kernel: correct stale config_aarch64 source signature#17370
Copilot wants to merge 9 commits into
The x86_64 kernel config has had CONFIG_RDS disabled since 5.4.23-11 (May 2020), but the aarch64 config retained CONFIG_RDS=m, CONFIG_RDS_TCP=m, and CONFIG_RDS_RDMA=m. This was an oversight in the original change which predated full aarch64 support in CBL-Mariner, and has persisted across every kernel rebase since. Align aarch64 with x86_64.

RDS (Oracle Reliable Datagram Sockets) has no expected use in Azure Linux guest workloads, and recent CVEs in the RDS zerocopy send path (e.g. PinTheft LPE disclosed 2026-05-19) reinforce that the protocol should not be reachable on hosts that don't need it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: dethoma <11412958+dethoma@users.noreply.github.com>

Agent-Logs-Url: https://github.com/microsoft/azurelinux/sessions/3248fcc9-0a83-4171-ab2c-16d383ac50e4
Co-authored-by: dethoma <11412958+dethoma@users.noreply.github.com>
Extend the RDS disable from the base kernel spec to the three other aarch64 kernel variants that retained CONFIG_RDS=m: kernel-64k (large-page ARM kernel), kernel-hwe (hardware-enablement kernel), and kernel-mshv (Microsoft Hypervisor root kernel). Their x86_64 configs all had RDS already disabled (except kernel-64k which is aarch64-only); this is the same 6-year-old config divergence reflected across the kernel family.

Mitigates exposure to RDS-specific LPEs such as PinTheft (oss-security 2026/05/19) on every Azure Linux 3.0 aarch64 kernel variant.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: dethoma <11412958+dethoma@users.noreply.github.com>
…lement

Same entanglement-rule satisfaction commit Copilot did for the kernel/kernel-uki/kernel-64k/kernel-headers/*-signed family, but for the kernel-hwe and kernel-mshv variants whose siblings I missed when I bumped just the base spec releases.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: dethoma <11412958+dethoma@users.noreply.github.com>
…kernel-hwe
The CVE fix in this PR (CONFIG_RDS disable on aarch64) trips
check-kernel-configs because it modifies kernel-64k/config_aarch64
and kernel-hwe/config_aarch64. That checker re-validates the WHOLE
config against azl3-os-required-kernel-configs.json on any change,
not just the diff, so it surfaces 11 pre-existing drifts that have
nothing to do with RDS:
kernel-64k:
CONFIG_IKCONFIG_PROC
kernel-hwe:
CONFIG_IKCONFIG_PROC, CONFIG_IP_VS_DEBUG,
CONFIG_NETFILTER_XT_TARGET_NOTRACK, CONFIG_NFT_DUP_NETDEV,
CONFIG_NFT_FWD_NETDEV, CONFIG_NFT_REJECT_NETDEV,
CONFIG_NF_CT_NETLINK_HELPER, CONFIG_NF_DUP_NETDEV,
CONFIG_SENSORS_MLXREG_FAN, CONFIG_VIRTIO_CONSOLE
Document each as an explicit override matching the value already
present in the spec config_aarch64. Justification cites this PR and
notes the drift is pre-existing so it can be investigated and either
ratified or fixed by the kernel-64k/kernel-hwe owners in a follow-up.
This unblocks the security fix without us silently changing 11
unrelated configs.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: dethoma <11412958+dethoma@users.noreply.github.com>
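The whole-config validation the commit above describes, modelled as an added example (this is not Azure Linux's check-kernel-configs script): the JSON layout, the option values and the override map are constructed for illustration, and kernel-hwe is deliberately given overrides for only two of its listed drifts so that one still surfaces.

```python
import json
import re

# Constructed excerpt of a config_aarch64 after the RDS change (not the real file).
CONFIG_AARCH64 = """\
CONFIG_IKCONFIG_PROC=y
# CONFIG_RDS is not set
CONFIG_VIRTIO_CONSOLE=y
CONFIG_NFT_DUP_NETDEV=m
"""
# Constructed required-configs document modelled on the commit message: one
# required value per option plus per-spec overrides that carry a justification.
REQUIRED_CONFIGS = json.loads("""{
  "required": {"CONFIG_IKCONFIG_PROC": "n", "CONFIG_RDS": "n",
               "CONFIG_VIRTIO_CONSOLE": "m", "CONFIG_NFT_DUP_NETDEV": "y"},
  "overrides": {"kernel-hwe": {
    "CONFIG_VIRTIO_CONSOLE": {"value": "y", "justification": "pre-existing drift, see PR"},
    "CONFIG_NFT_DUP_NETDEV": {"value": "m", "justification": "pre-existing drift, see PR"}}}
}""")

LINE_RE = re.compile(r"^(?:(CONFIG_\w+)=(.+)|# (CONFIG_\w+) is not set)$")

def parse_config(text):
    """Map option -> value; a '# CONFIG_X is not set' line is recorded as 'n'."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1):
            values[m.group(1)] = m.group(2).strip('"')
        elif m:
            values[m.group(3)] = "n"
    return values

def check_config(spec, config_text, required=REQUIRED_CONFIGS):
    """Whole-config check: every required option is compared with the config,
    not only the options a diff touched. Returns sorted (option, expected, actual)."""
    actual = parse_config(config_text)
    overrides = required.get("overrides", {}).get(spec, {})
    drifts = []
    for opt, want in required["required"].items():
        if opt in overrides:             # a documented override replaces the default
            want = overrides[opt]["value"]
        have = actual.get(opt, "n")      # an option absent from the config is 'not set'
        if have != want:
            drifts.append((opt, want, have))
    return sorted(drifts)

if __name__ == "__main__":
    print(check_config("kernel-64k", CONFIG_AARCH64))   # three pre-existing drifts
    print(check_config("kernel-hwe", CONFIG_AARCH64))   # one left after the overrides
```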
Match the kernel-headers Release: 1->2 bump that Copilot's entanglement-fix commit (6f147b7) applied to SPECS/kernel-headers. The toolchain and pkggen_core manifests pin exact RPM filenames and must track release bumps in kernel-headers (and its cross variant on x86_64).

Affected manifests:
toolkit/resources/manifests/package/pkggen_core_aarch64.txt
toolkit/resources/manifests/package/pkggen_core_x86_64.txt
toolkit/resources/manifests/package/toolchain_aarch64.txt
toolkit/resources/manifests/package/toolchain_x86_64.txt

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: dethoma <11412958+dethoma@users.noreply.github.com>
…IO_CONSOLE

I had two override values inverted in commit a39c466. kernel-hwe's actual config_aarch64 has:

CONFIG_NFT_DUP_NETDEV=m (I had set the override to 'y')
CONFIG_VIRTIO_CONSOLE=y (I had set the override to 'm')

Correct both to match the actual config.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: dethoma <11412958+dethoma@users.noreply.github.com>

Agent-Logs-Url: https://github.com/microsoft/azurelinux/sessions/4644267a-b248-4420-8f4c-27dc97dd899b
Co-authored-by: dethoma <11412958+dethoma@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Fix failing GitHub Actions job 'Source Signature Check (SPECS)'" to "kernel: correct stale config_aarch64 source signature" on May 20, 2026.
Summary
GitHub Actions job Source Signature Check (SPECS) failed because SPECS/kernel/kernel.signatures.json carried a stale SHA256 for SPECS/kernel/config_aarch64. This updates the recorded source signature to match the checked-in kernel config used by the PR.

Change Log
26135884499, job 76870875247: SPECS/kernel/config_aarch64 hash did not match the value recorded in SPECS/kernel/kernel.signatures.json.
config_aarch64 entry in SPECS/kernel/kernel.signatures.json; no spec content or package payload changes.
input-srpms/ Source Signature Check.

{ "Signatures": { "config_aarch64": "423d1dc2a276d717d7ad81712e79b4596ca1bceebb6ba2c7eed7ea8f591f1b7e" } }

Does this affect the toolchain?
NO
Associated issues
None.
Links to CVEs
None.
Test Methodology
26135884499 / job 76870875247.
SPECS/kernel/config_aarch64 SHA256 now matches SPECS/kernel/kernel.signatures.json.

Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
mariner3dailydevrepo.blob.core.windows.net: /usr/bin/wget wget -O lkg-3.0-dev.json -nv REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
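The source-signature check this PR fixes, written out as an added example (not Azure Linux's own Source Signature Check tooling): it compares the SHA256 recorded for each source in a signatures document with the source's current content, reports stale, missing and orphaned entries, and produces the refreshed document. The config contents and the signatures map below are constructed; the real config_aarch64 and the hash quoted in the Change Log are not reproduced.

```python
import hashlib
import json

# Constructed stand-ins for SPECS/kernel/config_aarch64 before and after the
# RDS edit; the real file and the hash quoted in the PR are not reproduced here.
CONFIG_BEFORE = b"CONFIG_RDS=m\nCONFIG_RDS_TCP=m\nCONFIG_RDS_RDMA=m\n"
CONFIG_AFTER = b"# CONFIG_RDS is not set\n# CONFIG_RDS_TCP is not set\n"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed kernel.signatures.json content recorded against the *old* config,
# which is exactly the stale state the Source Signature Check rejected.
STALE_SIGNATURES = {"Signatures": {"config_aarch64": sha256_hex(CONFIG_BEFORE),
                                   "orphaned_source": "0" * 64}}

def check_signatures(signatures: dict, sources: dict) -> dict:
    """Compare recorded SHA256 values with the sources' actual content.
    sources maps source name -> bytes. Returns a problem map: stale entries as
    (recorded, actual), missing entries as (None, actual) and entries with no
    source as (recorded, None). An empty dict means the check passes."""
    recorded = signatures.get("Signatures", {})
    problems = {}
    for name, data in sources.items():
        actual = sha256_hex(data)
        if recorded.get(name) != actual:
            problems[name] = (recorded.get(name), actual)
    for name in recorded.keys() - sources.keys():
        problems[name] = (recorded[name], None)
    return problems

def refresh_signatures(signatures: dict, sources: dict) -> dict:
    """Return a copy of the document with every source hash brought current and
    orphaned entries dropped; keys are sorted so the resulting diff is stable."""
    updated = json.loads(json.dumps(signatures))      # deep copy, keep other keys
    updated["Signatures"] = {name: sha256_hex(data) for name, data in sorted(sources.items())}
    return updated

if __name__ == "__main__":
    sources = {"config_aarch64": CONFIG_AFTER}
    print(check_signatures(STALE_SIGNATURES, sources))          # stale entry + orphan
    fixed = refresh_signatures(STALE_SIGNATURES, sources)
    print(json.dumps(fixed, indent=2), check_signatures(fixed, sources))  # passes: {}
```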