diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.10.12.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.0.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.10.12.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.0.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.10.12.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.0.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.10.12.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.0.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.10 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.11
similarity index 97%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.10
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.11
index 256c42c1f2..1713677d24 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.10
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.11
@@ -21,7 +21,8 @@ CONFIG_MEMORY_FAILURE=y
 CONFIG_X86_CHECK_BIOS_CORRUPTION=y
 # CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
 CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=1
-CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
+CONFIG_LOCK_DOWN_KERNEL=y
+CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
 CONFIG_KEXEC=y
 CONFIG_KEXEC_FILE=y
 CONFIG_KEXEC_VERIFY_SIG=y
@@ -149,7 +150,7 @@ CONFIG_SCHED_TRACER=y
 CONFIG_FTRACE_SYSCALLS=y
 CONFIG_STACK_TRACER=y
 CONFIG_BLK_DEV_IO_TRACE=y
-CONFIG_UPROBE_EVENT=y
+CONFIG_UPROBE_EVENTS=y
 CONFIG_FUNCTION_PROFILER=y
 CONFIG_DEBUG_BOOT_PARAMS=y
 CONFIG_OPTIMIZE_INLINING=y
@@ -164,3 +165,4 @@ CONFIG_OPTPROBES=y
 CONFIG_KPROBES_ON_FTRACE=y
 CONFIG_FCOE_FNIC=m
 CONFIG_ISCSI_IBFT_FIND=y
+CONFIG_VMXNET3=m
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.10 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.11
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.10
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.11
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.10 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.11
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.10
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.11
index cda47f4d32..a2a0bec2b0 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.10
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.11
@@ -74,7 +74,6 @@ CONFIG_EFIVAR_FS=y
 CONFIG_BINFMT_MISC=m
 CONFIG_CPU_FREQ=y
 CONFIG_CPU_FREQ_STAT=y
-CONFIG_CPU_FREQ_STAT_DETAILS=y
 CONFIG_CPU_FREQ_GOV_POWERSAVE=m
 CONFIG_CPU_FREQ_GOV_USERSPACE=m
 CONFIG_CPU_FREQ_GOV_ONDEMAND=m
@@ -612,7 +611,6 @@ CONFIG_USB_NET_AX8817X=m
 # CONFIG_WLAN is not set
 CONFIG_XEN_NETDEV_FRONTEND=m
 CONFIG_XEN_NETDEV_BACKEND=m
-CONFIG_VMXNET3=m
 CONFIG_INPUT_MOUSEDEV=m
 # CONFIG_INPUT_MOUSEDEV_PSAUX is not set
 CONFIG_MOUSE_PS2=m
@@ -811,15 +809,13 @@ CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=60
 CONFIG_SCHED_STACK_END_CHECK=y
-CONFIG_TIMER_STATS=y
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_RCU_CPU_STALL_TIMEOUT=60
 CONFIG_LATENCYTOP=y
-CONFIG_KPROBE_EVENT=y
+CONFIG_KPROBE_EVENTS=y
 CONFIG_BPF_EVENTS=y
 CONFIG_MEMTEST=y
 CONFIG_STRICT_DEVMEM=y
-CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_TRUSTED_KEYS=m
 CONFIG_ENCRYPTED_KEYS=m
 CONFIG_SECURITY=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index 5801556685..520300bf00 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,2 +1 @@
-DIST linux-4.10.tar.xz 94231404 SHA256 3c95d9f049bd085e5c346d2c77f063b8425f191460fcd3ae9fe7e94e0477dc4b SHA512 c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90 WHIRLPOOL 86d021bae2dbfc4ef80c22d9e886bed4fbd9476473a2851d7beaf8ed0c7f7fbc1fa0da230eb9e763eb231b7c164c17b2a73fd336ab233543f57be280d6173738
-DIST patch-4.10.12.xz 264376 SHA256 ed919b49178bbda14b341058a92362322cbb09e9028229e860e6927553c8d037 SHA512 39dacec6f9ed28a3bf3339d98c9f0cc86b977252c8d2cabf5d39572cc1dff078bf8f52afdd7e6bc3213d00f7b42474d9c6a4ba641497d091b122e748a48ff0f9 WHIRLPOOL e1f9b96761e60da761d78bb8a2ddd91d9659b2c254766ba61c4ea5c72b9088aa8953e4e0fe567fae3e225693218f7995e81c4b6f92b2ce879668849b0df80496
+DIST linux-4.11.tar.xz 95447768 SHA256 b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6 SHA512 6610eed97ffb7207c71771198c36179b8244ace7222bebb109507720e26c5f17d918079a56d5febdd8605844d67fb2df0ebe910fa2f2f53690daf6e2a8ad09c3 WHIRLPOOL f577b7c5c209cb8dfef2f1d56d77314fbd53323743a34b900e2559ab0049b7c2d6262bda136dd3d005bc0527788106e0484e46558448a8720dac389a969e5886
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.10.12.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.10.12.ebuild
