Merge branch 'main' into feature/enable-rockchip-in-kernel

build_image

@@ -177,7 +177,8 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then
   if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then
     extract_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
   fi
-  if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then
+  # TODO: Un-nobble this later when we have passed the shim review.
+  if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then # && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
     generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
   fi
   if [[ "${PROD_TAR}" -eq 1 ]]; then

build_library/build_image_util.sh

@@ -79,7 +79,9 @@ generate_update() {
   local devkey="/usr/share/update_engine/update-payload-key.key.pem"
 
   # Extract the partition if it isn't extracted already.
-  [[ -s ${update} ]] || extract_update "${image_name}" "${disk_layout}"
+  [[ -s ${update} ]] ||
+    "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
+      extract "${BUILD_DIR}/${image_name}" "USR-A" "${update}"
 
   echo "Generating update payload, signed with a dev key"
   delta_generator \

changelog/updates/2024-12-28-linux-6.6.68-update.md

@@ -0,0 +1 @@
+- Linux ([6.6.68](https://lwn.net/Articles/1003609))

changelog/updates/2025-01-03-linux-6.6.69-update.md

@@ -0,0 +1 @@
+- Linux ([6.6.69](https://lwn.net/Articles/1003986))

ci-automation/sbsign_image.sh

@@ -82,14 +82,17 @@ function _sbsign_image_impl() {
     local sdk_image="$(docker_image_fullname "${sdk_name}" "${docker_sdk_vernum}")"
     echo "docker image rm -f '${sdk_image}'" >> ./ci-cleanup.sh
 
-    ./run_sdk_container -x ./ci-cleanup.sh -v "${FLATCAR_VERSION}" -U -C "${sdk_image}" \
+    local docker_vernum="$(vernum_to_docker_image_version "${FLATCAR_VERSION}")"
+    local sbsign_container="flatcar-sbsign-image-${arch}-${docker_vernum}"
+    ./run_sdk_container -x ./ci-cleanup.sh -n "${sbsign_container}" -v "${FLATCAR_VERSION}" -U -C "${sdk_image}" \
         ./sbsign_image --board="${arch}-usr" \
                        --group="${channel}" --version="${FLATCAR_VERSION}" \
                        --output_root="${CONTAINER_IMAGE_ROOT}" \
                        --only_store_compressed
 
     # Delete uncompressed generic image before signing and upload
-    rm "${images_local}/flatcar_production_image.bin"
+    # Also delete update image because it will be unchanged
+    rm "${images_local}"/flatcar_production_{image,update}.bin
     create_digests "${SIGNER}" "${images_local}"/*
     sign_artifacts "${SIGNER}" "${images_local}"/*
     copy_to_buildcache "${images_remote}"/ "${images_local}"/*

run_sdk_container

@@ -22,7 +22,7 @@ mounts=()
 
 usage() {
     echo "  Usage:"
-    echo "  $0 [-t] [-v <version>] [-V <SDK version>] [-a <amd64|arm64|all>] [-n <name> ] [-x <script>] [-C <custom-container>] [--rm] [-U] [-m <src>:<dest>] [<container-command>]"
+    echo "  $0 [-t] [-v <version>] [-V <SDK version>] [-a <amd64|arm64|all>] [-n <name> ] [-x <script>] [-C <custom-container>] [--rm] [-U] [-m <src>:<dest>] [--] [<container-command>]"
     echo "       Start an SDK container of a given SDK release version."
     echo "       This will create the container if it does not exist, otherwise start the existing container."
     echo "       If the container is already running then it will exec into the container."
@@ -49,6 +49,7 @@ usage() {
     echo "      -U             Do not update the versionfile. Instead, use the version from the versionfile as-is."
     echo "      -m <src>:<dest> - Mount local file or directory inside the container."
     echo "                     Can be specified multiple times."
+    echo "      --             Stop parsing options at this point, pass the rest as the container command."
     echo "      -h             Print this help."
     echo
 }
@@ -72,6 +73,8 @@ while [[ $# -gt 0 ]] ; do
         update_versionfile=
         shift;;
     -m) mounts+=( -v "$2" ); shift; shift;;
+    --) shift; break;;
+    -*) echo "Unknown flag ${1@Q}, use '-h' or '--help' for usage"; exit 1;;
     *) break;;
     esac
 done

sbsign_image

@@ -61,8 +61,11 @@ switch_to_strict_mode
 # Create the output directory and temporary mount points.
 mkdir -p "${BUILD_DIR}"
 
