Hi,
With the recent CVE-2016-0728, I was quickly having a look at updating the different kernels we ship through the official images. Actually we only have two kernels:
- what I'd call the "generic" one (that can be used on multiple boards directly, and following the Fedora upstream kernel)
- the raspberrypi2 variant (built from sources located at https://github.com/raspberrypi/linux)
I've built (and tested those locally myself) the following updated kernels (including patches for CVE-2016-0728):
- kernel-4.3.3-200.el7.armv7hl.rpm (updating kernel-4.2.3-200.el7.armv7hl.rpm)
- raspberrypi2-kernel-4.1.16-v7+.1.20160125gitab2b2e0.el7.armv7hl.rpm (for rpi2, obviously, updating raspberrypi2-kernel-4.1.11-v7+.1.20151021git4047fe2.el7.armv7hl.rpm)
One important thing is that actually we still lack an automatic update process, something I'd like to work on (with you?) in the following days/weeks. But you can already test the updated/unsigned kernels (feedback wanted!):
- create the /etc/yum.repos.d/ .repo file pointing to corresponding repo, depending on your board:
  - http://dev.centos.org/centos/7/kernel/armhfp/kernel-generic/
  - http://dev.centos.org/centos/7/kernel/armhfp/kernel-rpi2/

  as an example, here is how it would look like:

    [kernel-generic]
    name=armhfp kernel generic
    baseurl=http://dev.centos.org/centos/7/kernel/armhfp/kernel-generic/
    gpgcheck=0
    enabled=1

  or

    [kernel-rpi2]
    name=armhfp rpi2 kernel
    baseurl=http://dev.centos.org/centos/7/kernel/armhfp/kernel-rpi2/
    gpgcheck=0
    enabled=1

- now "yum clean all ; yum update"

- as the current call to "/bin/kernel-install add" (from systemd shipped with CentOS 7) doesn't cover - in the whole chain - armhfp, one then needs to build the initramfs + modify boot config

  rpi2:
  - dracut /boot/initramfs-4.1.16-v7+.1.20160125gitab2b2e0.el7.img 4.1.16-v7+.1.20160125gitab2b2e0.el7
  - systemctl reboot

  generic:
  - dracut /boot/initramfs-4.3.3-200.el7.armv7hl.img 4.3.3-200.el7.armv7hl
  - edit /boot/extlinux.conf to modify the kernel/initrd
  - systemctl reboot

Thanks for the testers, and after we can edit the wiki page, and start working on a script that would automate all that.
Cheers,
--
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
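
Added example, not part of the original mail and not a CentOS script: one way to derive the manual dracut step shown above, by listing every kernel version under the modules directory that has no matching initramfs image. It assumes the directory names under /lib/modules are the version strings dracut expects; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# missing_initramfs MODULES_DIR BOOT_DIR
# Prints one kernel version per line for every directory under MODULES_DIR
# that has no BOOT_DIR/initramfs-<version>.img next to it.
missing_initramfs() {
    modules_dir=$1
    boot_dir=$2
    for dir in "$modules_dir"/*/; do
        [ -d "$dir" ] || continue      # glob matched nothing
        kver=$(basename "$dir")
        [ -e "$boot_dir/initramfs-$kver.img" ] || printf '%s\n' "$kver"
    done
}

# dracut_commands MODULES_DIR BOOT_DIR
# Prints (does not run) the dracut call for each kernel found above, in the
# same form as the commands in the mail, so they can be reviewed first.
dracut_commands() {
    missing_initramfs "$1" "$2" | while IFS= read -r kver; do
        printf 'dracut %s/initramfs-%s.img %s\n' "$2" "$kver" "$kver"
    done
}

# Constructed demo tree: the old generic kernel already has an initramfs,
# the updated one does not, so only the updated one is reported.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/lib/modules/4.2.3-200.el7.armv7hl" \
             "$root/lib/modules/4.3.3-200.el7.armv7hl" "$root/boot"
    : > "$root/boot/initramfs-4.2.3-200.el7.armv7hl.img"
    dracut_commands "$root/lib/modules" "$root/boot"
    rm -rf "$root"
}

demo
```

On a real board the call would be `dracut_commands /lib/modules /boot`; for the generic kernel, /boot/extlinux.conf still has to be edited by hand afterwards, as described in the mail.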