The kernel-source repository contains sources, configuration files, package definitions and supporting scripts for the SUSE kernels.
The SUSE kernels are generated from the upstream Linux kernel sources found at https://kernel.org/, on top of which a number of patches are applied. The expanded kernel source tree is configured and built, resulting in a binary kernel.
Make sure you have the git and quilt tools installed.
Introduce yourself if you haven't done so already:
$ git config --global user.name "Your Name"
$ git config --global user.email your@email
If you omit the
--global option, the setting will only apply to this
Set up some Git hooks and helpers:
To hack on the kernel sources:
$ cd tmp/linux-$version-$branch
$ quilt new patches.suse/fix-foo-and-bar.patch
$ quilt edit some/file.c
$ quilt header -e # see next chapter
Refer to the Quilt documentation for details. When you are done, add the new
patch to an appropriate place in the
series.conf file and run
to commit it. Patches should be named such that they consist of alphanumeric
characters, '-' and '.'. Typically, patches are named by filtering the Subject
of the patch to a lower-case, dash-separated form like the one in the example
To build RPM packages:
This creates a source package in the kernel-source directory. Use
$ ./scripts/osc_wrapper [kernel-source/kernel-$flavor.spec]
to build a kernel package locally, or
$ ./scripts/osc_wrapper upload [--ibs]
to have all flavors and architectures built by the Open Build Service. The
--ibs option uses the SUSE internal instance.
Each patch must have an RFC822-style header that at a minimum describes what the patch does, who wrote it and who inside SUSE can be contacted about problems with the patch. The rules for patch headers are:
Each patch must have a From tag that identifies the author of the patch.
Each patch must have a Subject tag that briefly describes what the patch does. A brief summary that could appear in a change log makes the most sense in most cases.
Unless the author specified in the From tag has a @suse.com, @suse.de or @suse.cz address, the patch must include a Signed-off-by, Acked-by or Reviewed-by header which identifies the person in one of these domains who feels responsible for the patch inside the company.
The patch must include a Patch-mainline tag that identifies where the patch came from (for backports from mainline) or when it is expected to be added to mainline. The format is one of:
For backports from mainline:
Patch-mainline: <upstream version, for instance, "v6.5-rc7">
Git-commit: <git hash>
If the commit is from a maintainer repository or some other repository that isn't Linus's:
Patch-mainline: Queued in subsystem maintainer repository
Git-commit: <git hash>
If the patch is not upstream, depending on the situation:
Patch-mainline: Submitted, <timestamp - destination>
Patch-mainline: Not yet, <reason>
Patch-mainline: Never, <reason>
The patch should include a References tag that identifies the Bugzilla bug number, JIRA issue ID, etc. where the patch is discussed. Please prefix bugzilla.suse.com bug numbers with bsc# and JIRA issue IDs with jsc#. Make sure you specify a JIRA Implementation task when referencing JIRA features, not its Epic ID. Have a look at https://en.opensuse.org/openSUSE:Packaging_Patches_guidelines#Current_set_of_abbreviations for a full list of abbreviations.
The patch header should include a more extensive description of what the patch does, why and how. The idea is to allow others to quickly identify what each patch is about and to give enough information for reviewing.
More details about valid patch headers can be found in
scripts/patch-tag-template. The helper script
scripts/patch-tag can be used
for managing these tags. Documentation for
patch-tag can be found at the top
of the script itself.
Example usage of
$ cp scripts/patch-tag-template ~/.patchtag
[ Edit ~/.patchtag with any default values you want. ]
$ patch-tag -e file.diff
Example patch header:
From: Pablo Neira Ayuso <email@example.com>
Date: Tue, 15 Aug 2023 15:39:01 +0200
Subject: netfilter: nf_tables: GC transaction race with netns dismantle
References: CVE-2023-4563 bsc#1214727
Use maybe_get_net() since GC workqueue might race with netns exit path.
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Pablo Neira Ayuso <firstname.lastname@example.org>
Signed-off-by: Florian Westphal <email@example.com>
Acked-by: Michal Kubecek <firstname.lastname@example.org>
Patches added to the "sorted patches" section of
series.conf must be sorted
according to the upstream order of the commits that they backport.
After you've added a patch file to the main
patches.suse/ or a different patch
directory, and supplemented the required tags described in the section Patch
$ ./scripts/git_sort/series_insert.py <patch>
to insert an entry for a new patch file to the sorted section of
For more information, please read
Make sure that all patches still apply after your changes. One way of doing this
$ export SCRATCH_AREA=/var/tmp/scratch
Creating tree in /var/tmp/scratch/linux-5.14-SLE15-SP5
Cleaning up from previous run
Linking from /var/tmp/scratch/linux-5.14.orig
[ Tree: /var/tmp/scratch/linux-5.14-SLE15-SP5 ]
[ Generating Module.supported ]
[ Copying config/x86_64/default ]
Note the "Tree:" line output by the
sequence-patch.sh script which specifies
the location of the expanded kernel tree that is configured for local build.
