mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-22 15:01:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

sys-kernel/coreos-sources: bump to 4.13.8

Browse Source
This commit is contained in:
Jenkins OS 2017-10-20 04:48:19 +00:00
parent 97040e32bf
commit 24ed768112
29 changed files with 86 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.7.ebuild → sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.8.ebuild vendored
View File

0
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.7.ebuild → sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.8.ebuild vendored
View File

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest vendored
View File

@ -1,2 +1,2 @@
DIST linux-4.13.tar.xz 100579888 SHA256 2db3d6066c3ad93eb25b973a3d2951e022a7e975ee2fa7cbe5bddf84d9a49a2c SHA512 a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2 WHIRLPOOL d3d332e02cd3c5056c76c28cf1f81504c6f7b8f2caed7238e7dd7866747fb03154b88d8d7aec4d0eddf5760624bc7d6c5485fb52a3e32d098a2742eba96c0d05 DIST linux-4.13.tar.xz 100579888 SHA256 2db3d6066c3ad93eb25b973a3d2951e022a7e975ee2fa7cbe5bddf84d9a49a2c SHA512 a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2 WHIRLPOOL d3d332e02cd3c5056c76c28cf1f81504c6f7b8f2caed7238e7dd7866747fb03154b88d8d7aec4d0eddf5760624bc7d6c5485fb52a3e32d098a2742eba96c0d05
DIST patch-4.13.7.xz 165784 SHA256 0fe89c96e956efbded576214eef0c8e43cabe41dfca245e3ebb79fff9bc8715d SHA512 4d96c655ca4c720b872e1a88ba9989a419880cb5fec2a4a9190077588066f205c5dce2591a76f26375f6f50001334ceb7631d489d3b24ca443d10e1e6879ed54 WHIRLPOOL fb192f3acb9d3a249a2ecaf6b7d6c6eca0ac684c17c01226ed1ca69f5aafefa782aeb80000bfae5753672e2d8bb93b07377e8d1c0ca66b5dbdb1332d77ae38a9 DIST patch-4.13.8.xz 179404 SHA256 3b2bcceb16acd75322e98d3e93967e82bd0e7499c748bf12bd46c7519dacc315 SHA512 b70b1a081155fa9a7082ad2771aa0a43a9f6458aa5f7f312729aaa3a71db71d28bcd1d1cac6ffaee134797359f37ee86de70537c1190ca60c016a8779268e880 WHIRLPOOL 82e9c91772c2ddd9c38fa7c7ad0cb34c8bb8faa1793f2d9fb1c22f04351ad5b5b4af201e5d521343b3df411cd07a003754009fc7993cf844477015e034d66577

1
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.7.ebuild → sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.8.ebuild vendored
View File

@ -55,4 +55,5 @@ UNIPATCH_LIST="
${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \ ${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ ${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \ ${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
${PATCH_DIR}/z0025-cifs-Select-all-required-crypto-modules.patch \
" "

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch vendored
View File

@ -1,7 +1,7 @@
From e03ef102d0cabd798b0784330e5c063e406ba69f Mon Sep 17 00:00:00 2001 From 4f4eec160361014f861c8f439e137138dd98008b Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org> From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Mon, 21 Nov 2016 23:55:55 +0000 Date: Mon, 21 Nov 2016 23:55:55 +0000
Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
that can be passed to efi_enabled() to find out whether secure boot is that can be passed to efi_enabled() to find out whether secure boot is

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch vendored
View File

@ -1,7 +1,7 @@
From 36cf82213ee6353307254117689a7ed8bd0b390c Mon Sep 17 00:00:00 2001 From 074ed22e06e4f170ca31203ed2de6e261f9bfabe Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Mon, 21 Nov 2016 23:36:17 +0000 Date: Mon, 21 Nov 2016 23:36:17 +0000
Subject: [PATCH 02/24] Add the ability to lock down access to the running Subject: [PATCH 02/25] Add the ability to lock down access to the running
kernel image kernel image
Provide a single call to allow kernel code to determine whether the system Provide a single call to allow kernel code to determine whether the system

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch vendored
View File

@ -1,7 +1,7 @@
From 41c69b650459b3c6493af84133a97f85218218ec Mon Sep 17 00:00:00 2001 From 2364eace65d3d0249a38f3d6cce7538423e5f7c9 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Mon, 21 Nov 2016 23:55:55 +0000 Date: Mon, 21 Nov 2016 23:55:55 +0000
Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also only load signed bootloaders and kernels. Certain use cases may also

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch vendored
View File

@ -1,7 +1,7 @@
From 21703e9af75dd9c17303e3e7e8ccc54dc409fd5f Mon Sep 17 00:00:00 2001 From ba9d0a66a38d4dcf1aa8d3620f8970711acd207d Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Wed, 23 Nov 2016 13:22:22 +0000 Date: Wed, 23 Nov 2016 13:22:22 +0000
Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down
If the kernel is locked down, require that all modules have valid If the kernel is locked down, require that all modules have valid
signatures that we can verify. signatures that we can verify.