deleted file mode 100644
index d34ba81d76..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.10.12.ebuild
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-
-# XXX: Note we must prefix the patch filenames with "z" to ensure they are
-# applied _after_ a potential patch-${KV}.patch file, present when building a
-# patchlevel revision.  We mustn't apply our patches first, it fails when the
-# local patches overlap with the upstream patch.
-UNIPATCH_LIST="
-	${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
-	${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
-	${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
-	${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
-	${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
-	${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
-	${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
-	${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
-	${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
-	${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
-	${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
-	${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
-	${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
-	${PATCH_DIR}/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
-	${PATCH_DIR}/z0015-Add-arm64-coreos-verity-hash.patch \
-	${PATCH_DIR}/z0016-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch \
-"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.11.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.11.0.ebuild
new file mode 100644
index 0000000000..8e306611f2
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.11.0.ebuild
@@ -0,0 +1,47 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+
+# XXX: Note we must prefix the patch filenames with "z" to ensure they are
+# applied _after_ a potential patch-${KV}.patch file, present when building a
+# patchlevel revision.  We mustn't apply our patches first, it fails when the
+# local patches overlap with the upstream patch.
+UNIPATCH_LIST="
+	${PATCH_DIR}/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch \
+	${PATCH_DIR}/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch \
+	${PATCH_DIR}/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \
+	${PATCH_DIR}/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch \
+	${PATCH_DIR}/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch \
+	${PATCH_DIR}/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch \
+	${PATCH_DIR}/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch \
+	${PATCH_DIR}/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch \
+	${PATCH_DIR}/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch \
+	${PATCH_DIR}/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch \
+	${PATCH_DIR}/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch \
+	${PATCH_DIR}/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch \
+	${PATCH_DIR}/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch \
+	${PATCH_DIR}/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch \
+	${PATCH_DIR}/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch \
+	${PATCH_DIR}/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch \
+	${PATCH_DIR}/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch \
+	${PATCH_DIR}/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch \
+	${PATCH_DIR}/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch \
+	${PATCH_DIR}/z0020-scsi-Lock-down-the-eata-driver.patch \
+	${PATCH_DIR}/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch \
+	${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
+	${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+	${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
+"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0001-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0001-Add-secure_modules-call.patch
deleted file mode 100644
index 9636177fce..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0001-Add-secure_modules-call.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 56ce70f57c13296973ef0a14b7a2695d804abae8 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH 01/16] Add secure_modules() call
-
-Provide a single call to allow kernel code to determine whether the system
-has been configured to either disable module loading entirely or to load
-only modules signed with a trusted key.