+DISK_LAYOUT="${FLAGS_disk_layout:-base}"
+
 fix_mtab
-sbsign_prod_image "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${FLAGS_disk_layout:-base}"
+sbsign_prod_image "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
+generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
 
 echo "Done. ${FLATCAR_PRODUCTION_IMAGE_NAME} and associated files are now signed for Secure Boot in ${BUILD_DIR}."
 command_completed

sdk_container/.repo/manifests/mantle-container

@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-af7d6c16f4c5b22f309daefbed1eae968e9d2f67
+ghcr.io/flatcar/mantle:git-08b9b0ea99d42185e08ed881cdf6479d6f423b0f

sdk_container/.repo/manifests/version.txt

@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4200.0.0+nightly-20251230-2100
-FLATCAR_VERSION_ID=4200.0.0
-FLATCAR_BUILD_ID="nightly-20251230-2100"
-FLATCAR_SDK_VERSION=4200.0.0+nightly-20251230-2100
+FLATCAR_VERSION=4211.0.0+nightly-20250110-2100
+FLATCAR_VERSION_ID=4211.0.0
+FLATCAR_BUILD_ID="nightly-20250110-2100"
+FLATCAR_SDK_VERSION=4211.0.0+nightly-20250110-2100

sdk_container/src/third_party/coreos-overlay/app-admin/locksmith/locksmith-9999.ebuild

@@ -9,7 +9,7 @@ inherit git-r3 systemd coreos-go
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm64"
 else
-	EGIT_COMMIT="439d44f24b24f679d08f309399f6bb2f82614637" # flatcar-master
+	EGIT_COMMIT="ee644fc60a32af5fbc4e83c64fcc7ca0eadb9e3f" # flatcar-master
 	KEYWORDS="amd64 arm64"
 fi
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest

@@ -1 +1,2 @@
-DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548
+DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548
+

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest

@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 591718 BLAKE2B cd53ee1575b57b03315f3e2b15f89a06fbc6711259ee7a82e1ca6f8970d8fdd183ea1f95f313b15f9f7f905c2c8641fa9ae9f0d8a12e8fedc6851ee3f7c15bbd SHA512 1cf337d112115a521c08a9fa208a2c60a1ef9651426b5a20b7ff05709eda7e21b384c627f1dedd2abb84476daf5fadea280b479585390abd903daec89814b24f
-TIMESTAMP 2024-12-01T06:40:23Z
+MANIFEST Manifest.files.gz 594915 BLAKE2B 220d9175cb1796cb5045abb4a1dd895efa478aa604a6eb3dde800553a73ce6b12ecf630b6574e1fc834659bac119417be17231464d8355e60ed5ed18f51b8044 SHA512 db425e75cb49a2ea05358c8e7f4e366d86628930a1e26279cb8287fe250565842ac004358a56986eb2aa4342ed7217cf30c8f78d97a02ed24483cca80fd1b2eb
+TIMESTAMP 2025-01-01T06:40:41Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmdMBNdfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmd042lfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klANZw/+KSWqV2sDOVWslomj90wmI4kWrUE4ZC46YZtvjGz4Faf9D8i9RzkuV9nB
-Lt6HhwNbrTFYYyFv0wAYLBUbNzQUDKl0KwOXs7SjRD+hV2lNRakA/dM1FbHsN0wF
-qUd+S3Slmis3NGaIQ5UstxqdG5wjZ04q6BnjdrA5Yaqxj+S8bS04D3HUr5jhKU8A
-vR9e7h6fkiABZW52mXVcBvqkSTmqrZcxGss3LpTiWU1VDcbFoVXcjsNQKYUEj9dt
-IgWaVX/LwVj3yPSI2TPF2PO8lenyiroADclFwXPHHyuDm6qxXb0v0nie3h4PuG5O
-yFVWmpLPkgdO2oCnJhh1W2sh+vu5iV4xnfoxT5U0BMp24s2wt2oKzPieJUhslk4s
-lINvCPAVF8VFwgvop3rdwvwQWE7yZCAZuKxD0Y6m8WORExR/MB33Qmc0gm7b6ksC
-yFG7AjN6y0qUd2yL1vpl9lvy4Rv0izZnVmuhd0+Jsq/8lgzY8+oiiZMzTxEc8Y/e
-8BcxWkB64/Sta0U+GYEYypxS2nPtPAb7BvPu1f2dyBEqO+vDRN5M+0LuhfucKDTo
-fuNw7Ri6zyv4thIvUJI7f54AHcGvAGmxQ+ObXHoHrBHtKacSXG6VF/P48rAwX165
-WblhbkW1T4kqLrUiFl/pt9BHP2zCXFkphVMrw4GJyp6KquSqfFA=
-=l52K
+klBoyg//VQm7GsyyuffSjKJO3H/YJF558ygX0IxnZPwgQweC9ERRd3NlONm2mlph
+TzmZhAC+PnRGN+QTZh3M/kNuxPytaf6bg9vSNs2v221CHcSqErbzbMAiDO8ZRPoj
+ToTfCC1jH2AoEAAmCWd120MK7nA1dzKx0DSvWhuTv02ssdS9Plj+SJ0SY6stjE3w
+vfyYTvVjsz90UppvVl9zdKPQa5st2ojC9/tJxCFEjTxV1ubGJDI/7TdArgyTTSDg
+rx4Bbc5su4ANjXbYHofhar2X0/YYF6l/bglDMhCJIn8OwOyzWqXufgrmhmnCrCgt
+V6FLxXqWimOmIiIL1YUwUgc3p0JYNuYAwGt5I6Tf/gX2h/4aHOxUvgDdvRf+hoUl
+9USr4sw5qovn+pFdDNwYrZ2+Uat83IYET85Mnlc8sqf3wH8I17lPKOzLtcgtkRND
+i062wD9kU6gCen6fM80vuW4k40UphiAkrLhy8nMaWjBBVbRdXpGddGdOuPk0yX+b
+g+qjOXnkY/rZPek+u0lpS1MPU661IFJgXQs9wFaV9++VXpcpVCyFoyUNhhaIxEH9
+KEQwa8bz2DkoBCeJMYjH3xigcXMavQ9KTrRqkl2lUk1tLf/dBwY3d7Ao8rpCkirO
+AF2w3sJ5hbD7PXm4OEDG3EYt1uQftsnV/UcNB26SVu8UT1tfmR0=
+=IQdp
 -----END PGP SIGNATURE-----