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch vendored
View File

@ -1,7 +1,7 @@
From adfa60bbc2f70b8e3af62ff2119cf335e1097a11 Mon Sep 17 00:00:00 2001 From 9542095e861e2faf88188d58fc03848cd64bb2db Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000 Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is
locked down locked down
Allowing users to write to address space makes it possible for the kernel to Allowing users to write to address space makes it possible for the kernel to

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch vendored
View File

@ -1,7 +1,7 @@
From 46a1082586962eb5b323de33038f83f3cb099f14 Mon Sep 17 00:00:00 2001 From 65a71a75ec1552710a63c6e1e5e4d7473c24b29b Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:15 +0000 Date: Tue, 22 Nov 2016 08:46:15 +0000
Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down
kexec permits the loading and execution of arbitrary code in ring 0, which kexec permits the loading and execution of arbitrary code in ring 0, which
is something that lock-down is meant to prevent. It makes sense to disable is something that lock-down is meant to prevent. It makes sense to disable

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch vendored
View File

@ -1,7 +1,7 @@
From b79bed540e03d94c967726ed154adaaa9a853959 Mon Sep 17 00:00:00 2001 From 035ce6505390f4df4c0cb1c2c2ef5c8725a89d68 Mon Sep 17 00:00:00 2001
From: Dave Young <dyoung@redhat.com> From: Dave Young <dyoung@redhat.com>
Date: Tue, 22 Nov 2016 08:46:15 +0000 Date: Tue, 22 Nov 2016 08:46:15 +0000
Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec
reboot reboot
Kexec reboot in case secure boot being enabled does not keep the secure Kexec reboot in case secure boot being enabled does not keep the secure

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch vendored
View File

@ -1,7 +1,7 @@
From 507952ee036f02987f83d4b7385be9b5dfa34d7c Mon Sep 17 00:00:00 2001 From b1fcbba3cd5a50e63b42911651dbd01742bb3730 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com> From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Wed, 23 Nov 2016 13:49:19 +0000 Date: Wed, 23 Nov 2016 13:49:19 +0000
Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been
set set
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch vendored
View File

@ -1,7 +1,7 @@
From 5c5ad91fce7da054aa83761f72601e1d56a28660 Mon Sep 17 00:00:00 2001 From 7bc4b3476a5a5b9906a553ed31cd494998d6060a Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org> From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 22 Nov 2016 08:46:15 +0000 Date: Tue, 22 Nov 2016 08:46:15 +0000
Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down
There is currently no way to verify the resume image when returning There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model, from hibernate. This might compromise the signed modules trust model,

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch vendored
View File

@ -1,7 +1,7 @@
From ca6b230412ab3e8546149b597cf44b767bb827c4 Mon Sep 17 00:00:00 2001 From 35cf679f2d6fb017eace3c16d568666c5fcf227e Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org> From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Wed, 23 Nov 2016 13:28:17 +0000 Date: Wed, 23 Nov 2016 13:28:17 +0000
Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down
uswsusp allows a user process to dump and then restore kernel state, which uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if the kernel makes it possible to modify the running kernel. Disable this if the kernel

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch vendored
View File

@ -1,7 +1,7 @@
From 431e44d46f884a411cefa7c4120d26fe738e018a Mon Sep 17 00:00:00 2001 From af41f9d5ea3ed71233a05a3be0694087afd4d2cf Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:15 +0000 Date: Tue, 22 Nov 2016 08:46:15 +0000
Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked
down down
Any hardware that can potentially generate DMA has to be locked down in Any hardware that can potentially generate DMA has to be locked down in

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch vendored
View File

@ -1,7 +1,7 @@
From 438b2fa68262a24e41e928a066a91c3b8cc732ea Mon Sep 17 00:00:00 2001 From 3ccaeff749221412d51dd251a6a1503ca1d0cf93 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000 Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked
down down
IO port access would permit users to gain access to PCI configuration IO port access would permit users to gain access to PCI configuration