-
-Bugzilla: N/A
-Upstream-status: Fedora mustard.  Replaced by securelevels, but that was nak'd
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- include/linux/module.h |  6 ++++++
- kernel/module.c        | 10 ++++++++++
- 2 files changed, 16 insertions(+)
-
-diff --git a/include/linux/module.h b/include/linux/module.h
-index cc7cba2..da4bd57 100644
---- a/include/linux/module.h
-+++ b/include/linux/module.h
-@@ -629,6 +629,8 @@ static inline bool module_requested_async_probing(struct module *module)
- 	return module && module->async_probe_requested;
- }
- 
-+extern bool secure_modules(void);
-+
- #ifdef CONFIG_LIVEPATCH
- static inline bool is_livepatch_module(struct module *mod)
- {
-@@ -750,6 +752,10 @@ static inline bool module_requested_async_probing(struct module *module)
- 	return false;
- }
- 
-+static inline bool secure_modules(void)
-+{
-+	return false;
-+}
- #endif /* CONFIG_MODULES */
- 
- #ifdef CONFIG_SYSFS
-diff --git a/kernel/module.c b/kernel/module.c
-index 1cd2bf3..3161532 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -4300,3 +4300,13 @@ void module_layout(struct module *mod,
- }
- EXPORT_SYMBOL(module_layout);
- #endif
-+
-+bool secure_modules(void)
-+{
-+#ifdef CONFIG_MODULE_SIG
-+	return (sig_enforce || modules_disabled);
-+#else
-+	return modules_disabled;
-+#endif
-+}
-+EXPORT_SYMBOL(secure_modules);
--- 
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch
deleted file mode 100644
index 4483bb1d3f..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From e86746ca84516a0f983fcb917d8c7f1e537c3898 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH 03/16] x86: Lock down IO port access when module security is
- enabled
-
-IO port access would permit users to gain access to PCI configuration
-registers, which in turn (on a lot of hardware) give access to MMIO register
-space. This would potentially permit root to trigger arbitrary DMA, so lock
-it down by default.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- arch/x86/kernel/ioport.c | 5 +++--
- drivers/char/mem.c       | 4 ++++
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
-index 589b319..ab83724 100644
---- a/arch/x86/kernel/ioport.c
-+++ b/arch/x86/kernel/ioport.c
-@@ -15,6 +15,7 @@
- #include <linux/thread_info.h>
- #include <linux/syscalls.h>
- #include <linux/bitmap.h>
-+#include <linux/module.h>
- #include <asm/syscalls.h>
- 
- /*
-@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
- 
- 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
- 		return -EINVAL;
--	if (turn_on && !capable(CAP_SYS_RAWIO))
-+	if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
- 		return -EPERM;
- 
- 	/*
-@@ -108,7 +109,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
- 		return -EINVAL;
- 	/* Trying to gain more privileges? */
- 	if (level > old) {
--		if (!capable(CAP_SYS_RAWIO))
-+		if (!capable(CAP_SYS_RAWIO) || secure_modules())
- 			return -EPERM;
- 	}
- 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 7e4a9d1..83cca9f 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -28,6 +28,7 @@
- #include <linux/export.h>
- #include <linux/io.h>
- #include <linux/uio.h>
-+#include <linux/module.h>
- 
- #include <linux/uaccess.h>
- 
-@@ -600,6 +601,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
- 	unsigned long i = *ppos;
- 	const char __user *tmp = buf;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	if (!access_ok(VERIFY_READ, buf, count))
- 		return -EFAULT;
- 	while (count-- > 0 && i < 65536) {
--- 
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
deleted file mode 100644
index 16c7c903da..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From acabe733bc7120d1557bb283dd4e00d55e4282a4 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH 07/16] acpi: Ignore acpi_rsdp kernel parameter when module
- loading is restricted
-
-This option allows userspace to pass the RSDP address to the kernel, which
-makes it possible for a user to circumvent any restrictions imposed on
-loading modules. Disable it in that case.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- drivers/acpi/osl.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 57fb5f4..9174461 100644
---- a/drivers/acpi/osl.c
-+++ b/drivers/acpi/osl.c
-@@ -40,6 +40,7 @@
- #include <linux/list.h>
- #include <linux/jiffies.h>