Please test-compile the kernel or even test-build kernel packages, depending on
the impact of your changes. Use
scripts/tar-up.sh for creating an OBS package
The kernel source tree that
scripts/sequence-patch.sh creates can be
test-compiled. Before that, make sure all prerequisites are installed. These
include libopenssl-devel, libelf-devel and dwarves. Have a look into
rpm/kernel-binary.spec.in for a complete list. Then, the compilation can be
done as follows:
$ cd /var/tmp/scratch/linux-5.14-SLE15-SP5
$ make oldconfig
When committing a patch series, try to make the series easily bisectable. In other words, when applying only the first x patches (1 <= x <= n, n being the number of patches in the series), the kernel should be still buildable and functional.
This means especially that just adding upstream patches unmodified to a series and doing a cleanup patch at the end of the series to ensure the kernel is buildable and functional is to be avoided. Each patch from upstream should be modified as required to fit into the kernel it is backported to, both for build time and runtime.
Applying all patches in the tree with
scripts/sequence-patch.sh can take
a significant amount of time. The
--rapid option is present to speed up the
process and tells the script to use Rapidquilt instead of the regular Quilt.
The Rapidquilt implementation applies patches in parallel and typically produces
an expanded tree in a fraction of the original time. A Rapidquilt package can be
obtained from https://download.opensuse.org/repositories/Kernel:/tools/.
SUSE kernel packages for various architectures and configurations are built from
the same sources. Each such kernel has its own configuration file in
config/$ARCH/$FLAVOR. Checks are in place that abort the kernel build when
those configuration files are missing necessary config options.
When adding patches that introduce new kernel config options, please also update all config files as follows:
$ cd /var/tmp/scratch/linux-5.14-SLE15-SP5
Every commit to the kernel source repository should be properly documented.
scripts/tar-up.sh obtains change descriptions from a Git commit log and
.changes files for use by the target RPM packages. All
commits which affect the kernel package have their description collected, only
changes modifying internals of the repository such as helper scripts are
When recording your changes to the repository, you should use
rather than running
git commit directly in order to produce a commit
description in the expected format.
All symbols that the kernel exports for use by modules and all symbols that modules export for use by other modules are associated with a so-called modversion. It is a checksum of the type of the symbol, including all sub-types involved. Symbols that a module imports are associated with the identical checksum.
When a module is loaded, the kernel makes sure that the checksums of the symbols imported by the module match the checksums of the target symbols. In case of a mismatch, the kernel rejects to load the module.
Kernel packages additionally set an RPM dependency in the form
ksym($FLAVOR:$SYMBOL) = $CHECKSUM for every exported/imported symbol.
A Provides dependency is present for each symbol exported by kernel binaries in
the package and a Requires dependency is recorded for each imported symbol. This
mechanism allows checking module dependencies early at the package installation
SUSE kernels maintain stable kABI during a lifetime of each service pack. An exported symbol can be changed only if a strong reason arises.
When building an RPM kernel package, the build logic checks the modversions of
the resulting kernel and compares them against the reference stored in
kabi/$ARCH/symtypes-$FLAVOR. If any updated
or removed symbol is found, the build reports an error and aborts. Symbols
explicitly ignored in
kabi/severities are excluded from this check. See
rpm/kabi.pl for details.
To update the reference files, use
$ ./scripts/update-symvers kernel-default-5.14.21-150500.55.31.1.x86_64.rpm \
Updating the kabi files is typically done by the branch maintainers. Please always ask them for permission before touching these files.
It might sometimes be needed to tolerate particular kernel ABI changes and not abort the build. At the same time, you may not want to update the reference symvers and symtypes files in order to monitor the relative changes.
A specific kernel can be marked so that kernel ABI changes are ignored. This is
done by creating a
kabi/$ARCH/ignore-$FLAVOR file, for example,
kabi/x86_64/ignore-default. The kernel ABI checks are still performed, but the
build does not abort if a problem is found. The content of the ignore file does
All kernel ABI changes in all kernel packages can be ignored by creating a file
IGNORE-KABI-BADNESS in the
kernel-source/ sub-directory of the
scripts/tar-up.sh creates. Doing this may occasionally be
necessary for PTF kernels.
At certain times during development, the kernel may include "embargoed" patches, which are patches that must not be made available to parties outside of SUSE before an agreed-upon time. Such patches usually have a date of publication that has been coordinated among Linux distributors and other stakeholders. These patches must not be committed to the usual branches, because these are pushed to a public mirror, but instead to a branch named with an _EMBARGO suffix, for example, SLE15-SP5_EMBARGO. The KOTD scripts will testbuild such branches but won't publish them. Once the fix becomes public, the branch needs to be merged back info the "mainline" branch.