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch vendored
View File

@ -1,7 +1,7 @@
From 9e25efe48f3ebba5f8ae29edbac3bdd686a2e29c Mon Sep 17 00:00:00 2001 From 7ceef49935cf93e0a50224b97291153f9137057f Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:17 +0000 Date: Tue, 22 Nov 2016 08:46:17 +0000
Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down
Writing to MSRs should not be allowed if the kernel is locked down, since Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode. Based on a it could lead to execution of arbitrary code in kernel mode. Based on a

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch vendored
View File

@ -1,7 +1,7 @@
From 3711ab05c1fa894323f6ba6cf8d6ed941b71e6dd Mon Sep 17 00:00:00 2001 From d5fa5c9aa1da121f01686f4e30cfebcce66899ef Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000 Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is
locked down locked down
We have no way of validating what all of the Asus WMI methods do on a given We have no way of validating what all of the Asus WMI methods do on a given

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch vendored
View File

@ -1,7 +1,7 @@
From 9270c8dd98aac0c126bd4de8b043f7b640538158 Mon Sep 17 00:00:00 2001 From 039580a0a222b5e49fb837f2100812f6eb581bbe Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000 Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is
locked down locked down
custom_method effectively allows arbitrary access to system memory, making custom_method effectively allows arbitrary access to system memory, making

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch vendored
View File

@ -1,7 +1,7 @@
From 32938322a86727368913c229e651f2bc9ea232ca Mon Sep 17 00:00:00 2001 From db68e90cb4b22a47acb0151cca4e939791443544 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com> From: Josh Boyer <jwboyer@redhat.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000 Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has
been locked down been locked down
This option allows userspace to pass the RSDP address to the kernel, which This option allows userspace to pass the RSDP address to the kernel, which

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch vendored
View File

@ -1,7 +1,7 @@
From d5daa6edc6e51072dc797b81051360b478fb5265 Mon Sep 17 00:00:00 2001 From 1c741dbc002b042f2d63233967dc02241e6c079b Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com> From: Linn Crosetto <linn@hpe.com>
Date: Wed, 23 Nov 2016 13:32:27 +0000 Date: Wed, 23 Nov 2016 13:32:27 +0000
Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is
locked down locked down
From the kernel documentation (initrd_table_override.txt): From the kernel documentation (initrd_table_override.txt):

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch vendored
View File

@ -1,7 +1,7 @@
From 1489fcf49abbef75b55b57b0ccbedf6fe04540c7 Mon Sep 17 00:00:00 2001 From 4425474f38e9cb670e5e32080f95f777cf4d1552 Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com> From: Linn Crosetto <linn@hpe.com>
Date: Wed, 23 Nov 2016 13:39:41 +0000 Date: Wed, 23 Nov 2016 13:39:41 +0000
Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is
locked down locked down
ACPI provides an error injection mechanism, EINJ, for debugging and testing ACPI provides an error injection mechanism, EINJ, for debugging and testing

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch vendored
View File

@ -1,7 +1,7 @@
From d0108763f62a685f8be631809b0930ada06e11d5 Mon Sep 17 00:00:00 2001 From adbb95420bd4ca2827505a441c18376e1a587136 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com> From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Wed, 23 Nov 2016 13:52:16 +0000 Date: Wed, 23 Nov 2016 13:52:16 +0000
Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the
kernel is locked down kernel is locked down
There are some bpf functions can be used to read kernel memory: There are some bpf functions can be used to read kernel memory:

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch vendored
View File

@ -1,7 +1,7 @@
From d7ddac19599ea83cdd96fa49b5c63cacd5a48246 Mon Sep 17 00:00:00 2001 From df42138d03b69a650b8d30870331ec6caaeb76c1 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Tue, 22 Nov 2016 10:10:34 +0000 Date: Tue, 22 Nov 2016 10:10:34 +0000
Subject: [PATCH 20/24] scsi: Lock down the eata driver Subject: [PATCH 20/25] scsi: Lock down the eata driver
When the kernel is running in secure boot mode, we lock down the kernel to When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this prevent userspace from modifying the running kernel image. Whilst this