- #include <linux/semaphore.h>
-+#include <linux/module.h>
- 
- #include <asm/io.h>
- #include <linux/uaccess.h>
-@@ -192,7 +193,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
- 	acpi_physical_address pa = 0;
- 
- #ifdef CONFIG_KEXEC
--	if (acpi_rsdp)
-+	if (acpi_rsdp && !secure_modules())
- 		return acpi_rsdp;
- #endif
- 
--- 
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
deleted file mode 100644
index c376ec1dd6..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From a135df64b344fc57ddaef49fcb729e0111551ba3 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@coreos.com>
-Date: Thu, 19 Nov 2015 18:55:53 -0800
-Subject: [PATCH 08/16] kexec: Disable at runtime if the kernel enforces module
- loading restrictions
-
-kexec permits the loading and execution of arbitrary code in ring 0, which
-is something that module signing enforcement is meant to prevent. It makes
-sense to disable kexec in this situation.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- kernel/kexec.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 980936a..a0e4cb3 100644
---- a/kernel/kexec.c
-+++ b/kernel/kexec.c
-@@ -17,6 +17,7 @@
- #include <linux/syscalls.h>
- #include <linux/vmalloc.h>
- #include <linux/slab.h>
-+#include <linux/module.h>
- 
- #include "kexec_internal.h"
- 
-@@ -190,7 +191,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
- 	int result;
- 
- 	/* We only trust the superuser with rebooting the system. */
--	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
-+	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled || secure_modules())
- 		return -EPERM;
- 
- 	/*
--- 
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0010-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0010-Add-option-to-automatically-enforce-module-signature.patch
deleted file mode 100644
index b8f56aa27f..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0010-Add-option-to-automatically-enforce-module-signature.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From 3e73063b8cec1c30f9937f784de14e37606b1e9d Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 10/16] Add option to automatically enforce module signatures
- when in Secure Boot mode
-
-UEFI Secure Boot provides a mechanism for ensuring that the firmware will
-only load signed bootloaders and kernels. Certain use cases may also
-require that all kernel modules also be signed. Add a configuration option
-that enforces this automatically when enabled.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- Documentation/x86/zero-page.txt       |  2 ++
- arch/x86/Kconfig                      | 10 ++++++++++
- arch/x86/boot/compressed/eboot.c      | 35 +++++++++++++++++++++++++++++++++++
- arch/x86/include/uapi/asm/bootparam.h |  3 ++-
- arch/x86/kernel/setup.c               |  6 ++++++
- include/linux/module.h                |  6 ++++++
- kernel/module.c                       |  7 +++++++
- 7 files changed, 68 insertions(+), 1 deletion(-)
-
-diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
-index 95a4d34..b8527c6 100644
---- a/Documentation/x86/zero-page.txt
-+++ b/Documentation/x86/zero-page.txt
-@@ -31,6 +31,8 @@ Offset	Proto	Name		Meaning
- 1E9/001	ALL	eddbuf_entries	Number of entries in eddbuf (below)
- 1EA/001	ALL	edd_mbr_sig_buf_entries	Number of entries in edd_mbr_sig_buffer
- 				(below)
-+1EB/001	ALL     kbd_status      Numlock is enabled
-+1EC/001	ALL     secure_boot	Secure boot is enabled in the firmware
- 1EF/001	ALL	sentinel	Used to detect broken bootloaders
- 290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
- 2D0/A00	ALL	e820_map	E820 memory map table
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index e487493..5be38b4 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -1815,6 +1815,16 @@ config EFI_MIXED
- 
- 	   If unsure, say N.
- 
-+config EFI_SECURE_BOOT_SIG_ENFORCE
-+        def_bool n
-+	prompt "Force module signing when UEFI Secure Boot is enabled"
-+	---help---
-+	  UEFI Secure Boot provides a mechanism for ensuring that the
-+	  firmware will only load signed bootloaders and kernels. Certain
-+	  use cases may also require that all kernel modules also be signed.
-+	  Say Y here to automatically enable module signature enforcement
-+	  when a system boots with UEFI Secure Boot enabled.
