kernel: bump to v6.18.x (LTS)

Bump both the kernel and kernel-confidential versions from v6.12.x and
v6.16.x to v6.18.4, aligning with the new LTS release.

Kernel 6.18 introduced several configuration changes that required
updates to our kernel config fragments:

* CRYPTO_FIPS dependencies changed:
  - In 6.12: depended on !CRYPTO_MANAGER_DISABLE_TESTS
  - In 6.18: now depends on CRYPTO_SELFTESTS (which requires EXPERT)
  Added CONFIG_EXPERT=y and CONFIG_CRYPTO_SELFTESTS=y to crypto.conf
  to satisfy the new dependency chain.
  * CONFIG_EXPERT is a naughty one, as it disables / enables a bunch
    of things behind ones back, probably just to prove a point that
    it is for experts ;-) ... regardless, a reasonable amount of
    options had to be re-added in order to make sure anything ends
    up broken.

* Legacy iptables support:
  Kernel 6.18 requires explicit legacy xtables/iptables configs for
  IP_NF_* options. Added CONFIG_NETFILTER_XTABLES_LEGACY,
  CONFIG_IP_NF_IPTABLES_LEGACY, and CONFIG_IP6_NF_IPTABLES_LEGACY
  to netfilter.conf.

* Module signing dependencies:
  Added CONFIG_MODULES=y and other required dependencies to
  module_signing.conf to ensure MODULE_SIG can be properly enabled.

* Whitelist updates:
  - Added CONFIG_NF_CT_PROTO_DCCP (removed in 6.18+)
  - Added CONFIG_CRYPTO_SELFTESTS, CONFIG_NETFILTER_XTABLES_LEGACY,
    CONFIG_IP_NF_IPTABLES_LEGACY, CONFIG_IP6_NF_IPTABLES_LEGACY
    (added in 6.18+, not present in older kernels like 6.12)

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>

tools/packaging/kernel/configs/fragments/arm64/crypto.conf

@@ -3,4 +3,3 @@
 CONFIG_ARM64_CRYPTO=y
 CONFIG_CRYPTO_AES_ARM64=y
 CONFIG_CRYPTO_AES_ARM64_CE=y
-CONFIG_CRYPTO_SHA256_ARM64=y

tools/packaging/kernel/configs/fragments/common/crypto.conf

@@ -13,8 +13,46 @@ CONFIG_DECOMPRESS_GZIP=y
 CONFIG_CRYPTO_USER_API=y
 CONFIG_CRYPTO_USER_API_HASH=y
 CONFIG_CRYPTO_SHA256=y
+# CRYPTO_FIPS dependencies (required in 6.18+)
+# CRYPTO_FIPS -> CRYPTO_SELFTESTS -> EXPERT
+CONFIG_EXPERT=y
+CONFIG_CRYPTO_SELFTESTS=y
 CONFIG_CRYPTO_FIPS=y
 CONFIG_CRYPTO_ANSI_CPRNG=y
+# EXPERT disables many options by default - restore common ones:
+# (Architecture-specific options are in x86_64/crypto.conf and arm64/crypto.conf)
+CONFIG_PCI_QUIRKS=y
+CONFIG_ZONE_DMA=y
+CONFIG_BUG=y
+CONFIG_IO_URING=y
+CONFIG_PCIEASPM=y
+CONFIG_FW_LOADER=y
+CONFIG_KALLSYMS=y
+CONFIG_MEMBARRIER=y
+CONFIG_COREDUMP=y
+CONFIG_ELF_CORE=y
+CONFIG_ADVISE_SYSCALLS=y
+CONFIG_CACHESTAT_SYSCALL=y
+CONFIG_RSEQ=y
+CONFIG_SECRETMEM=y
+CONFIG_VT=y
+CONFIG_RANDOMIZE_KSTACK_OFFSET=y
+CONFIG_ALLOW_DEV_COREDUMP=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_CRC_OPTIMIZATIONS=y
+CONFIG_XZ_DEC_X86=y
+CONFIG_XZ_DEC_POWERPC=y
+CONFIG_XZ_DEC_ARM=y
+CONFIG_XZ_DEC_ARMTHUMB=y
+CONFIG_XZ_DEC_ARM64=y
+CONFIG_XZ_DEC_SPARC=y
+CONFIG_XZ_DEC_RISCV=y
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_SLUB_DEBUG=y
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_STACKTRACE=y
 