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch vendored
View File

@ -1,7 +1,7 @@
From 756c195d5ae03785c244ab97f69882a1e505a878 Mon Sep 17 00:00:00 2001 From c56df2d816dded6ad706735722235bb26b3ae5cc Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Fri, 25 Nov 2016 14:37:45 +0000 Date: Fri, 25 Nov 2016 14:37:45 +0000
Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked
down down
Prohibit replacement of the PCMCIA Card Information Structure when the Prohibit replacement of the PCMCIA Card Information Structure when the

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch vendored
View File

@ -1,7 +1,7 @@
From 156c8ff989e16ed6ba8b87455f09397a09e06c63 Mon Sep 17 00:00:00 2001 From 7d7f5a887df630f32cecec52dab67e4102363cdd Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Wed, 7 Dec 2016 10:28:39 +0000 Date: Wed, 7 Dec 2016 10:28:39 +0000
Subject: [PATCH 22/24] Lock down TIOCSSERIAL Subject: [PATCH 22/25] Lock down TIOCSSERIAL
Lock down TIOCSSERIAL as that can be used to change the ioport and irq Lock down TIOCSSERIAL as that can be used to change the ioport and irq
settings on a serial port. This only appears to be an issue for the serial settings on a serial port. This only appears to be an issue for the serial

6
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch vendored
View File

@ -1,7 +1,7 @@
From 1a7f0516d79117e7e8fdf5fd4ad98cd8e33abf21 Mon Sep 17 00:00:00 2001 From bb3fa65910d0a5b6c92a2d91c9399a36cb456dbd Mon Sep 17 00:00:00 2001
From: Vito Caputo <vito.caputo@coreos.com> From: Vito Caputo <vito.caputo@coreos.com>
Date: Wed, 25 Nov 2015 02:59:45 -0800 Date: Wed, 25 Nov 2015 02:59:45 -0800
Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR
This enables relocating source and build trees to different roots, This enables relocating source and build trees to different roots,
provided they stay reachable relative to one another. Useful for provided they stay reachable relative to one another. Useful for
@ -12,7 +12,7 @@ by some undesirable path component.
1 file changed, 2 insertions(+), 1 deletion(-) 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile diff --git a/Makefile b/Makefile
index 0d4f1b19869d..11ab2b77f732 100644 index 66ec023da822..1a5fdd05024c 100644
--- a/Makefile --- a/Makefile
+++ b/Makefile +++ b/Makefile
@@ -142,7 +142,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make @@ -142,7 +142,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch vendored
View File

@ -1,7 +1,7 @@
From 2c1a9a33846f068c75958b33bbba00a76862223a Mon Sep 17 00:00:00 2001 From 5f6ef485a1366fc3be1296e12a8b648726d00250 Mon Sep 17 00:00:00 2001
From: Geoff Levand <geoff@infradead.org> From: Geoff Levand <geoff@infradead.org>
Date: Fri, 11 Nov 2016 17:28:52 -0800 Date: Fri, 11 Nov 2016 17:28:52 -0800
Subject: [PATCH 24/24] Add arm64 coreos verity hash Subject: [PATCH 24/25] Add arm64 coreos verity hash
Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Geoff Levand <geoff@infradead.org>
--- ---

35
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-cifs-Select-all-required-crypto-modules.patch vendored Normal file
View File

@ -0,0 +1,35 @@
From 47bfd708975ffbb4392fdfe23524af37bbba26c3 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <benjamin.gilbert@coreos.com>
Date: Thu, 19 Oct 2017 11:36:02 -0700
Subject: [PATCH 25/25] cifs: Select all required crypto modules
Some dependencies were lost when CIFS_SMB2 was merged into CIFS.
Fixes: 2a38e12053b7 ("[SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred")
Signed-off-by: Benjamin Gilbert <benjamin.gilbert@coreos.com>
---
fs/cifs/Kconfig | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig
index f7243617316c..d5b2e12b5d02 100644
--- a/fs/cifs/Kconfig
+++ b/fs/cifs/Kconfig
@@ -5,9 +5,14 @@ config CIFS
select CRYPTO
select CRYPTO_MD4
select CRYPTO_MD5
+ select CRYPTO_SHA256
+ select CRYPTO_CMAC
select CRYPTO_HMAC
select CRYPTO_ARC4
+ select CRYPTO_AEAD2
+ select CRYPTO_CCM
select CRYPTO_ECB
+ select CRYPTO_AES
select CRYPTO_DES
help
This is the client VFS module for the SMB3 family of NAS protocols,
--
2.14.1