Import initial dist-git for 6.18.19

[bmastbergen]

This is the initial dist-git import for CLK 6.18

In the case of CLK 6.12, we started with the dist-git from a kernel already released using the kernel-pkg src-git setup, and then iterated on top of that. The PR for that can be seen here: #959

Since we haven't released a CLK 6.18 build yet, I did the following to land at the initial dist-git import in this PR:

• Locally created a kernel-pkg branch (ciq-pkg-6.18.y) based off of the fedora-6.18 branch of kernel-ark. Remember that the ciq-pkg-6.12.y branch of kernel-pkg was based off of the fedora-6.12 branch of kernel-ark.
• Applied all of the same changes to ciq-pkg-6.18.y that we applied to ciq-pkg-6.12.y
• Ran make -C ciq dist-srpm to build an srpm using that branch
• Extracted that srpm to get our initial SOURCES and SPECS
• Added them to ciq-6.18.y branch of kernel-src-tree
• Integrated all of the feedback generated during the CLK 6.12 import process from PR 959

So, the spec for this branch differs from the spec in the ciq-6.12.y branch in the same ways that the spec template differs between the fedora-6.12 and fedora-6.18 branches in kernel-ark. But, the CIQ specific tweaks should be the same.

I have verified that building and installing rpms using this branch works the same as it does for the current ciq-6.12.y branch.

Building looks like this:

mkdir build_files
git clone --branch {bmastbergen}_ciq-6.18.y --depth 1 https://github.com/ctrliq/kernel-src-tree
cd kernel-src-tree
./ciq/SOURCES/generate_tarball.sh
mock -v -r ~/ciq/mock-configs/ciq-kernel-9-x86_64.cfg --resultdir=../build_files --buildsrpm --sources=./ciq/SOURCES --spec=./ciq/SPECS/kernel.spec
mock -v -r ~/ciq/mock-configs/ciq-kernel-9-x86_64.cfg --resultdir=../build_files ../build_files/*.src.rpm

I then uploaded the resulting RPMs to a VM and verified I could install and boot them

[brett@clk-test ~]$ uname -a
Linux clk-test 6.18.19-1.test.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Mar 23 16:06:46 EDT 2026 x86_64 x86_64 x86_64 GNU/Linux

As with that PR, the goal here is to have a starting point for doing CLK 6.18 releases. I am sure there are improvements and cleanups we can do to improve the spec and process going forward. But the goal of this PR is to end up with something that we can build, sign, and release kernels with. So keep that in mind when reviewing.

[PlaidCat]

Could you post for PR summary the clif notes evidence of the build process and testing?

[bmastbergen]

Could you post for PR summary the clif notes evidence of the build process and testing?

Done

[elguero]

Looking good. Noticed some things around the SBAT.

[elguero]

This file is new. I wonder if Claude was trying to help with adding macros here... not seeing this upstream.

Should be:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
kernel.clk,1,CIQ,kernel-core,@KVER,mailto:secureboot@ciq.com

[bmastbergen]

Updated. See if it looks right now. Thanks!

[elguero]

kernel-uki-virt-addons.clk,1,CIQ,kernel-uki-virt-addons,@KVER,mailto:secureboot@ciq.com

The reason for clk is that this is product name. If we ever needed to revoke the cert or put this on the denylist, we can target this specific product build.

[bmastbergen]

Updated. See if it looks right now. Thanks!

[elguero]

kernel-uki-virt.clk,1,CIQ,kernel-uki-virt,@KVER,mailto:secureboot@ciq.com

[bmastbergen]

Updated. See if it looks right now. Thanks!

[PlaidCat]

Test?
Also is there a specific reason we can't make these expanded:?
%define pkgrelease 1.test to %define pkgrelease 1.%{?buildid} ???
Not sure if @jdieter or @skip77 have thoughts on this?

1.1.0.0

do we need the .0.0?? this doesn't seem useful
I would read this as 6.18.19-1.1 so its closer to a normal CentOS like build number?

also these defines are just super sloppy (this isn't a CIQ issue but wow)

should this me more dynamic and less repeated numbers?

[bmastbergen]

ah, good catch on the test. Will fix it to match 6.12 for now.

Most of this stuff is just how I found it in the exploded 6.12 spec, so happy to change it to whatever makes the most sense.

[PlaidCat]

FYI to other reviewers I asked claude to sturctural changes between the 6.12 and 6.18 fedora-ark changes

  Version string inconsistency: buildid is .test and pkgrelease is 1.test, but tarfile_release is 6.18.19-1.1.0.0.el9_clk (still has 1.1.0.0). In 6.12 these were consistent
  (1.1.0.0 everywhere). The RPM will be kernel-6.18.19-1.test.el9 but the source tarball name has 1.1.0.0. Not a build-breaker (Brett confirmed it builds/boots), but worth
  reconciling for production.

  Duplicate %define in toolsonly block: with_selftests 0 and with_vdso_install 0 are each defined twice in the with_toolsonly section. Harmless but sloppy upstream.