 # IPsec and VXLAN crypto requirements
 CONFIG_CRYPTO_GCM=y

tools/packaging/kernel/configs/fragments/common/netfilter.conf

@@ -5,6 +5,12 @@
 
 CONFIG_NETFILTER=y
 CONFIG_NETFILTER_ADVANCED=y
+
+# Legacy xtables/iptables support (required by 6.18+ for IP_NF_* options)
+# This is needed to enable legacy iptables support
+CONFIG_NETFILTER_XTABLES_LEGACY=y
+CONFIG_IP_NF_IPTABLES_LEGACY=y
+CONFIG_IP6_NF_IPTABLES_LEGACY=y
 CONFIG_NETFILTER_INGRESS=y
 CONFIG_NETFILTER_NETLINK=y
 CONFIG_NETFILTER_FAMILY_ARP=y

tools/packaging/kernel/configs/fragments/common/signing/module_signing.conf

@@ -1,7 +1,14 @@
 # Module signing
+# Dependencies required for MODULE_SIG and SYSTEM_TRUSTED_KEYRING
+CONFIG_MODULES=y
+CONFIG_KEYS=y
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS7_MESSAGE_PARSER=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS=""
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
-CONFIG_SYSTEM_TRUSTED_KEYRING=y

tools/packaging/kernel/configs/fragments/s390/crypto.conf

@@ -15,12 +15,6 @@ CONFIG_CRYPTO_HW=y
 CONFIG_ZCRYPT=y
 # Kernel API for protected key handling
 CONFIG_PKEY=y
-# s390 hardware accelerated implementation of the SHA-1 secure hash standard
-CONFIG_CRYPTO_SHA1_S390=y
-# s390 hardware accelerated implementation of the SHA256 secure hash standard
-CONFIG_CRYPTO_SHA256_S390=y
-# s390 hardware accelerated implementation of the SHA512 secure hash standard
-CONFIG_CRYPTO_SHA512_S390=y
 # s390 hardware accelerated implementation of the DES cipher algorithm (FIPS 46-2),
 # and Triple DES EDE (FIPS 46-3).
 CONFIG_CRYPTO_DES_S390=y
@@ -40,6 +34,5 @@ CONFIG_CRYPTO_SHA3_512_S390=y
 # Support for ChaCha stream cipher algorithms
 CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CHACHA20POLY1305=y
-CONFIG_CRYPTO_CHACHA_S390=y
 # When PKEY is enabled and dm-crypt wants to use protected keys
 CONFIG_CRYPTO_PAES_S390=y

tools/packaging/kernel/configs/fragments/whitelist.conf

@@ -42,3 +42,27 @@ CONFIG_BLK_DEV_WRITE_MOUNTED
 CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE
 CONFIG_MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO
 CONFIG_CRYPTO_CRC32_S390
+# Removed in 6.18+ kernels
+CONFIG_NF_CT_PROTO_DCCP
+# Added in 6.18+ kernels (not present in older kernels)
+CONFIG_CRYPTO_SELFTESTS
+CONFIG_NETFILTER_XTABLES_LEGACY
+CONFIG_IP_NF_IPTABLES_LEGACY
+CONFIG_IP6_NF_IPTABLES_LEGACY
+CONFIG_CRC_OPTIMIZATIONS
+CONFIG_MTRR
+CONFIG_X86_PAT
+CONFIG_EARLY_PRINTK
+CONFIG_PCSPKR_PLATFORM
+CONFIG_X86_16BIT
+CONFIG_X86_ESPFIX64
+CONFIG_X86_UMIP
+CONFIG_MODIFY_LDT_SYSCALL
+CONFIG_X86_PM_TIMER
+CONFIG_ISA_DMA_API
+CONFIG_DMI
+CONFIG_VGA_ARB
+CONFIG_SERIAL_8250_PNP
+CONFIG_ZONE_DMA
+CONFIG_SECRETMEM
+

tools/packaging/kernel/configs/fragments/x86_64/crypto.conf

@@ -1,2 +1,20 @@
 # x86 cryptographic instructions to improve AES encryption and SHA256 hashing.
 CONFIG_CRYPTO_AES_NI_INTEL=y
+
+# x86-specific options disabled by CONFIG_EXPERT that need to be restored:
+CONFIG_ZONE_DMA=y
+CONFIG_DMI=y
+CONFIG_MTRR=y
+CONFIG_X86_PAT=y
+CONFIG_EARLY_PRINTK=y
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+CONFIG_X86_UMIP=y
+CONFIG_MODIFY_LDT_SYSCALL=y
+CONFIG_X86_PM_TIMER=y
+CONFIG_ISA_DMA_API=y
+CONFIG_VGA_ARB=y
+CONFIG_FIRMWARE_MEMMAP=y
+CONFIG_SERIAL_8250_PNP=y

tools/packaging/kernel/kata_config_version

@@ -1 +1 @@
-173
+174

versions.yaml

@@ -207,11 +207,11 @@ assets:
   kernel:
     description: "Linux kernel optimised for virtual machines"
     url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
-    version: "v6.12.47"
+    version: "v6.18.5"
     confidential:
       description: "Linux kernel with x86_64 TEEs (SNP and TDX) support"
       url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
-      version: "v6.16.7"
+      version: "v6.18.5"
 
   kernel-arm-experimental:
     description: "Linux kernel with cpu/mem hotplug support on arm64"