diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.1.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.1.3.ebuild
new file mode 100644
index 0000000000..6be6f0d505
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.1.3.ebuild
@@ -0,0 +1,9 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+COREOS_SOURCE_REVISION=""
+inherit coreos-kernel
+
+DESCRIPTION="CoreOS Linux kernel"
+KEYWORDS="amd64"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.1 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.1
new file mode 100644
index 0000000000..6c90ff5f2d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.1
@@ -0,0 +1,945 @@ +# CONFIG_LOCALVERSION_AUTO is not set +CONFIG_SYSVIPC=y +CONFIG_POSIX_MQUEUE=y +# CONFIG_CROSS_MEMORY_ATTACH is not set +CONFIG_FHANDLE=y +CONFIG_AUDIT=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y +CONFIG_IRQ_TIME_ACCOUNTING=y +CONFIG_BSD_PROCESS_ACCT=y +CONFIG_BSD_PROCESS_ACCT_V3=y +CONFIG_TASK_XACCT=y +CONFIG_TASK_IO_ACCOUNTING=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=18 +CONFIG_NUMA_BALANCING=y +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CPUSETS=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_MEMCG=y +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_KMEM=y +CONFIG_CGROUP_PERF=y +CONFIG_CFS_BANDWIDTH=y +CONFIG_RT_GROUP_SCHED=y +CONFIG_BLK_CGROUP=y +CONFIG_CHECKPOINT_RESTORE=y +CONFIG_NAMESPACES=y +CONFIG_USER_NS=y +CONFIG_SCHED_AUTOGROUP=y +CONFIG_BLK_DEV_INITRD=y +CONFIG_INITRAMFS_SOURCE="bootengine.cpio" +CONFIG_EXPERT=y +# CONFIG_COMPAT_BRK is not set +CONFIG_PROFILING=y +CONFIG_JUMP_LABEL=y +CONFIG_CC_STACKPROTECTOR_REGULAR=y +CONFIG_MODULES=y +CONFIG_MODULE_UNLOAD=y +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_SHA256=y +CONFIG_BLK_DEV_THROTTLING=y +CONFIG_PARTITION_ADVANCED=y +CONFIG_BSD_DISKLABEL=y +CONFIG_MINIX_SUBPARTITION=y +CONFIG_SOLARIS_X86_PARTITION=y +CONFIG_UNIXWARE_DISKLABEL=y +CONFIG_CFQ_GROUP_IOSCHED=y +CONFIG_SMP=y +CONFIG_X86_X2APIC=y +# CONFIG_X86_MPPARSE is not set +# CONFIG_X86_EXTENDED_PLATFORM is not set +CONFIG_X86_INTEL_LPSS=y +CONFIG_IOSF_MBI=m +CONFIG_HYPERVISOR_GUEST=y +CONFIG_PARAVIRT=y +CONFIG_PARAVIRT_SPINLOCKS=y +CONFIG_XEN=y +CONFIG_XEN_DEBUG_FS=y +CONFIG_XEN_PVH=y +CONFIG_PARAVIRT_TIME_ACCOUNTING=y +CONFIG_GART_IOMMU=y +CONFIG_NR_CPUS=128 +CONFIG_SCHED_SMT=y +CONFIG_PREEMPT_VOLUNTARY=y +CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y +# CONFIG_X86_16BIT is not set +CONFIG_MICROCODE=m +CONFIG_MICROCODE_AMD=y +CONFIG_X86_MSR=m +CONFIG_X86_CPUID=m +CONFIG_NUMA=y +CONFIG_NODES_SHIFT=7 +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_KSM=y +CONFIG_MEMORY_FAILURE=y 
+CONFIG_TRANSPARENT_HUGEPAGE=y +CONFIG_CLEANCACHE=y +CONFIG_FRONTSWAP=y +CONFIG_ZSMALLOC=m +CONFIG_X86_CHECK_BIOS_CORRUPTION=y +# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=1 +CONFIG_EFI=y +CONFIG_EFI_STUB=y +CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y +CONFIG_HZ_1000=y +CONFIG_KEXEC=y +CONFIG_KEXEC_FILE=y +CONFIG_KEXEC_VERIFY_SIG=y +CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y +CONFIG_CRASH_DUMP=y +CONFIG_KEXEC_JUMP=y +CONFIG_PHYSICAL_ALIGN=0x1000000 +CONFIG_CMDLINE_BOOL=y +CONFIG_CMDLINE="init=/usr/lib/systemd/systemd rootflags=rw mount.usrflags=ro" +CONFIG_HIBERNATION=y +# CONFIG_ACPI_AC is not set +# CONFIG_ACPI_BATTERY is not set +CONFIG_ACPI_BUTTON=m +CONFIG_ACPI_FAN=m +CONFIG_ACPI_IPMI=m +CONFIG_ACPI_PROCESSOR_AGGREGATOR=y +CONFIG_ACPI_PCI_SLOT=y +CONFIG_ACPI_HOTPLUG_MEMORY=y +CONFIG_ACPI_APEI=y +CONFIG_ACPI_APEI_GHES=y +CONFIG_ACPI_APEI_PCIEAER=y +CONFIG_ACPI_APEI_MEMORY_FAILURE=y +CONFIG_ACPI_APEI_ERST_DEBUG=m +CONFIG_PMIC_OPREGION=y +CONFIG_CPU_FREQ=y +CONFIG_CPU_FREQ_STAT=m +CONFIG_CPU_FREQ_STAT_DETAILS=y +CONFIG_CPU_FREQ_GOV_POWERSAVE=m +CONFIG_CPU_FREQ_GOV_USERSPACE=m +CONFIG_CPU_FREQ_GOV_ONDEMAND=m +CONFIG_CPU_FREQ_GOV_CONSERVATIVE=m +CONFIG_X86_INTEL_PSTATE=y +CONFIG_X86_PCC_CPUFREQ=m +CONFIG_X86_ACPI_CPUFREQ=m +# CONFIG_X86_ACPI_CPUFREQ_CPB is not set +CONFIG_X86_AMD_FREQ_SENSITIVITY=m +CONFIG_INTEL_IDLE=y +CONFIG_I7300_IDLE=m +CONFIG_PCI_MMCONFIG=y +CONFIG_PCIEPORTBUS=y +CONFIG_HOTPLUG_PCI_PCIE=y +CONFIG_PCIE_ECRC=y +CONFIG_XEN_PCIDEV_FRONTEND=m +CONFIG_HOTPLUG_PCI=y +CONFIG_HOTPLUG_PCI_ACPI=y +CONFIG_HOTPLUG_PCI_ACPI_IBM=m +CONFIG_IA32_EMULATION=y +CONFIG_NET=y +CONFIG_PACKET=y +CONFIG_PACKET_DIAG=m +CONFIG_UNIX=y +CONFIG_UNIX_DIAG=m +CONFIG_XFRM_USER=m +CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_NET_KEY=m +CONFIG_INET=y +CONFIG_IP_MULTICAST=y +CONFIG_IP_ADVANCED_ROUTER=y +CONFIG_IP_FIB_TRIE_STATS=y +CONFIG_IP_MULTIPLE_TABLES=y +CONFIG_IP_ROUTE_MULTIPATH=y 
+CONFIG_IP_ROUTE_VERBOSE=y +CONFIG_IP_PNP=y +CONFIG_IP_PNP_DHCP=y +CONFIG_IP_PNP_BOOTP=y +CONFIG_NET_IPIP=m +CONFIG_NET_IPGRE_DEMUX=m +CONFIG_NET_IPGRE=m +CONFIG_NET_IPGRE_BROADCAST=y +CONFIG_IP_MROUTE=y +CONFIG_IP_MROUTE_MULTIPLE_TABLES=y +CONFIG_IP_PIMSM_V1=y +CONFIG_IP_PIMSM_V2=y +CONFIG_NET_IPVTI=m +CONFIG_NET_FOU_IP_TUNNELS=y +CONFIG_GENEVE=m +CONFIG_INET_AH=m +CONFIG_INET_ESP=m +CONFIG_INET_IPCOMP=m +CONFIG_INET_XFRM_MODE_TRANSPORT=m +CONFIG_INET_XFRM_MODE_TUNNEL=m +CONFIG_INET_XFRM_MODE_BEET=m +CONFIG_INET_LRO=m +CONFIG_INET_DIAG=m +CONFIG_INET_UDP_DIAG=m +CONFIG_TCP_CONG_ADVANCED=y +# CONFIG_TCP_CONG_BIC is not set +# CONFIG_TCP_CONG_WESTWOOD is not set +# CONFIG_TCP_CONG_HTCP is not set +CONFIG_TCP_MD5SIG=y +CONFIG_IPV6=y +CONFIG_IPV6_ROUTER_PREF=y +CONFIG_IPV6_ROUTE_INFO=y +CONFIG_IPV6_OPTIMISTIC_DAD=y +CONFIG_INET6_AH=m +CONFIG_INET6_ESP=m +CONFIG_INET6_IPCOMP=m +CONFIG_IPV6_MIP6=m +CONFIG_INET6_XFRM_MODE_TRANSPORT=m +CONFIG_INET6_XFRM_MODE_TUNNEL=m +CONFIG_INET6_XFRM_MODE_BEET=m +CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m +CONFIG_IPV6_VTI=m +CONFIG_IPV6_SIT=m +CONFIG_IPV6_SIT_6RD=y +CONFIG_IPV6_GRE=m +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +CONFIG_IPV6_MROUTE=y +CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y +CONFIG_IPV6_PIMSM_V2=y +CONFIG_NETWORK_PHY_TIMESTAMPING=y +CONFIG_NETFILTER=y +CONFIG_NF_CONNTRACK=m +CONFIG_NF_CONNTRACK_SECMARK=y +CONFIG_NF_CONNTRACK_ZONES=y +CONFIG_NF_CONNTRACK_EVENTS=y +CONFIG_NF_CONNTRACK_TIMEOUT=y +CONFIG_NF_CONNTRACK_TIMESTAMP=y +CONFIG_NF_CT_PROTO_UDPLITE=m +CONFIG_NF_CONNTRACK_AMANDA=m +CONFIG_NF_CONNTRACK_FTP=m +CONFIG_NF_CONNTRACK_H323=m +CONFIG_NF_CONNTRACK_IRC=m +CONFIG_NF_CONNTRACK_NETBIOS_NS=m +CONFIG_NF_CONNTRACK_SNMP=m +CONFIG_NF_CONNTRACK_PPTP=m +CONFIG_NF_CONNTRACK_SANE=m +CONFIG_NF_CONNTRACK_SIP=m +CONFIG_NF_CONNTRACK_TFTP=m +CONFIG_NF_CT_NETLINK=m +CONFIG_NF_CT_NETLINK_TIMEOUT=m +CONFIG_NF_CT_NETLINK_HELPER=m +CONFIG_NETFILTER_NETLINK_QUEUE_CT=y +CONFIG_NETFILTER_XTABLES=y +CONFIG_NETFILTER_XT_SET=m 
+CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m +CONFIG_NETFILTER_XT_TARGET_CONNMARK=m +CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m +CONFIG_NETFILTER_XT_TARGET_CT=m +CONFIG_NETFILTER_XT_TARGET_DSCP=m +CONFIG_NETFILTER_XT_TARGET_HMARK=m +CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m +CONFIG_NETFILTER_XT_TARGET_LOG=m +CONFIG_NETFILTER_XT_TARGET_MARK=m +CONFIG_NETFILTER_XT_TARGET_NFLOG=m +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m +CONFIG_NETFILTER_XT_TARGET_TEE=m +CONFIG_NETFILTER_XT_TARGET_TPROXY=m +CONFIG_NETFILTER_XT_TARGET_TRACE=m +CONFIG_NETFILTER_XT_TARGET_SECMARK=m +CONFIG_NETFILTER_XT_TARGET_TCPMSS=m +CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m +CONFIG_NETFILTER_XT_MATCH_BPF=m +CONFIG_NETFILTER_XT_MATCH_CGROUP=m +CONFIG_NETFILTER_XT_MATCH_CLUSTER=m +CONFIG_NETFILTER_XT_MATCH_COMMENT=m +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m +CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m +CONFIG_NETFILTER_XT_MATCH_CONNMARK=m +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m +CONFIG_NETFILTER_XT_MATCH_CPU=m +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m +CONFIG_NETFILTER_XT_MATCH_DSCP=m +CONFIG_NETFILTER_XT_MATCH_ESP=m +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m +CONFIG_NETFILTER_XT_MATCH_HELPER=m +CONFIG_NETFILTER_XT_MATCH_IPCOMP=m +CONFIG_NETFILTER_XT_MATCH_IPRANGE=m +CONFIG_NETFILTER_XT_MATCH_IPVS=m +CONFIG_NETFILTER_XT_MATCH_L2TP=m +CONFIG_NETFILTER_XT_MATCH_LENGTH=m +CONFIG_NETFILTER_XT_MATCH_LIMIT=m +CONFIG_NETFILTER_XT_MATCH_MAC=m +CONFIG_NETFILTER_XT_MATCH_MARK=m +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m +CONFIG_NETFILTER_XT_MATCH_NFACCT=m +CONFIG_NETFILTER_XT_MATCH_OSF=m +CONFIG_NETFILTER_XT_MATCH_OWNER=m +CONFIG_NETFILTER_XT_MATCH_POLICY=m +CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m +CONFIG_NETFILTER_XT_MATCH_QUOTA=m +CONFIG_NETFILTER_XT_MATCH_RATEEST=m +CONFIG_NETFILTER_XT_MATCH_REALM=m +CONFIG_NETFILTER_XT_MATCH_RECENT=m +CONFIG_NETFILTER_XT_MATCH_SOCKET=m 
+CONFIG_NETFILTER_XT_MATCH_STATE=m +CONFIG_NETFILTER_XT_MATCH_STATISTIC=m +CONFIG_NETFILTER_XT_MATCH_STRING=m +CONFIG_NETFILTER_XT_MATCH_TCPMSS=m +CONFIG_NETFILTER_XT_MATCH_TIME=m +CONFIG_NETFILTER_XT_MATCH_U32=m +CONFIG_IP_SET=m +CONFIG_IP_SET_BITMAP_IP=m +CONFIG_IP_SET_BITMAP_IPMAC=m +CONFIG_IP_SET_BITMAP_PORT=m +CONFIG_IP_SET_HASH_IP=m +CONFIG_IP_SET_HASH_IPMARK=m +CONFIG_IP_SET_HASH_IPPORT=m +CONFIG_IP_SET_HASH_IPPORTIP=m +CONFIG_IP_SET_HASH_IPPORTNET=m +CONFIG_IP_SET_HASH_MAC=m +CONFIG_IP_SET_HASH_NETPORTNET=m +CONFIG_IP_SET_HASH_NET=m +CONFIG_IP_SET_HASH_NETNET=m +CONFIG_IP_SET_HASH_NETPORT=m +CONFIG_IP_SET_HASH_NETIFACE=m +CONFIG_IP_SET_LIST_SET=m +CONFIG_IP_VS=m +CONFIG_IP_VS_IPV6=y +CONFIG_IP_VS_PROTO_TCP=y +CONFIG_IP_VS_PROTO_UDP=y +CONFIG_IP_VS_PROTO_ESP=y +CONFIG_IP_VS_PROTO_AH=y +CONFIG_IP_VS_PROTO_SCTP=y +CONFIG_IP_VS_RR=m +CONFIG_IP_VS_WRR=m +CONFIG_IP_VS_LC=m +CONFIG_IP_VS_WLC=m +CONFIG_IP_VS_FO=m +CONFIG_IP_VS_LBLC=m +CONFIG_IP_VS_LBLCR=m +CONFIG_IP_VS_DH=m +CONFIG_IP_VS_SH=m +CONFIG_IP_VS_SED=m +CONFIG_IP_VS_NQ=m +CONFIG_IP_VS_FTP=m +CONFIG_IP_VS_PE_SIP=m +CONFIG_NF_CONNTRACK_IPV4=m +# CONFIG_NF_CONNTRACK_PROC_COMPAT is not set +CONFIG_IP_NF_IPTABLES=m +CONFIG_IP_NF_MATCH_AH=m +CONFIG_IP_NF_MATCH_ECN=m +CONFIG_IP_NF_MATCH_RPFILTER=m +CONFIG_IP_NF_MATCH_TTL=m +CONFIG_IP_NF_FILTER=m +CONFIG_IP_NF_TARGET_REJECT=m +CONFIG_IP_NF_TARGET_SYNPROXY=m +CONFIG_IP_NF_NAT=m +CONFIG_IP_NF_TARGET_MASQUERADE=m +CONFIG_IP_NF_TARGET_NETMAP=m +CONFIG_IP_NF_TARGET_REDIRECT=m +CONFIG_IP_NF_MANGLE=m +CONFIG_IP_NF_TARGET_CLUSTERIP=m +CONFIG_IP_NF_TARGET_ECN=m +CONFIG_IP_NF_TARGET_TTL=m +CONFIG_IP_NF_RAW=m +CONFIG_IP_NF_ARPTABLES=m +CONFIG_IP_NF_ARPFILTER=m +CONFIG_IP_NF_ARP_MANGLE=m +CONFIG_NF_CONNTRACK_IPV6=m +CONFIG_IP6_NF_MATCH_AH=m +CONFIG_IP6_NF_MATCH_EUI64=m +CONFIG_IP6_NF_MATCH_FRAG=m +CONFIG_IP6_NF_MATCH_OPTS=m +CONFIG_IP6_NF_MATCH_HL=m +CONFIG_IP6_NF_MATCH_IPV6HEADER=m +CONFIG_IP6_NF_MATCH_MH=m +CONFIG_IP6_NF_MATCH_RPFILTER=m +CONFIG_IP6_NF_MATCH_RT=m 
+CONFIG_IP6_NF_TARGET_HL=m +CONFIG_IP6_NF_FILTER=m +CONFIG_IP6_NF_TARGET_REJECT=m +CONFIG_IP6_NF_TARGET_SYNPROXY=m +CONFIG_IP6_NF_MANGLE=m +CONFIG_IP6_NF_RAW=m +CONFIG_IP6_NF_NAT=m +CONFIG_IP6_NF_TARGET_MASQUERADE=m +CONFIG_IP6_NF_TARGET_NPT=m +CONFIG_BRIDGE_NF_EBTABLES=m +CONFIG_BRIDGE_EBT_BROUTE=m +CONFIG_BRIDGE_EBT_T_FILTER=m +CONFIG_BRIDGE_EBT_T_NAT=m +CONFIG_BRIDGE_EBT_802_3=m +CONFIG_BRIDGE_EBT_AMONG=m +CONFIG_BRIDGE_EBT_ARP=m +CONFIG_BRIDGE_EBT_IP=m +CONFIG_BRIDGE_EBT_IP6=m +CONFIG_BRIDGE_EBT_LIMIT=m +CONFIG_BRIDGE_EBT_MARK=m +CONFIG_BRIDGE_EBT_PKTTYPE=m +CONFIG_BRIDGE_EBT_STP=m +CONFIG_BRIDGE_EBT_VLAN=m +CONFIG_BRIDGE_EBT_ARPREPLY=m +CONFIG_BRIDGE_EBT_DNAT=m +CONFIG_BRIDGE_EBT_MARK_T=m +CONFIG_BRIDGE_EBT_REDIRECT=m +CONFIG_BRIDGE_EBT_SNAT=m +CONFIG_BRIDGE_EBT_LOG=m +CONFIG_BRIDGE_EBT_NFLOG=m +CONFIG_IP_DCCP=m +CONFIG_IP_SCTP=m +CONFIG_SCTP_COOKIE_HMAC_SHA1=y +CONFIG_RDS=m +CONFIG_RDS_RDMA=m +CONFIG_RDS_TCP=m +CONFIG_BRIDGE=m +CONFIG_BRIDGE_VLAN_FILTERING=y +CONFIG_VLAN_8021Q=m +CONFIG_VLAN_8021Q_GVRP=y +CONFIG_VLAN_8021Q_MVRP=y +CONFIG_NET_SCHED=y +CONFIG_NET_SCH_CBQ=m +CONFIG_NET_SCH_HTB=m +CONFIG_NET_SCH_HFSC=m +CONFIG_NET_SCH_PRIO=m +CONFIG_NET_SCH_MULTIQ=m +CONFIG_NET_SCH_RED=m +CONFIG_NET_SCH_SFB=m +CONFIG_NET_SCH_SFQ=m +CONFIG_NET_SCH_TEQL=m +CONFIG_NET_SCH_TBF=m +CONFIG_NET_SCH_GRED=m +CONFIG_NET_SCH_DSMARK=m +CONFIG_NET_SCH_NETEM=m +CONFIG_NET_SCH_DRR=m +CONFIG_NET_SCH_MQPRIO=m +CONFIG_NET_SCH_CHOKE=m +CONFIG_NET_SCH_QFQ=m +CONFIG_NET_SCH_CODEL=m +CONFIG_NET_SCH_FQ_CODEL=m +CONFIG_NET_SCH_FQ=m +CONFIG_NET_SCH_HHF=m +CONFIG_NET_SCH_PIE=m +CONFIG_NET_SCH_INGRESS=m +CONFIG_NET_SCH_PLUG=m +CONFIG_NET_CLS_BASIC=m +CONFIG_NET_CLS_TCINDEX=m +CONFIG_NET_CLS_ROUTE4=m +CONFIG_NET_CLS_FW=m +CONFIG_NET_CLS_U32=m +CONFIG_CLS_U32_PERF=y +CONFIG_CLS_U32_MARK=y +CONFIG_NET_CLS_RSVP=m +CONFIG_NET_CLS_RSVP6=m +CONFIG_NET_CLS_FLOW=m +CONFIG_NET_CLS_CGROUP=m +CONFIG_NET_CLS_BPF=m +CONFIG_NET_EMATCH=y +CONFIG_NET_EMATCH_CMP=m +CONFIG_NET_EMATCH_NBYTE=m 
+CONFIG_NET_EMATCH_U32=m +CONFIG_NET_EMATCH_META=m +CONFIG_NET_EMATCH_TEXT=m +CONFIG_NET_EMATCH_IPSET=m +CONFIG_NET_CLS_ACT=y +CONFIG_NET_ACT_POLICE=m +CONFIG_NET_ACT_GACT=m +CONFIG_GACT_PROB=y +CONFIG_NET_ACT_MIRRED=m +CONFIG_NET_ACT_IPT=m +CONFIG_NET_ACT_NAT=m +CONFIG_NET_ACT_PEDIT=m +CONFIG_NET_ACT_SKBEDIT=m +CONFIG_NET_ACT_CSUM=m +CONFIG_NET_ACT_VLAN=m +CONFIG_NET_CLS_IND=y +CONFIG_DCB=y +CONFIG_OPENVSWITCH=m +CONFIG_VSOCKETS=m +CONFIG_VMWARE_VMCI_VSOCKETS=m +CONFIG_NETLINK_MMAP=y +CONFIG_NETLINK_DIAG=m +CONFIG_MPLS_ROUTING=m +CONFIG_CGROUP_NET_PRIO=y +CONFIG_BPF_JIT=y +CONFIG_NET_DROP_MONITOR=m +# CONFIG_WIRELESS is not set +CONFIG_NET_9P=m +CONFIG_NET_9P_VIRTIO=m +CONFIG_NET_9P_RDMA=m +# CONFIG_UEVENT_HELPER is not set +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +CONFIG_FW_LOADER=m +# CONFIG_FIRMWARE_IN_KERNEL is not set +CONFIG_CONNECTOR=m +CONFIG_MTD=m +# CONFIG_PNP_DEBUG_MESSAGES is not set +CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m +CONFIG_ZRAM=m +CONFIG_ZRAM_LZ4_COMPRESS=y +CONFIG_BLK_CPQ_CISS_DA=m +CONFIG_BLK_DEV_LOOP=m +CONFIG_BLK_DEV_NVME=m +CONFIG_BLK_DEV_RAM=m +CONFIG_XEN_BLKDEV_FRONTEND=m +CONFIG_XEN_BLKDEV_BACKEND=m +CONFIG_VIRTIO_BLK=m +CONFIG_BLK_DEV_RBD=m +CONFIG_HP_ILO=m +CONFIG_VMWARE_BALLOON=m +CONFIG_INTEL_MEI_ME=m +CONFIG_INTEL_MEI_TXE=m +CONFIG_VMWARE_VMCI=m +CONFIG_BLK_DEV_SD=m +CONFIG_BLK_DEV_SR=m +CONFIG_CHR_DEV_SG=m +CONFIG_SCSI_CONSTANTS=y +CONFIG_SCSI_LOGGING=y +CONFIG_SCSI_SCAN_ASYNC=y +CONFIG_SCSI_FC_ATTRS=m +CONFIG_SCSI_SAS_ATA=y +CONFIG_ISCSI_TCP=m +CONFIG_ISCSI_BOOT_SYSFS=m +CONFIG_SCSI_HPSA=m +CONFIG_SCSI_3W_9XXX=m +CONFIG_SCSI_3W_SAS=m +CONFIG_SCSI_AACRAID=m +CONFIG_SCSI_AIC94XX=m +# CONFIG_AIC94XX_DEBUG is not set +CONFIG_SCSI_MVSAS=m +# CONFIG_SCSI_MVSAS_DEBUG is not set +CONFIG_SCSI_MVSAS_TASKLET=y +CONFIG_SCSI_ARCMSR=m +CONFIG_MEGARAID_SAS=m +CONFIG_SCSI_MPT2SAS=m +CONFIG_SCSI_MPT3SAS=m +CONFIG_SCSI_BUSLOGIC=m +CONFIG_VMWARE_PVSCSI=m +CONFIG_XEN_SCSI_FRONTEND=m +CONFIG_SCSI_ISCI=m +CONFIG_SCSI_SYM53C8XX_2=m +CONFIG_SCSI_QLA_FC=m 
+CONFIG_SCSI_LPFC=m +CONFIG_SCSI_VIRTIO=m +CONFIG_SCSI_DH=m +CONFIG_ATA=m +CONFIG_SATA_AHCI=m +CONFIG_SATA_SIL24=m +CONFIG_PDC_ADMA=m +CONFIG_SATA_QSTOR=m +CONFIG_SATA_SX4=m +CONFIG_ATA_PIIX=m +CONFIG_SATA_MV=m +CONFIG_SATA_NV=m +CONFIG_SATA_PROMISE=m +CONFIG_SATA_SIS=m +CONFIG_SATA_VIA=m +CONFIG_SATA_VITESSE=m +CONFIG_PATA_VIA=m +CONFIG_MD=y +CONFIG_MD_LINEAR=m +CONFIG_MD_RAID0=m +CONFIG_BCACHE=m +CONFIG_BLK_DEV_DM=m +CONFIG_DM_CRYPT=m +CONFIG_DM_SNAPSHOT=m +CONFIG_DM_THIN_PROVISIONING=m +CONFIG_DM_MIRROR=m +CONFIG_DM_RAID=m +CONFIG_DM_ZERO=m +CONFIG_DM_MULTIPATH=m +CONFIG_DM_MULTIPATH_QL=m +CONFIG_DM_MULTIPATH_ST=m +CONFIG_DM_UEVENT=y +CONFIG_DM_VERITY=m +CONFIG_FUSION=y +CONFIG_FUSION_SPI=m +CONFIG_FUSION_SAS=m +CONFIG_FUSION_MAX_SGE=40 +CONFIG_FUSION_CTL=m +CONFIG_FUSION_LOGGING=y +CONFIG_NETDEVICES=y +CONFIG_BONDING=m +CONFIG_DUMMY=m +CONFIG_MACVLAN=m +CONFIG_MACVTAP=m +CONFIG_IPVLAN=m +CONFIG_VXLAN=m +CONFIG_NETCONSOLE=m +CONFIG_NETCONSOLE_DYNAMIC=y +CONFIG_TUN=m +CONFIG_VETH=m +CONFIG_VIRTIO_NET=m +CONFIG_VHOST_NET=m +# CONFIG_NET_VENDOR_3COM is not set +# CONFIG_NET_VENDOR_ADAPTEC is not set +# CONFIG_NET_VENDOR_AGERE is not set +CONFIG_ACENIC=m +CONFIG_AMD8111_ETH=m +CONFIG_PCNET32=m +# CONFIG_NET_VENDOR_ARC is not set +CONFIG_ATL2=m +CONFIG_ATL1=m +CONFIG_ATL1E=m +CONFIG_ATL1C=m +CONFIG_ALX=m +# CONFIG_NET_CADENCE is not set +CONFIG_B44=m +CONFIG_CNIC=m +CONFIG_TIGON3=m +CONFIG_BNX2X=m +CONFIG_BNA=m +CONFIG_CHELSIO_T1=m +CONFIG_CHELSIO_T1_1G=y +CONFIG_CHELSIO_T3=m +CONFIG_CHELSIO_T4=m +CONFIG_CHELSIO_T4VF=m +CONFIG_NET_TULIP=y +CONFIG_TULIP=m +CONFIG_TULIP_MMIO=y +CONFIG_TULIP_NAPI=y +CONFIG_DL2K=m +CONFIG_SUNDANCE=m +CONFIG_S2IO=m +CONFIG_VXGE=m +CONFIG_HP100=m +CONFIG_E100=m +CONFIG_E1000=m +CONFIG_E1000E=m +CONFIG_IGB=m +CONFIG_IGBVF=m +CONFIG_IXGB=m +CONFIG_IXGBE=m +CONFIG_IXGBEVF=m +CONFIG_I40E=m +CONFIG_I40E_VXLAN=y +CONFIG_I40EVF=m +CONFIG_IP1000=m +CONFIG_JME=m +CONFIG_SKGE=m +CONFIG_SKY2=m +CONFIG_MLX4_EN=m +# CONFIG_MLX4_DEBUG is not set +# 
CONFIG_NET_VENDOR_MICREL is not set +CONFIG_MYRI10GE=m +# CONFIG_NET_VENDOR_NATSEMI is not set +CONFIG_FORCEDETH=m +# CONFIG_NET_VENDOR_OKI is not set +# CONFIG_NET_PACKET_ENGINE is not set +CONFIG_NETXEN_NIC=m +# CONFIG_NET_VENDOR_QUALCOMM is not set +CONFIG_8139CP=m +CONFIG_8139TOO=m +CONFIG_8139TOO_TUNE_TWISTER=y +CONFIG_8139TOO_8129=y +CONFIG_R8169=m +# CONFIG_NET_VENDOR_RDC is not set +# CONFIG_NET_VENDOR_ROCKER is not set +# CONFIG_NET_VENDOR_SAMSUNG is not set +# CONFIG_NET_VENDOR_SEEQ is not set +# CONFIG_NET_VENDOR_SILAN is not set +# CONFIG_NET_VENDOR_SIS is not set +CONFIG_SFC=m +# CONFIG_NET_VENDOR_SMSC is not set +# CONFIG_NET_VENDOR_STMICRO is not set +# CONFIG_NET_VENDOR_SUN is not set +# CONFIG_NET_VENDOR_TEHUTI is not set +# CONFIG_NET_VENDOR_TI is not set +# CONFIG_NET_VENDOR_VIA is not set +# CONFIG_NET_VENDOR_WIZNET is not set +CONFIG_AT803X_PHY=m +CONFIG_AMD_PHY=m +CONFIG_MARVELL_PHY=m +CONFIG_BROADCOM_PHY=m +CONFIG_BCM87XX_PHY=m +CONFIG_REALTEK_PHY=m +# CONFIG_USB_NET_DRIVERS is not set +# CONFIG_WLAN is not set +CONFIG_XEN_NETDEV_FRONTEND=m +CONFIG_XEN_NETDEV_BACKEND=m +CONFIG_VMXNET3=m +CONFIG_HYPERV_NET=m +CONFIG_INPUT_MOUSEDEV=m +# CONFIG_INPUT_MOUSEDEV_PSAUX is not set +CONFIG_INPUT_EVDEV=m +CONFIG_MOUSE_PS2=m +# CONFIG_MOUSE_PS2_ALPS is not set +# CONFIG_MOUSE_PS2_LOGIPS2PP is not set +# CONFIG_MOUSE_PS2_SYNAPTICS is not set +# CONFIG_MOUSE_PS2_CYPRESS is not set +# CONFIG_MOUSE_PS2_LIFEBOOK is not set +# CONFIG_MOUSE_PS2_TRACKPOINT is not set +# CONFIG_MOUSE_PS2_FOCALTECH is not set +CONFIG_INPUT_MISC=y +# CONFIG_SERIO_SERPORT is not set +CONFIG_DEVPTS_MULTIPLE_INSTANCES=y +# CONFIG_LEGACY_PTYS is not set +# CONFIG_DEVKMEM is not set +CONFIG_SERIAL_8250=y +CONFIG_SERIAL_8250_CONSOLE=y +CONFIG_SERIAL_8250_NR_UARTS=32 +CONFIG_SERIAL_8250_EXTENDED=y +CONFIG_SERIAL_8250_MANY_PORTS=y +CONFIG_SERIAL_8250_SHARE_IRQ=y +CONFIG_SERIAL_8250_RSA=y +CONFIG_TTY_PRINTK=y +CONFIG_VIRTIO_CONSOLE=m +CONFIG_IPMI_HANDLER=m +CONFIG_IPMI_PANIC_EVENT=y 
+CONFIG_IPMI_PANIC_STRING=y +CONFIG_IPMI_DEVICE_INTERFACE=m +CONFIG_IPMI_SI=m +CONFIG_IPMI_SSIF=m +CONFIG_IPMI_WATCHDOG=m +CONFIG_IPMI_POWEROFF=m +CONFIG_HW_RANDOM_TIMERIOMEM=m +CONFIG_HW_RANDOM_VIRTIO=m +CONFIG_NVRAM=m +CONFIG_RAW_DRIVER=m +CONFIG_MAX_RAW_DEVS=8192 +CONFIG_HPET=y +CONFIG_HANGCHECK_TIMER=m +CONFIG_TCG_TPM=m +CONFIG_TCG_TIS=m +CONFIG_TCG_TIS_I2C_ATMEL=m +CONFIG_TCG_TIS_I2C_INFINEON=m +CONFIG_TCG_TIS_I2C_NUVOTON=m +CONFIG_TCG_NSC=m +CONFIG_TCG_ATMEL=m +CONFIG_TCG_INFINEON=m +CONFIG_TCG_XEN=m +# CONFIG_I2C_COMPAT is not set +CONFIG_I2C_AMD756=m +CONFIG_I2C_AMD8111=m +CONFIG_I2C_I801=m +CONFIG_I2C_PIIX4=m +CONFIG_HWMON=m +CONFIG_SENSORS_K8TEMP=m +CONFIG_SENSORS_K10TEMP=m +CONFIG_SENSORS_FAM15H_POWER=m +CONFIG_SENSORS_I5500=m +CONFIG_SENSORS_CORETEMP=m +CONFIG_INT340X_THERMAL=m +CONFIG_WATCHDOG=y +CONFIG_SOFT_WATCHDOG=m +CONFIG_ITCO_WDT=m +CONFIG_ITCO_VENDOR_SUPPORT=y +CONFIG_XEN_WDT=m +CONFIG_FB=y +CONFIG_FB_VESA=y +CONFIG_FB_EFI=y +CONFIG_XEN_FBDEV_FRONTEND=m +CONFIG_FB_HYPERV=m +CONFIG_BACKLIGHT_LCD_SUPPORT=y +# CONFIG_LCD_CLASS_DEVICE is not set +# CONFIG_BACKLIGHT_CLASS_DEVICE is not set +CONFIG_VGACON_SOFT_SCROLLBACK=y +CONFIG_FRAMEBUFFER_CONSOLE=y +CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y +CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y +CONFIG_HID=m +CONFIG_HID_A4TECH=m +CONFIG_HID_APPLE=m +CONFIG_HID_BELKIN=m +CONFIG_HID_CHERRY=m +CONFIG_HID_EZKEY=m +CONFIG_HID_LOGITECH=m +CONFIG_HID_MICROSOFT=m +CONFIG_HID_MONTEREY=m +CONFIG_HID_HYPERV_MOUSE=m +CONFIG_USB=m +CONFIG_USB_XHCI_HCD=m +CONFIG_USB_EHCI_HCD=m +CONFIG_USB_OHCI_HCD=m +CONFIG_USB_OHCI_HCD_SSB=y +CONFIG_USB_UHCI_HCD=m +CONFIG_USB_STORAGE=m +CONFIG_USB_UAS=m +CONFIG_USB_SERIAL=m +CONFIG_USB_SERIAL_GENERIC=y +CONFIG_USB_SERIAL_CP210X=m +CONFIG_USB_SERIAL_FTDI_SIO=m +CONFIG_MMC=m +CONFIG_MMC_BLOCK_MINORS=16 +CONFIG_MMC_SDHCI=m +CONFIG_MMC_SDHCI_PCI=m +# CONFIG_MMC_RICOH_MMC is not set +CONFIG_MMC_SDHCI_ACPI=m +CONFIG_INFINIBAND=m +CONFIG_INFINIBAND_USER_MAD=m +CONFIG_INFINIBAND_MTHCA=m 
+CONFIG_INFINIBAND_IPATH=m +CONFIG_INFINIBAND_QIB=m +CONFIG_INFINIBAND_AMSO1100=m +CONFIG_INFINIBAND_CXGB3=m +CONFIG_INFINIBAND_CXGB4=m +CONFIG_MLX4_INFINIBAND=m +CONFIG_MLX5_INFINIBAND=m +CONFIG_INFINIBAND_NES=m +CONFIG_INFINIBAND_OCRDMA=m +CONFIG_INFINIBAND_USNIC=m +CONFIG_INFINIBAND_IPOIB=m +CONFIG_INFINIBAND_IPOIB_CM=y +CONFIG_INFINIBAND_IPOIB_DEBUG_DATA=y +CONFIG_INFINIBAND_SRP=m +CONFIG_INFINIBAND_ISER=m +CONFIG_EDAC=y +# CONFIG_EDAC_LEGACY_SYSFS is not set +CONFIG_EDAC_DECODE_MCE=m +CONFIG_EDAC_MCE_INJ=m +CONFIG_EDAC_MM_EDAC=m +CONFIG_EDAC_AMD64=m +CONFIG_EDAC_E752X=m +CONFIG_EDAC_I82975X=m +CONFIG_EDAC_I3000=m +CONFIG_EDAC_I3200=m +CONFIG_EDAC_X38=m +CONFIG_EDAC_I5400=m +CONFIG_EDAC_I7CORE=m +CONFIG_EDAC_I5000=m +CONFIG_EDAC_I5100=m +CONFIG_EDAC_I7300=m +CONFIG_EDAC_SBRIDGE=m +CONFIG_RTC_CLASS=y +CONFIG_DMADEVICES=y +CONFIG_INTEL_IOATDMA=y +CONFIG_VFIO=m +CONFIG_VFIO_PCI=m +CONFIG_VFIO_PCI_VGA=y +CONFIG_VIRT_DRIVERS=y +CONFIG_VIRTIO_PCI=m +CONFIG_VIRTIO_BALLOON=m +CONFIG_VIRTIO_INPUT=m +CONFIG_VIRTIO_MMIO=m +CONFIG_HYPERV=m +CONFIG_HYPERV_UTILS=m +CONFIG_HYPERV_BALLOON=m +CONFIG_XEN_SELFBALLOONING=y +CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y +CONFIG_XEN_DEV_EVTCHN=m +CONFIG_XENFS=m +CONFIG_XEN_MCE_LOG=y +CONFIG_PVPANIC=m +CONFIG_AMD_IOMMU=y +CONFIG_AMD_IOMMU_V2=m +CONFIG_INTEL_IOMMU=y +CONFIG_IRQ_REMAP=y +CONFIG_DELL_RBU=m +CONFIG_DCDBAS=m +CONFIG_DMI_SYSFS=m +CONFIG_ISCSI_IBFT_FIND=y +CONFIG_EFI_VARS=m +CONFIG_EXT4_FS=m +CONFIG_EXT4_FS_POSIX_ACL=y +CONFIG_EXT4_FS_SECURITY=y +CONFIG_XFS_FS=m +CONFIG_XFS_POSIX_ACL=y +CONFIG_BTRFS_FS=m +CONFIG_BTRFS_FS_POSIX_ACL=y +CONFIG_FANOTIFY=y +CONFIG_QUOTA=y +CONFIG_QUOTA_NETLINK_INTERFACE=y +# CONFIG_PRINT_QUOTA_WARNING is not set +CONFIG_QFMT_V2=m +CONFIG_AUTOFS4_FS=m +CONFIG_FUSE_FS=m +CONFIG_OVERLAY_FS=m +CONFIG_ISO9660_FS=m +CONFIG_JOLIET=y +CONFIG_ZISOFS=y +CONFIG_UDF_FS=m +CONFIG_MSDOS_FS=m +CONFIG_VFAT_FS=m +CONFIG_FAT_DEFAULT_IOCHARSET="ascii" +CONFIG_PROC_KCORE=y +CONFIG_TMPFS=y +CONFIG_TMPFS_POSIX_ACL=y 
+CONFIG_HUGETLBFS=y +CONFIG_CONFIGFS_FS=m +CONFIG_SQUASHFS=m +CONFIG_SQUASHFS_LZO=y +CONFIG_SQUASHFS_XZ=y +CONFIG_NFS_FS=m +CONFIG_NFS_V3_ACL=y +CONFIG_NFS_V4=m +CONFIG_NFS_V4_1=y +CONFIG_NFS_V4_2=y +CONFIG_NFSD=m +CONFIG_NFSD_V3_ACL=y +CONFIG_NFSD_V4=y +CONFIG_SUNRPC_DEBUG=y +CONFIG_CEPH_FS=m +CONFIG_CIFS=m +CONFIG_CIFS_STATS=y +CONFIG_CIFS_STATS2=y +CONFIG_CIFS_WEAK_PW_HASH=y +CONFIG_CIFS_UPCALL=y +CONFIG_CIFS_XATTR=y +CONFIG_CIFS_POSIX=y +CONFIG_CIFS_ACL=y +CONFIG_CIFS_DFS_UPCALL=y +CONFIG_CIFS_SMB2=y +CONFIG_9P_FS=m +CONFIG_9P_FS_POSIX_ACL=y +CONFIG_NLS_DEFAULT="utf8" +CONFIG_NLS_CODEPAGE_437=m +CONFIG_NLS_ASCII=m +CONFIG_NLS_UTF8=m +CONFIG_PRINTK_TIME=y +CONFIG_BOOT_PRINTK_DELAY=y +CONFIG_DYNAMIC_DEBUG=y +CONFIG_DEBUG_INFO=y +# CONFIG_ENABLE_WARN_DEPRECATED is not set +CONFIG_STRIP_ASM_SYMS=y +CONFIG_MAGIC_SYSRQ=y +CONFIG_DEBUG_STACKOVERFLOW=y +CONFIG_DEBUG_SHIRQ=y +CONFIG_LOCKUP_DETECTOR=y +CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y +CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y +CONFIG_PANIC_ON_OOPS=y +CONFIG_PANIC_TIMEOUT=60 +CONFIG_SCHED_STACK_END_CHECK=y +CONFIG_TIMER_STATS=y +CONFIG_RCU_CPU_STALL_TIMEOUT=60 +# CONFIG_RCU_CPU_STALL_INFO is not set +CONFIG_LATENCYTOP=y +CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y +CONFIG_SCHED_TRACER=y +CONFIG_FTRACE_SYSCALLS=y +CONFIG_STACK_TRACER=y +CONFIG_BLK_DEV_IO_TRACE=y +CONFIG_UPROBE_EVENT=y +CONFIG_FUNCTION_PROFILER=y +CONFIG_MEMTEST=y +CONFIG_STRICT_DEVMEM=y +CONFIG_DEBUG_SET_MODULE_RONX=y +CONFIG_DEBUG_BOOT_PARAMS=y +CONFIG_OPTIMIZE_INLINING=y +CONFIG_TRUSTED_KEYS=m +CONFIG_ENCRYPTED_KEYS=m +CONFIG_SECURITY=y +CONFIG_SECURITY_NETWORK=y +CONFIG_SECURITY_NETWORK_XFRM=y +CONFIG_SECURITY_SELINUX=y +CONFIG_SECURITY_SELINUX_BOOTPARAM=y +CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0 +CONFIG_SECURITY_SELINUX_DISABLE=y +# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set +CONFIG_CRYPTO_CRC32C_INTEL=m +CONFIG_CRYPTO_SHA1_SSSE3=m +CONFIG_CRYPTO_SHA256_SSSE3=m +CONFIG_CRYPTO_AES_NI_INTEL=m +# CONFIG_CRYPTO_ANSI_CPRNG is not set 
+CONFIG_CRYPTO_USER_API_HASH=m +CONFIG_CRYPTO_USER_API_SKCIPHER=m +CONFIG_PKCS7_MESSAGE_PARSER=y +CONFIG_SIGNED_PE_FILE_VERIFICATION=y +CONFIG_KVM=m +CONFIG_KVM_INTEL=m +CONFIG_KVM_AMD=m +# CONFIG_XZ_DEC_POWERPC is not set +# CONFIG_XZ_DEC_IA64 is not set +# CONFIG_XZ_DEC_ARM is not set +# CONFIG_XZ_DEC_ARMTHUMB is not set +# CONFIG_XZ_DEC_SPARC is not set diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.1.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.1.3.ebuild new file mode 100644 index 0000000000..17c23d2991 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.1.3.ebuild 
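Review bot: The lockdown posture this config enables is conditional in a way the defconfig cannot record: `CONFIG_MODULE_SIG=y` is set without `CONFIG_MODULE_SIG_FORCE`, so signature enforcement comes (per patches 10 and 12 listed in the sibling coreos-sources ebuild) only from `CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y` when the firmware reports Secure Boot, and on a BIOS or non-Secure-Boot boot every `secure_modules()` gate in that series (PCI config writes, ioperm/iopl, /dev/port, /dev/mem) is inert. `CONFIG_PROC_KCORE=y` stays readable by root in either state, and none of the listed patch titles covers it. Two further settings deserve a deliberate decision rather than inheritance: `CONFIG_CIFS_WEAK_PW_HASH=y` enables legacy LANMAN-style hashing in the CIFS client, and `CONFIG_SECURITY_SELINUX_DISABLE=y` together with `CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0` ships SELinux built in but off by default and disableable at runtime. Since a savedefconfig carries no comments, I'd record these in the coreos-kernel ebuild or the commit message, e.g. `# lockdown patches in coreos-sources files/4.1 are only active under UEFI Secure Boot`.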
@@ -0,0 +1,29 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+UNIPATCH_LIST="${PATCH_DIR}/01-Add-secure_modules-call.patch \
+${PATCH_DIR}/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+${PATCH_DIR}/03-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+${PATCH_DIR}/04-ACPI-Limit-access-to-custom_method.patch \
+${PATCH_DIR}/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+${PATCH_DIR}/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+${PATCH_DIR}/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+${PATCH_DIR}/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+${PATCH_DIR}/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+${PATCH_DIR}/10-Add-option-to-automatically-enforce-module-signature.patch \
+${PATCH_DIR}/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+${PATCH_DIR}/13-efi-Add-EFI_SECURE_BOOT-bit.patch \
+${PATCH_DIR}/14-hibernate-Disable-in-a-signed-modules-environment.patch"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/01-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/01-Add-secure_modules-call.patch
new file mode 100644
index 0000000000..b92062776e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/01-Add-secure_modules-call.patch
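Review bot: `UNIPATCH_LIST` skips number 11 (01–10, then 12, 13, 14) while the patch files it carries are labelled `[PATCH nn/14]`, so a reader cannot tell whether one patch of the series was dropped on purpose or forgotten. A one-line comment above the list, e.g. `# 11/14 of the upstream series is intentionally omitted: <reason>`, or renumbering the files, would make that explicit. The same list is applied for both `amd64` and `arm64` keywords although 03 and 09 are x86-flavoured by title (03 visibly also edits drivers/char/mem.c); they should apply cleanly on arm64 sources, but that build is not exercised by this commit and is worth confirming.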
@@ -0,0 +1,64 @@
+From 936a56597be7d12ca65e1d4df38f3e1d39308318 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Fri, 9 Aug 2013 17:58:15 -0400
+Subject: [PATCH 01/14] Add secure_modules() call
+
+Provide a single call to allow kernel code to determine whether the system
+has been configured to either disable module loading entirely or to load
+only modules signed with a trusted key.
+
+Bugzilla: N/A
+Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd
+
+Signed-off-by: Matthew Garrett
+---
+ include/linux/module.h | 7 +++++++
+ kernel/module.c | 10 ++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/include/linux/module.h b/include/linux/module.h
+index c883b86..cdc46a7 100644
+--- a/include/linux/module.h
++++ b/include/linux/module.h
+@@ -508,6 +508,8 @@ int unregister_module_notifier(struct notifier_block *nb);
+
+ extern void print_modules(void);
+
++extern bool secure_modules(void);
++
+ #else /* !CONFIG_MODULES... */
+
+ /* Given an address, look for it in the exception tables. */
+@@ -618,6 +620,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb)
+ static inline void print_modules(void)
+ {
+ }
++
++static inline bool secure_modules(void)
++{
++ return false;
++}
+ #endif /* CONFIG_MODULES */
+
+ #ifdef CONFIG_SYSFS
+diff --git a/kernel/module.c b/kernel/module.c
+index cfc9e84..1773828 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3915,3 +3915,13 @@ void module_layout(struct module *mod,
+ }
+ EXPORT_SYMBOL(module_layout);
+ #endif
++
++bool secure_modules(void)
++{
++#ifdef CONFIG_MODULE_SIG
++ return (sig_enforce || modules_disabled);
++#else
++ return modules_disabled;
++#endif
++}
++EXPORT_SYMBOL(secure_modules);
+--
+2.3.6
+
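Review bot: `secure_modules()` in kernel/module.c is exported without a comment, and its meaning is easy to misread from the name: it is true when module loading is disabled (`modules_disabled`) or, under `CONFIG_MODULE_SIG`, when signatures are enforced (`sig_enforce`), and every later patch in the series uses it as the single switch for locking down PCI, I/O port, MSR and /dev/mem access. I'd add a kerneldoc block above the definition stating that, and that both inputs only move from false to true at runtime (the `kernel.modules_disabled` sysctl and `module.sig_enforce`), so callers must expect the answer to change between calls. The `!CONFIG_MODULES` stub in include/linux/module.h returns `false`, which makes a kernel that cannot load modules at all count as unlocked and leaves every gate in the series open on such a build; whether that is intended or `true` was meant deserves a comment at the stub either way.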
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
new file mode 100644
index 0000000000..84843993f5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
@@ -0,0 +1,118 @@
+From b0000803ff4c4c769aefc37f2d8196756eeb0bb1 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Thu, 8 Mar 2012 10:10:38 -0500
+Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is
+ enabled
+
+Any hardware that can potentially generate DMA has to be locked down from
+userspace in order to avoid it being possible for an attacker to modify
+kernel code, allowing them to circumvent disabled module loading or module
+signing. Default to paranoid - in future we can potentially relax this for
+sufficiently IOMMU-isolated devices.
+
+Signed-off-by: Matthew Garrett
+---
+ drivers/pci/pci-sysfs.c | 10 ++++++++++
+ drivers/pci/proc.c | 8 +++++++-
+ drivers/pci/syscall.c | 3 ++-
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
+index 312f23a..93e6ac1 100644
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -30,6 +30,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "pci.h"
+
+ static int sysfs_initialized; /* = 0 */
+@@ -710,6 +711,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
+ loff_t init_off = off;
+ u8 *data = (u8 *) buf;
+
++ if (secure_modules())
++ return -EPERM;
++
+ if (off > dev->cfg_size)
+ return 0;
+ if (off + count > dev->cfg_size) {
+@@ -1004,6 +1008,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+ resource_size_t start, end;
+ int i;
+
++ if (secure_modules())
++ return -EPERM;
++
+ for (i = 0; i < PCI_ROM_RESOURCE; i++)
+ if (res == &pdev->resource[i])
+ break;
+@@ -1105,6 +1112,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
+ struct bin_attribute *attr, char *buf,
+ loff_t off, size_t count)
+ {
++ if (secure_modules())
++ return -EPERM;
++
+ return pci_resource_io(filp, kobj, attr, buf, off, count, true);
+ }
+
+diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
+index 3f155e7..4265ea0 100644
+--- a/drivers/pci/proc.c
++++ b/drivers/pci/proc.c
+@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
+ int size = dev->cfg_size;
+ int cnt;
+
++ if (secure_modules())
++ return -EPERM;
++
+ if (pos >= size)
+ return 0;
+ if (nbytes >= size)
+@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
+ #endif /* HAVE_PCI_MMAP */
+ int ret = 0;
+
++ if (secure_modules())
++ return -EPERM;
++
+ switch (cmd) {
+ case PCIIOC_CONTROLLER:
+ ret = pci_domain_nr(dev->bus);
+@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
+ struct pci_filp_private *fpriv = file->private_data;
+ int i, ret;
+
+- if (!capable(CAP_SYS_RAWIO))
++ if (!capable(CAP_SYS_RAWIO) || secure_modules())
+ return -EPERM;
+
+ /* Make sure the caller is mapping a real resource for this device */
+diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
+index b91c4da..98f5637 100644
+--- a/drivers/pci/syscall.c
++++ b/drivers/pci/syscall.c
+@@ -10,6 +10,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include "pci.h"
+
+@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
+ u32 dword;
+ int err = 0;
+
+- if (!capable(CAP_SYS_ADMIN))
++ if (!capable(CAP_SYS_ADMIN) || secure_modules())
+ return -EPERM;
+
+ dev = pci_get_bus_and_slot(bus, dfn);
+--
+2.3.6
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/03-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/03-x86-Lock-down-IO-port-access-when-module-security-is.patch
new file mode 100644
index 0000000000..066107a3fc
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/03-x86-Lock-down-IO-port-access-when-module-security-is.patch
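Review bot: The `secure_modules()` check in `proc_bus_pci_ioctl` sits before the `switch (cmd)`, so it also refuses `PCIIOC_CONTROLLER`, which only reports `pci_domain_nr(dev->bus)` and gives userspace no path to device memory; the `PCIIOC_MMAP_IS_IO`/`PCIIOC_MMAP_IS_MEM`/`PCIIOC_WRITE_COMBINE` commands are the ones that set up a later `proc_bus_pci_mmap`, and that path is already gated in the same hunk. Moving the check under those mmap-related cases, `case PCIIOC_MMAP_IS_IO: if (secure_modules()) return -EPERM;` style, would keep the read-only query working on locked-down systems. The sysfs side is consistent (config writes, resource mmap and I/O resource writes gated, reads untouched) and `pciconfig_write` in syscall.c matches; every touched function body continues outside this hunk.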
@@ -0,0 +1,72 @@ +From a86490e90244d673cf1705dbfeb705cca4d5322e Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Thu, 8 Mar 2012 10:35:59 -0500 +Subject: [PATCH 03/14] x86: Lock down IO port access when module security is + enabled + +IO port access would permit users to gain access to PCI configuration +registers, which in turn (on a lot of hardware) give access to MMIO register +space. This would potentially permit root to trigger arbitrary DMA, so lock +it down by default. + +Signed-off-by: Matthew Garrett +--- + arch/x86/kernel/ioport.c | 5 +++-- + drivers/char/mem.c | 4 ++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c +index 37dae79..1ecc03c 100644 +--- a/arch/x86/kernel/ioport.c ++++ b/arch/x86/kernel/ioport.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + + /* +@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) + + if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) + return -EINVAL; +- if (turn_on && !capable(CAP_SYS_RAWIO)) ++ if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules())) + return -EPERM; + + /* +@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) + return -EINVAL; + /* Trying to gain more privileges? 
*/ + if (level > old) { +- if (!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || secure_modules()) + return -EPERM; + } + regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); +diff --git a/drivers/char/mem.c b/drivers/char/mem.c +index 6b1721f..53fe675 100644 +--- a/drivers/char/mem.c ++++ b/drivers/char/mem.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + #include + +@@ -577,6 +578,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, + unsigned long i = *ppos; + const char __user *tmp = buf; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (!access_ok(VERIFY_READ, buf, count)) + return -EFAULT; + while (count-- > 0 && i < 65536) { +-- +2.3.6 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/04-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/04-ACPI-Limit-access-to-custom_method.patch new file mode 100644 index 0000000000..bad99ccea9 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/04-ACPI-Limit-access-to-custom_method.patch 
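Review bot: The new checks in sys_ioperm and iopl only refuse to grant access, so they are not retroactive: `secure_modules()` can also become true later via the kernel.modules_disabled sysctl, and a process that already holds IOPL 3 or an ioperm bitmap keeps it (and hands it to children across fork/exec). That is inherent to gating at the grant point, but it belongs in the commit message so operators do not assume flipping the sysctl revokes raw port access. Leaving read_port untouched is consistent with the stated threat model (writes are what trigger DMA), and worth saying explicitly in a one-line comment above the write_port check, e.g. `/* reads stay allowed; only port writes can reconfigure DMA-capable hardware */`.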
@@ -0,0 +1,31 @@ +From ab99ed435205e3d47265a572c22226c62db1923a Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Mar 2012 08:39:37 -0500 +Subject: [PATCH 04/14] ACPI: Limit access to custom_method + +custom_method effectively allows arbitrary access to system memory, making +it possible for an attacker to circumvent restrictions on module loading. +Disable it if any such restrictions have been enabled. + +Signed-off-by: Matthew Garrett +--- + drivers/acpi/custom_method.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c +index c68e724..4277938 100644 +--- a/drivers/acpi/custom_method.c ++++ b/drivers/acpi/custom_method.c +@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, + struct acpi_table_header table; + acpi_status status; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (!(*ppos)) { + /* parse the table header to get the table length */ + if (count <= sizeof(struct acpi_table_header)) +-- +2.3.6 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch new file mode 100644 index 0000000000..3b65ac8a9a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch 
@@ -0,0 +1,54 @@ +From d410f5739b850b6ad738ad042e88cd76c26a95f3 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Mar 2012 08:46:50 -0500 +Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module + loading is restricted + +We have no way of validating what all of the Asus WMI methods do on a +given machine, and there's a risk that some will allow hardware state to +be manipulated in such a way that arbitrary code can be executed in the +kernel, circumventing module loading restrictions. Prevent that if any of +these features are enabled. + +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/asus-wmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 7543a56..93b5a69 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -1589,6 +1589,9 @@ static int show_dsts(struct seq_file *m, void *data) + int err; + u32 retval = -1; + ++ if (secure_modules()) ++ return -EPERM; ++ + err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); + + if (err < 0) +@@ -1605,6 +1608,9 @@ static int show_devs(struct seq_file *m, void *data) + int err; + u32 retval = -1; + ++ if (secure_modules()) ++ return -EPERM; ++ + err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, + &retval); + +@@ -1629,6 +1635,9 @@ static int show_call(struct seq_file *m, void *data) + union acpi_object *obj; + acpi_status status; + ++ if (secure_modules()) ++ return -EPERM; ++ + status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, + 1, asus->debug.method_id, + &input, &output); +-- +2.3.6 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch new file mode 100644 index 0000000000..8f552cdf68 
--- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -0,0 +1,42 @@ +From f463770943d3f1f6881fab3c9268fe1013cdf34a Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Mar 2012 09:28:15 -0500 +Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is + restricted + +Allowing users to write to address space makes it possible for the kernel +to be subverted, avoiding module loading restrictions. Prevent this when +any restrictions have been imposed on loading modules. + +Signed-off-by: Matthew Garrett +--- + drivers/char/mem.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/char/mem.c b/drivers/char/mem.c +index 53fe675..b52c888 100644 +--- a/drivers/char/mem.c ++++ b/drivers/char/mem.c +@@ -167,6 +167,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, + if (p != *ppos) + return -EFBIG; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (!valid_phys_addr_range(p, count)) + return -EFAULT; + +@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, + char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ + int err = 0; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (p < (unsigned long) high_memory) { + unsigned long to_write = min_t(unsigned long, count, + (unsigned long)high_memory - p); +-- +2.3.6 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch new file mode 100644 index 0000000000..07c091a47e --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch 
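Review bot: The hunk gates write_mem and write_kmem but leaves the mmap paths of the same character devices alone: a PROT_WRITE MAP_SHARED mapping of /dev/mem reaches physical addresses — including device MMIO, which CONFIG_STRICT_DEVMEM does not exclude — exactly as a write() does, so this part of the lockdown is bypassable with mmap() unless mmap_mem/mmap_kmem are gated elsewhere in the series (nothing visible here does). The cleanest closure is at open time, e.g. in open_port/open_mem `if (secure_modules()) return -EPERM;`; a check on `vma->vm_flags & VM_WRITE` inside mmap_mem alone is not enough, because a read-only MAP_SHARED mapping from an O_RDWR descriptor keeps VM_MAYWRITE and can be mprotect()ed up afterwards, so gate on the open or on VM_MAYWRITE. Both write_mem and write_kmem continue past the hunk.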
@@ -0,0 +1,39 @@ +From a9f8a4bbb86570f8f418e400eb9cfe284b8f62ea Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Mon, 25 Jun 2012 19:57:30 -0400 +Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module + loading is restricted + +This option allows userspace to pass the RSDP address to the kernel, which +makes it possible for a user to circumvent any restrictions imposed on +loading modules. Disable it in that case. + +Signed-off-by: Josh Boyer +--- + drivers/acpi/osl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index 7ccba39..9cbdbcc 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -252,7 +253,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); + acpi_physical_address __init acpi_os_get_root_pointer(void) + { + #ifdef CONFIG_KEXEC +- if (acpi_rsdp) ++ if (acpi_rsdp && !secure_modules()) + return acpi_rsdp; + #endif + +-- +2.3.6 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch new file mode 100644 index 0000000000..b5bb913bab --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch 
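Review bot: The override is dropped silently — when `acpi_rsdp` is set but `secure_modules()` is true, acpi_os_get_root_pointer falls through to firmware discovery with no message, so a kexec'd or test kernel that relied on the parameter fails ACPI setup with nothing in the log explaining why. A one-liner in the new branch such as `pr_warn_once("acpi_rsdp= ignored: module signing is enforced\n")` makes the behaviour diagnosable. The check is also only effective because enforce_signed_modules() runs in setup_arch before the first acpi_os_get_root_pointer() call (the setup.c hunk later in this series places it ahead of ACPI table parsing); a short comment stating that ordering assumption would keep a future reorder from quietly re-enabling the override. acpi_os_get_root_pointer continues past the hunk.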
@@ -0,0 +1,44 @@ +From a79e89146431a294b7afe9ad4f170c9e263f36c2 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Aug 2013 03:33:56 -0400 +Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module + loading restrictions + +kexec permits the loading and execution of arbitrary code in ring 0, which +is something that module signing enforcement is meant to prevent. It makes +sense to disable kexec in this situation. + +Signed-off-by: Matthew Garrett +--- + kernel/kexec.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kernel/kexec.c b/kernel/kexec.c +index 7a36fdc..22d30d7 100644 +--- a/kernel/kexec.c ++++ b/kernel/kexec.c +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1247,6 +1248,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, + return -EPERM; + + /* ++ * kexec can be used to circumvent module loading restrictions, so ++ * prevent loading in that case ++ */ ++ if (secure_modules()) ++ return -EPERM; ++ ++ /* + * Verify we have a legal set of flags + * This leaves us room for future extensions. + */ +-- +2.3.6 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch new file mode 100644 index 0000000000..0ac09e14cc --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch 
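Review bot: Only the legacy kexec_load syscall is gated; kexec_file_load (behind CONFIG_KEXEC_FILE in this 4.1 tree) is untouched, and unless CONFIG_KEXEC_VERIFY_SIG is enabled it loads an unverified image into ring 0 through the very path this hunk closes. Either add the same `if (secure_modules()) return -EPERM;` to kexec_file_load when signature verification is not compiled in, or document that the build must enable KEXEC_VERIFY_SIG (I cannot see the defconfig's choice from here). Operationally this also prevents loading a crash kernel (kdump) via kexec_load, which deserves a sentence in the commit message. kexec_load's body continues beyond the hunk.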
@@ -0,0 +1,44 @@ +From 204575347e0f12cafb44b09e95f1512417c2bff2 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 8 Feb 2013 11:12:13 -0800 +Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is + restricted + +Writing to MSRs should not be allowed if module loading is restricted, +since it could lead to execution of arbitrary code in kernel mode. Based +on a patch by Kees Cook. + +Cc: Kees Cook +Signed-off-by: Matthew Garrett +--- + arch/x86/kernel/msr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c +index 113e707..26c2f83 100644 +--- a/arch/x86/kernel/msr.c ++++ b/arch/x86/kernel/msr.c +@@ -105,6 +105,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, + int err = 0; + ssize_t bytes = 0; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (count % 8) + return -EINVAL; /* Invalid chunk size */ + +@@ -152,6 +155,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) + err = -EBADF; + break; + } ++ if (secure_modules()) { ++ err = -EPERM; ++ break; ++ } + if (copy_from_user(®s, uregs, sizeof regs)) { + err = -EFAULT; + break; +-- +2.3.6 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/10-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/10-Add-option-to-automatically-enforce-module-signature.patch new file mode 100644 index 0000000000..4e6c53751e --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/10-Add-option-to-automatically-enforce-module-signature.patch 
@@ -0,0 +1,186 @@ +From 51778d46aa09dd60ae2e4025ed87f17674beaa53 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Aug 2013 18:36:30 -0400 +Subject: [PATCH 10/14] Add option to automatically enforce module signatures + when in Secure Boot mode + +UEFI Secure Boot provides a mechanism for ensuring that the firmware will +only load signed bootloaders and kernels. Certain use cases may also +require that all kernel modules also be signed. Add a configuration option +that enforces this automatically when enabled. + +Signed-off-by: Matthew Garrett +--- + Documentation/x86/zero-page.txt | 2 ++ + arch/x86/Kconfig | 10 ++++++++++ + arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++ + arch/x86/include/uapi/asm/bootparam.h | 3 ++- + arch/x86/kernel/setup.c | 6 ++++++ + include/linux/module.h | 6 ++++++ + kernel/module.c | 7 +++++++ + 7 files changed, 69 insertions(+), 1 deletion(-) + +diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt +index 82fbdbc..a811210 100644 +--- a/Documentation/x86/zero-page.txt ++++ b/Documentation/x86/zero-page.txt +@@ -30,6 +30,8 @@ Offset Proto Name Meaning + 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) + 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer + (below) ++1EB/001 ALL kbd_status Numlock is enabled ++1EC/001 ALL secure_boot Secure boot is enabled in the firmware + 1EF/001 ALL sentinel Used to detect broken bootloaders + 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures + 2D0/A00 ALL e820_map E820 memory map table +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 226d569..6a8f880 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -1697,6 +1697,16 @@ config EFI_MIXED + + If unsure, say N. 
+ ++config EFI_SECURE_BOOT_SIG_ENFORCE ++ def_bool n ++ prompt "Force module signing when UEFI Secure Boot is enabled" ++ ---help--- ++ UEFI Secure Boot provides a mechanism for ensuring that the ++ firmware will only load signed bootloaders and kernels. Certain ++ use cases may also require that all kernel modules also be signed. ++ Say Y here to automatically enable module signature enforcement ++ when a system boots with UEFI Secure Boot enabled. ++ + config SECCOMP + def_bool y + prompt "Enable seccomp to safely compute untrusted bytecode" +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index 48304b8..2ff1901 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + + #include "../string.h" + #include "eboot.h" +@@ -827,6 +828,37 @@ out: + return status; + } + ++static int get_secure_boot(void) ++{ ++ u8 sb, setup; ++ unsigned long datasize = sizeof(sb); ++ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; ++ efi_status_t status; ++ ++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, ++ L"SecureBoot", &var_guid, NULL, &datasize, &sb); ++ ++ if (status != EFI_SUCCESS) ++ return 0; ++ ++ if (sb == 0) ++ return 0; ++ ++ ++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, ++ L"SetupMode", &var_guid, NULL, &datasize, ++ &setup); ++ ++ if (status != EFI_SUCCESS) ++ return 0; ++ ++ if (setup == 1) ++ return 0; ++ ++ return 1; ++} ++ ++ + /* + * See if we have Graphics Output Protocol + */ +@@ -1408,6 +1440,10 @@ struct boot_params *efi_main(struct efi_config *c, + else + setup_boot_services32(efi_early); + ++ sanitize_boot_params(boot_params); ++ ++ boot_params->secure_boot = get_secure_boot(); ++ + setup_graphics(boot_params); + + setup_efi_pci(boot_params); +diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h +index ab456dc..74ba408 100644 +--- 
a/arch/x86/include/uapi/asm/bootparam.h ++++ b/arch/x86/include/uapi/asm/bootparam.h +@@ -134,7 +134,8 @@ struct boot_params { + __u8 eddbuf_entries; /* 0x1e9 */ + __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ + __u8 kbd_status; /* 0x1eb */ +- __u8 _pad5[3]; /* 0x1ec */ ++ __u8 secure_boot; /* 0x1ec */ ++ __u8 _pad5[2]; /* 0x1ed */ + /* + * The sentinel is set to a nonzero value (0xff) in header.S. + * +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index d74ac33..88dad73 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1156,6 +1156,12 @@ void __init setup_arch(char **cmdline_p) + + io_delay_init(); + ++#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE ++ if (boot_params.secure_boot) { ++ enforce_signed_modules(); ++ } ++#endif ++ + /* + * Parse the ACPI tables for possible boot-time SMP configuration. + */ +diff --git a/include/linux/module.h b/include/linux/module.h +index cdc46a7..0c1edd3 100644 +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); + + struct notifier_block; + ++#ifdef CONFIG_MODULE_SIG ++extern void enforce_signed_modules(void); ++#else ++static inline void enforce_signed_modules(void) {}; ++#endif ++ + #ifdef CONFIG_MODULES + + extern int modules_disabled; /* for sysctl */ +diff --git a/kernel/module.c b/kernel/module.c +index 1773828..e7065d6 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3916,6 +3916,13 @@ void module_layout(struct module *mod, + EXPORT_SYMBOL(module_layout); + #endif + ++#ifdef CONFIG_MODULE_SIG ++void enforce_signed_modules(void) ++{ ++ sig_enforce = true; ++} ++#endif ++ + bool secure_modules(void) + { + #ifdef CONFIG_MODULE_SIG +-- +2.3.6 + 
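Review bot: get_secure_boot() fails open — any `get_variable` failure, including EFI_BUFFER_TOO_SMALL or a runtime-services call that simply errors, yields `return 0` and therefore no enforcement, with nothing in boot_params recording that detection was inconclusive; treating the `!= EFI_SUCCESS` arms as "unknown" rather than "disabled" (and logging it once the kernel is up) would avoid silently losing enforcement, and `datasize = sizeof(setup);` should be reset before the SetupMode read instead of reusing the value the first call wrote back. A related concern: `sys_table->runtime` is dereferenced through the 64-bit efi_system_table_t layout right after efi_main branched on setup_boot_services32/64, so under CONFIG_EFI_MIXED (64-bit kernel on 32-bit firmware) this likely reads the wrong table offset and lands in the fail-open path — please verify on a mixed-mode machine. Finally, setup_arch trusts `boot_params.secure_boot` unconditionally while only the EFI stub sets it, so a loader entering through the legacy entry with its own boot_params gets no enforcement; that trust assumption belongs in the commit message. efi_main and the zero-page table continue outside the hunk.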
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch new file mode 100644 index 0000000000..abf80cd85f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch 
@@ -0,0 +1,58 @@ +From 0a0fa32050ac4335b919bae16038acdea35ba55f Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Tue, 5 Feb 2013 19:25:05 -0500 +Subject: [PATCH 11/14] efi: Disable secure boot if shim is in insecure mode + +A user can manually tell the shim boot loader to disable validation of +images it loads. When a user does this, it creates a UEFI variable called +MokSBState that does not have the runtime attribute set. Given that the +user explicitly disabled validation, we can honor that and not enable +secure boot mode if that variable is set. + +Signed-off-by: Josh Boyer +--- + arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index 2ff1901..35268ab 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -830,8 +830,9 @@ out: + + static int get_secure_boot(void) + { +- u8 sb, setup; ++ u8 sb, setup, moksbstate; + unsigned long datasize = sizeof(sb); ++ u32 attr; + efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; + efi_status_t status; + +@@ -855,6 +856,23 @@ static int get_secure_boot(void) + if (setup == 1) + return 0; + ++ /* See if a user has put shim into insecure_mode. If so, and the variable ++ * doesn't have the runtime attribute set, we might as well honor that. ++ */ ++ var_guid = EFI_SHIM_LOCK_GUID; ++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, ++ L"MokSBState", &var_guid, &attr, &datasize, ++ &moksbstate); ++ ++ /* If it fails, we don't care why. Default to secure */ ++ if (status != EFI_SUCCESS) ++ return 1; ++ ++ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { ++ if (moksbstate == 1) ++ return 0; ++ } ++ + return 1; + } + +-- +2.3.6 + 
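Review bot: `datasize` is not reset before the MokSBState read; it still holds whatever the SetupMode call wrote back (1 byte on success), so the read is correct only by coincidence of the earlier calls. Add `datasize = sizeof(moksbstate);` ahead of the call so the buffer size is explicit; with the inherited value a larger variable would hit EFI_BUFFER_TOO_SMALL and fall into the "default to secure" branch, which is safe but hides the intent. The attribute test is the right design — per the UEFI SetVariable rules a variable created from the OS at runtime must carry EFI_VARIABLE_RUNTIME_ACCESS, so only shim's boot-services-time variable can flip this — and the code comment should say so rather than "we might as well honor that". get_secure_boot's opening lines are outside the hunk.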
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch new file mode 100644 index 0000000000..b194d66727 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -0,0 +1,30 @@ +From 05994fcab209f56472d8a8ec75a48f1d92e37440 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Tue, 27 Aug 2013 13:28:43 -0400 +Subject: [PATCH 12/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI + +The functionality of the config option is dependent upon the platform being +UEFI based. Reflect this in the config deps. + +Signed-off-by: Josh Boyer +--- + arch/x86/Kconfig | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 6a8f880..d3c21e9 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -1698,7 +1698,8 @@ config EFI_MIXED + If unsure, say N. + + config EFI_SECURE_BOOT_SIG_ENFORCE +- def_bool n ++ def_bool n ++ depends on EFI + prompt "Force module signing when UEFI Secure Boot is enabled" + ---help--- + UEFI Secure Boot provides a mechanism for ensuring that the +-- +2.3.6 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/13-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/13-efi-Add-EFI_SECURE_BOOT-bit.patch new file mode 100644 index 0000000000..8f0e2fbf21 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/13-efi-Add-EFI_SECURE_BOOT-bit.patch 
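Review bot: `depends on EFI` is weaker than the option's real requirements: the SecureBoot/SetupMode probe lives in arch/x86/boot/compressed/eboot.c, which is only built with CONFIG_EFI_STUB, and enforce_signed_modules() is an empty inline without CONFIG_MODULE_SIG (per the module.h hunk earlier in this series), so EFI=y with EFI_STUB=n or MODULE_SIG=n lets a user select the option and silently get nothing. `depends on EFI_STUB && MODULE_SIG` expresses that, or `select MODULE_SIG` if the intent is to force it on. The diff also re-emits the unchanged `def_bool n` line as a -/+ pair, which suggests a whitespace-only change; harmless, but worth squashing so the hunk shows only the dependency.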
@@ -0,0 +1,43 @@ +From e029a605d5db033c5349142ef8a051658f586238 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Tue, 27 Aug 2013 13:33:03 -0400 +Subject: [PATCH 13/14] efi: Add EFI_SECURE_BOOT bit + +UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit +for use with efi_enabled. + +Signed-off-by: Josh Boyer +--- + arch/x86/kernel/setup.c | 2 ++ + include/linux/efi.h | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 88dad73..d99c8c3 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1158,7 +1158,9 @@ void __init setup_arch(char **cmdline_p) + + #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE + if (boot_params.secure_boot) { ++ set_bit(EFI_SECURE_BOOT, &efi.flags); + enforce_signed_modules(); ++ pr_info("Secure boot enabled\n"); + } + #endif + +diff --git a/include/linux/efi.h b/include/linux/efi.h +index af5be03..aa4ee20 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -943,6 +943,7 @@ extern int __init efi_setup_pcdp_console(char *); + #define EFI_PARAVIRT 6 /* Access is via a paravirt interface */ + #define EFI_ARCH_1 7 /* First arch-specific bit */ + #define EFI_DBG 8 /* Print additional debug info at runtime */ ++#define EFI_SECURE_BOOT 9 /* Are we in Secure Boot mode? */ + + #ifdef CONFIG_EFI + /* +-- +2.3.6 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/14-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/14-hibernate-Disable-in-a-signed-modules-environment.patch new file mode 100644 index 0000000000..c9a4c9fe82 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/14-hibernate-Disable-in-a-signed-modules-environment.patch 
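Review bot: The EFI_SECURE_BOOT bit is documented as "Are we in Secure Boot mode?" but is only set inside `#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE`, so a kernel built without that option never reports Secure Boot via efi_enabled(EFI_SECURE_BOOT) even though the stub still filled in boot_params.secure_boot. Set the bit and print the message from `if (boot_params.secure_boot)` unconditionally and keep only enforce_signed_modules() under the ifdef, so the flag means what its comment says. In the enforcing branch `pr_info("Secure boot enabled, enforcing module signatures\n")` is also more useful than the current wording, since the enforcement is what an operator needs to know about.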
@@ -0,0 +1,39 @@ +From 4c471f14d2964118b1cbc7ec4440872215701c5f Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Fri, 20 Jun 2014 08:53:24 -0400 +Subject: [PATCH 14/14] hibernate: Disable in a signed modules environment + +There is currently no way to verify the resume image when returning +from hibernate. This might compromise the signed modules trust model, +so until we can work with signed hibernate images we disable it in +a secure modules environment. + +Signed-off-by: Josh Boyer +--- + kernel/power/hibernate.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index 2329daa..48a8e82 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + + #include "power.h" +@@ -66,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops; + + bool hibernation_available(void) + { +- return (nohibernate == 0); ++ return ((nohibernate == 0) && !secure_modules()); + } + + /** +-- +2.3.6 +
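Review bot: `secure_modules()` also covers the kernel.modules_disabled sysctl, so hibernation — and, presumably, resume via the other hibernation_available() callers outside this hunk — stops working the moment that sysctl is set at runtime, and the only symptom is -EPERM from hibernate(). That interaction is absent from the commit message and will surprise operators who set modules_disabled for hardening; a sentence there, or a `pr_info_once("hibernation disabled: module loading is restricted\n")` on the failing path, would make it diagnosable. The refusal itself is in the right place, since an unverifiable resume image is the actual risk.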