  Residual with_ipaclones 0 at spec lines ~310 and ~469 — dead code since ipaclones is entirely removed in 6.18. Minor cleanup.

  Upstream Features New in 6.18 (not CIQ-specific, but noteworthy)

  - rt-64k variant: New kernel-rt-64k and kernel-rt-64k-debug packages (realtime ARM64 64k page-size)
  - riscv64 architecture added to ExclusiveArch
  - YNL (YAML Netlink) tools — new build/install section
  - modules-extra-matched meta-package replaces ipaclones-internal
  - kernel_variant_preun gains --entry-type flag for kernel-install
  - Selftests hugely expanded — ~30 new test categories
  - cpupower Python bindings via swig
  - libcpupower 0.0.1 → 1.0.1
  - initramfs reservation doubled from 20MB to 40MB
  - Config filenames now include specrpmversion
  - Rust now unconditional (+ rustfmt, clippy added)
  - LLVM=1 unconditional with clang (was only for LTO)
  - License gains (GPL-2.0-only OR GFDL-1.2-no-invariants-or-later)
  - Many new BuildRequires (see list in main review above)

  6.12 CIQ Items That Changed Form in 6.18 (by design, not gaps)

  These are things the CIQ-unique agent flagged as 6.12 CIQ customizations that are no longer applicable:

  ┌──────────────────────────────────────┬─────────────────────────────────┬─────────────────────────────────┐
  │            6.12 CIQ Item             │           6.18 Status           │             Reason              │
  ├──────────────────────────────────────┼─────────────────────────────────┼─────────────────────────────────┤
  │ kernel_ipaclones_package             │ Gone → modules-extra-matched    │ Upstream removed ipaclones      │
  ├──────────────────────────────────────┼─────────────────────────────────┼─────────────────────────────────┤
  │ kernel_kvm_package / kernel_kvm_post │ Gone (but macro still invoked!) │ Upstream removed rt-kvm         │
  ├──────────────────────────────────────┼─────────────────────────────────┼─────────────────────────────────┤
  │ Inline SBAT heredocs                 │ → External template files       │ Upstream architecture change    │
  ├──────────────────────────────────────┼─────────────────────────────────┼─────────────────────────────────┤
  │ dracut --uefi UKI build              │ → dracut + ukify build          │ Upstream pipeline change        │
  ├──────────────────────────────────────┼─────────────────────────────────┼─────────────────────────────────┤
  │ Hardcoded kernel- in Provides        │ → %{name}-                      │ Upstream templating improvement │
  ├──────────────────────────────────────┼─────────────────────────────────┼─────────────────────────────────┤
  │ klptestarches for livepatch tests    │ Removed                         │ Upstream removed                │
  ├──────────────────────────────────────┼─────────────────────────────────┼─────────────────────────────────┤
  │ merge.py stub                        │ → Full implementation           │ 6.18 actually uses it           │
  └──────────────────────────────────────┴─────────────────────────────────┴─────────────────────────────────┘

  None of these are gaps — they're expected evolution.

[PlaidCat]

Fedora-ark 6.18 pulled this into a generic ... this will improve our maintenance burden
https://gitlab.com/cki-project/kernel-ark/-/blob/fedora-6.18/redhat/rhel_files/def_variants.yaml.rhel?ref_type=heads#L21-L23

[PlaidCat]

This is also removed in the 6.18 fedora-ark for rhel
https://gitlab.com/cki-project/kernel-ark/-/commit/6f7cd68506a47c7751cf300ad76e0e7941bf98c9

and the KVM package does not exist in the spec we're shipping kernel_kvm_package

[PlaidCat]

There is a potential bug here apparently this modules sysetm here will blacklist any module that has an alias.
These should be dropped ... apparently they will fall through to modules-core now.

https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3712#note_2382602971

https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=241a94abcf465ba9363d93168da5ddd47002930

[PlaidCat]

We define this but it is no longer used because its hardcoded to CLK in the templates

these guys again
https://github.com/ctrliq/kernel-src-tree/pull/1009/changes#diff-1b025d92d4c560a6a79e3dfcd418772c0d2777020a3fe9f3ef33e7a459ee8e6dR2005-R2008

we can likely fix this later too

[elguero]

It is completely up to us. Since we are not building for multiple OSes like Fedora / CentOS / RHEL, we can remove this. Or if we think we will want to re-use this spec for other kernel products we build, we could just add it to the templates. I missed that we were actually setting this on the first pass.

Either way works.

[PlaidCat]

If you drop gating.yaml please make sure to remove it from here as well.

[PlaidCat]

This is a call out we need to go through a rebranding exercise for this and probably ciq-6.12.y

[elguero]

Agreed. Thought of that when I went through the first pass. There are tweaks that can be made to make this truly a CIQ product.

[elguero]

It is completely up to us. Since we are not building for multiple OSes like Fedora / CentOS / RHEL, we can remove this. Or if we think we will want to re-use this spec for other kernel products we build, we could just add it to the templates. I missed that we were actually setting this on the first pass.

Either way works.