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-01.xml

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202412-01">
+    <title>R: Arbitrary Code Execution</title>
+    <synopsis>A vulnerability has been discovered in R, which can lead to arbitrary code execution.</synopsis>
+    <product type="ebuild">R</product>
+    <announced>2024-12-07</announced>
+    <revised count="1">2024-12-07</revised>
+    <bug>930936</bug>
+    <access>local</access>
+    <affected>
+        <package name="dev-lang/R" auto="yes" arch="*">
+            <unaffected range="ge">4.4.1</unaffected>
+            <vulnerable range="lt">4.4.1</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>R is a language and environment for statistical computing and graphics.</p>
+    </background>
+    <description>
+        <p>Deserialization of untrusted data can occur in the R statistical programming language, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.</p>
+    </description>
+    <impact type="high">
+        <p>Arbitrary code may be run when deserializing untrusted data.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All R users should upgrade to the latest version:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=dev-lang/R-4.4.1"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-27322">CVE-2024-27322</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-12-07T08:53:34.596478Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-12-07T08:53:34.602412Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-02.xml

@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202412-02">
+    <title>Cacti: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation.</synopsis>
+    <product type="ebuild">cacti</product>
+    <announced>2024-12-07</announced>
+    <revised count="1">2024-12-07</revised>
+    <bug>823788</bug>
+    <bug>834597</bug>
+    <bug>884799</bug>
+    <access>remote</access>
+    <affected>
+        <package name="net-analyzer/cacti" auto="yes" arch="*">
+            <unaffected range="ge">1.2.26</unaffected>
+            <vulnerable range="lt">1.2.26</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Cacti is a web-based network graphing and reporting tool.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in Cacti. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Cacti users should upgrade to the latest version:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-1.2.26"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14424">CVE-2020-14424</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0730">CVE-2022-0730</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46169">CVE-2022-46169</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-48547">CVE-2022-48547</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30534">CVE-2023-30534</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-31132">CVE-2023-31132</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39357">CVE-2023-39357</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39358">CVE-2023-39358</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39359">CVE-2023-39359</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39360">CVE-2023-39360</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39361">CVE-2023-39361</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39362">CVE-2023-39362</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39365">CVE-2023-39365</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39510">CVE-2023-39510</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39511">CVE-2023-39511</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39512">CVE-2023-39512</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39513">CVE-2023-39513</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39514">CVE-2023-39514</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39515">CVE-2023-39515</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39516">CVE-2023-39516</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-12-07T08:56:20.459772Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-12-07T08:56:20.462893Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-03.xml

@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202412-03">
+    <title>Asterisk: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation.</synopsis>
+    <product type="ebuild">asterisk</product>
+    <announced>2024-12-07</announced>
+    <revised count="1">2024-12-07</revised>
+    <bug>771318</bug>
+    <bug>803440</bug>
+    <bug>838391</bug>
+    <bug>884797</bug>
+    <bug>920026</bug>
+    <bug>937844</bug>
+    <bug>939159</bug>
+    <access>remote</access>
+    <affected>
+        <package name="net-misc/asterisk" auto="yes" arch="*">
+            <unaffected range="ge">18.24.3</unaffected>
+            <vulnerable range="lt">18.24.3</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Asterisk is an open source telephony engine and toolkit.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in Asterisk. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Asterisk users should upgrade to the latest version:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=net-misc/asterisk-18.24.3"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35776">CVE-2020-35776</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-26712">CVE-2021-26712</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-26713">CVE-2021-26713</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-26714">CVE-2021-26714</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-26717">CVE-2021-26717</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-26906">CVE-2021-26906</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31878">CVE-2021-31878</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32558">CVE-2021-32558</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26498">CVE-2022-26498</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26499">CVE-2022-26499</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26651">CVE-2022-26651</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-37325">CVE-2022-37325</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42705">CVE-2022-42705</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42706">CVE-2022-42706</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37457">CVE-2023-37457</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49294">CVE-2023-49294</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49786">CVE-2023-49786</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-12-07T08:58:41.628301Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-12-07T08:58:41.632180Z">graaff</metadata>
+</glsa>