <[email protected]> - 6.6.96.2-1
 - Auto-upgrade to 6.6.96.2
 

SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec

@@ -27,7 +27,7 @@
 Summary:        Linux Kernel
 Name:           kernel-64k
 Version:        6.6.96.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -76,6 +76,7 @@ Conflicts:      kernel
 Conflicts:      kernel-ipe
 Conflicts:      kernel-lpg-innovate
 Conflicts:      kernel-rt
+Conflicts:      kernel-hwe
 %{?grub2_configuration_requires}
 # When updating the config files it is important to sanitize them.
 # Steps for updating a config file:
@@ -379,6 +380,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Fri Aug 22 2025 Siddharth Chintamaneni <[email protected]> - 6.6.96.2-2
+- Bump release to match kernel
+
 * Fri Aug 15 2025 CBL-Mariner Servicing Account <[email protected]> - 6.6.96.2-1
 - Auto-upgrade to 6.6.96.2