kernel: enable xfrm_interface (#15463)

rlmenge · web-flow · commit 5e5723deb98c · 2026-01-16T15:43:32.000-08:00
This PR enables Linux XFRM interfaces to allow creating xfrmN devices for IPsec policy routing and namespace/VRF separation. It turns on CONFIG_XFRM_INTERFACE in the kernel config (module autoloads on use). No behavior change by default; it simply unlocks IPsec scenarios that require if_id steering.

Impact: none for existing users; new capability for per-tenant/VRF IPsec paths
diff --git a/SPECS-EXTENDED/kernel-ipe/config b/SPECS-EXTENDED/kernel-ipe/config
@@ -1170,7 +1170,7 @@ CONFIG_XFRM_OFFLOAD=y
 CONFIG_XFRM_ALGO=m
 CONFIG_XFRM_USER=m
 # CONFIG_XFRM_USER_COMPAT is not set
-# CONFIG_XFRM_INTERFACE is not set
+CONFIG_XFRM_INTERFACE=m
 CONFIG_XFRM_SUB_POLICY=y
 CONFIG_XFRM_MIGRATE=y
 CONFIG_XFRM_STATISTICS=y
diff --git a/SPECS-EXTENDED/kernel-ipe/kernel-ipe.signatures.json b/SPECS-EXTENDED/kernel-ipe/kernel-ipe.signatures.json
@@ -1,7 +1,7 @@
 {
   "Signatures": {
     "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
-    "config": "aa0bcbcfdf1efad62ff548f0da276966f117405d972233580a8c9e3a22a5ae10",
+    "config": "c5a9f5ed9cd1300d10dc5c353f29cf3c0d81f55a5bb1a7cc77b46e7480b834bf",
     "config_aarch64": "afd473ab5c76245d5e4455b408a981865511a226a87146210cad12edc0c67865",
     "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
     "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
diff --git a/SPECS-EXTENDED/kernel-ipe/kernel-ipe.spec b/SPECS-EXTENDED/kernel-ipe/kernel-ipe.spec
@@ -33,7 +33,7 @@
 Summary:        Linux Kernel
 Name:           kernel-ipe
 Version:        6.6.119.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -460,6 +460,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Fri Jan 16 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-3
+- Enable XFRM_INTERFACE
+
 * Thu Jan 08 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-2
 - Enable CONFIG_INET_DIAG_DESTROY
 
diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec
@@ -7,7 +7,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-64k-signed-%{buildarch}
 Version:        6.6.119.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -105,6 +105,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Fri Jan 16 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-3
+- Bump release to match kernel,kernel-ipe
+
 * Thu Jan 08 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-2
 - Bump release to match kernel,kernel-ipe,kernel-64k
 
diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@@ -10,7 +10,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
 Version:        6.6.119.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Fri Jan 16 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-3
+- Bump release to match kernel,kernel-ipe
+
 * Thu Jan 08 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-2
 - Bump release to match kernel,kernel-ipe,kernel-64k
 
diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
@@ -6,7 +6,7 @@
 Summary:        Signed Unified Kernel Image for %{buildarch} systems
 Name:           kernel-uki-signed-%{buildarch}
 Version:        6.6.119.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -68,6 +68,9 @@ popd
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Fri Jan 16 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-3
+- Bump release to match kernel,kernel-ipe
+
 * Thu Jan 08 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-2
 - Bump release to match kernel,kernel-ipe,kernel-64k
 
diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec
@@ -27,7 +27,7 @@
 Summary:        Linux Kernel
 Name:           kernel-64k
 Version:        6.6.119.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -380,6 +380,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Fri Jan 16 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-3
+- Bump release to match kernel,kernel-ipe
+
 * Thu Jan 08 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-2
 - Enable CONFIG_INET_DIAG_DESTROY
 
diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec
@@ -14,7 +14,7 @@
 Summary:        Linux API header files
 Name:           kernel-headers
 Version:        6.6.119.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -75,6 +75,9 @@ done
 %endif
 
 %changelog
+* Fri Jan 16 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-3
+- Bump release to match kernel,kernel-ipe
+
 * Thu Jan 08 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-2
 - Bump release to match kernel,kernel-ipe,kernel-64k
 
diff --git a/SPECS/kernel/config b/SPECS/kernel/config
@@ -1170,7 +1170,7 @@ CONFIG_XFRM_OFFLOAD=y
 CONFIG_XFRM_ALGO=m
 CONFIG_XFRM_USER=m
 # CONFIG_XFRM_USER_COMPAT is not set
-# CONFIG_XFRM_INTERFACE is not set
+CONFIG_XFRM_INTERFACE=m
 CONFIG_XFRM_SUB_POLICY=y
 CONFIG_XFRM_MIGRATE=y
 CONFIG_XFRM_STATISTICS=y
diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec
@@ -13,7 +13,7 @@
 Summary:        Unified Kernel Image
 Name:           kernel-uki
 Version:        6.6.119.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -70,6 +70,9 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Fri Jan 16 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-3
+- Bump release to match kernel,kernel-ipe
+
 * Thu Jan 08 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-2
 - Bump release to match kernel,kernel-ipe,kernel-64k
 
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json
@@ -1,7 +1,7 @@
 {
   "Signatures": {
     "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
-    "config": "aa0bcbcfdf1efad62ff548f0da276966f117405d972233580a8c9e3a22a5ae10",
+    "config": "c5a9f5ed9cd1300d10dc5c353f29cf3c0d81f55a5bb1a7cc77b46e7480b834bf",
     "config_aarch64": "afd473ab5c76245d5e4455b408a981865511a226a87146210cad12edc0c67865",
     "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
     "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec
@@ -32,7 +32,7 @@
 Summary:        Linux Kernel
 Name:           kernel
 Version:        6.6.119.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -440,6 +440,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Fri Jan 16 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-3
+- Enable XFRM_INTERFACE
+
 * Thu Jan 08 2026 Rachel Menge <rachelmenge@microsoft.com> - 6.6.119.3-2
 - Enable CONFIG_INET_DIAG_DESTROY
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.aarch64.rpm
-kernel-headers-6.6.119.3-2.azl3.noarch.rpm
+kernel-headers-6.6.119.3-3.azl3.noarch.rpm
 glibc-2.38-16.azl3.aarch64.rpm
 glibc-devel-2.38-16.azl3.aarch64.rpm
 glibc-i18n-2.38-16.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.x86_64.rpm
-kernel-headers-6.6.119.3-2.azl3.noarch.rpm
+kernel-headers-6.6.119.3-3.azl3.noarch.rpm
 glibc-2.38-16.azl3.x86_64.rpm
 glibc-devel-2.38-16.azl3.x86_64.rpm
 glibc-i18n-2.38-16.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -158,7 +158,7 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.aarch64.rpm
 kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm
-kernel-headers-6.6.119.3-2.azl3.noarch.rpm
+kernel-headers-6.6.119.3-3.azl3.noarch.rpm
 kmod-30-1.azl3.aarch64.rpm
 kmod-debuginfo-30-1.azl3.aarch64.rpm
 kmod-devel-30-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -165,8 +165,8 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.x86_64.rpm
 kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm
-kernel-cross-headers-6.6.119.3-2.azl3.noarch.rpm
-kernel-headers-6.6.119.3-2.azl3.noarch.rpm
+kernel-cross-headers-6.6.119.3-3.azl3.noarch.rpm
+kernel-headers-6.6.119.3-3.azl3.noarch.rpm
 kmod-30-1.azl3.x86_64.rpm
 kmod-debuginfo-30-1.azl3.x86_64.rpm
 kmod-devel-30-1.azl3.x86_64.rpm

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"Signatures": {`
`3`	`3`	`"azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",`
`4`		`- "config": "aa0bcbcfdf1efad62ff548f0da276966f117405d972233580a8c9e3a22a5ae10",`
	`4`	`+ "config": "c5a9f5ed9cd1300d10dc5c353f29cf3c0d81f55a5bb1a7cc77b46e7480b834bf",`
`5`	`5`	`"config_aarch64": "afd473ab5c76245d5e4455b408a981865511a226a87146210cad12edc0c67865",`
`6`	`6`	`"cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",`
`7`	`7`	`"cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",`