-+
- config SECCOMP
- 	def_bool y
- 	prompt "Enable seccomp to safely compute untrusted bytecode"
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index ff01c8f..3e9e29a 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -12,6 +12,7 @@
- #include <asm/efi.h>
- #include <asm/setup.h>
- #include <asm/desc.h>
-+#include <asm/bootparam_utils.h>
- 
- #include "../string.h"
- #include "eboot.h"
-@@ -600,6 +601,36 @@ static void setup_quirks(struct boot_params *boot_params)
- 	}
- }
- 
-+static int get_secure_boot(void)
-+{
-+	u8 sb, setup;
-+	unsigned long datasize = sizeof(sb);
-+	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
-+	efi_status_t status;
-+
-+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
-+				L"SecureBoot", &var_guid, NULL, &datasize, &sb);
-+
-+	if (status != EFI_SUCCESS)
-+		return 0;
-+
-+	if (sb == 0)
-+		return 0;
-+
-+
-+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
-+				L"SetupMode", &var_guid, NULL, &datasize,
-+				&setup);
-+
-+	if (status != EFI_SUCCESS)
-+		return 0;
-+
-+	if (setup == 1)
-+		return 0;
-+
-+	return 1;
-+}
-+
- static efi_status_t
- setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
- {
-@@ -1157,6 +1188,10 @@ struct boot_params *efi_main(struct efi_config *c,
- 	else
- 		setup_boot_services32(efi_early);
- 
-+	sanitize_boot_params(boot_params);
-+
-+	boot_params->secure_boot = get_secure_boot();
-+
- 	setup_graphics(boot_params);
- 
- 	setup_efi_pci(boot_params);
-diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index b10bf31..5138dac 100644
---- a/arch/x86/include/uapi/asm/bootparam.h
-+++ b/arch/x86/include/uapi/asm/bootparam.h
-@@ -135,7 +135,8 @@ struct boot_params {
- 	__u8  eddbuf_entries;				/* 0x1e9 */
- 	__u8  edd_mbr_sig_buf_entries;			/* 0x1ea */
- 	__u8  kbd_status;				/* 0x1eb */
--	__u8  _pad5[3];					/* 0x1ec */
-+	__u8  secure_boot;				/* 0x1ec */
-+	__u8  _pad5[2];					/* 0x1ed */
- 	/*
- 	 * The sentinel is set to a nonzero value (0xff) in header.S.
- 	 *
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 4cfba94..7c4295c 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -1184,6 +1184,12 @@ void __init setup_arch(char **cmdline_p)
- 
- 	io_delay_init();
- 
-+#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
-+	if (boot_params.secure_boot) {
-+		enforce_signed_modules();
-+	}
-+#endif
-+
- 	/*
- 	 * Parse the ACPI tables for possible boot-time SMP configuration.
- 	 */
-diff --git a/include/linux/module.h b/include/linux/module.h
-index da4bd57..25d88bb 100644
---- a/include/linux/module.h
-+++ b/include/linux/module.h
-@@ -260,6 +260,12 @@ extern const typeof(name) __mod_##type##__##name##_device_table		\
- 
- struct notifier_block;
- 
-+#ifdef CONFIG_MODULE_SIG
-+extern void enforce_signed_modules(void);
-+#else
-+static inline void enforce_signed_modules(void) {};
-+#endif
-+
- #ifdef CONFIG_MODULES
- 
- extern int modules_disabled; /* for sysctl */
-diff --git a/kernel/module.c b/kernel/module.c
-index 3161532..19fe883 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -4301,6 +4301,13 @@ void module_layout(struct module *mod,
- EXPORT_SYMBOL(module_layout);
- #endif
- 
-+#ifdef CONFIG_MODULE_SIG
-+void enforce_signed_modules(void)
-+{
-+	sig_enforce = true;
-+}
-+#endif
-+
- bool secure_modules(void)
- {
- #ifdef CONFIG_MODULE_SIG
--- 
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
deleted file mode 100644
index fc80a34543..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 73f341d91ad94d23b610a87a1813004ce34a315b Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH 11/16] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
-
-The functionality of the config option is dependent upon the platform being
-UEFI based.  Reflect this in the config deps.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
----
- arch/x86/Kconfig | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 5be38b4..efe6b42 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -1816,7 +1816,8 @@ config EFI_MIXED
- 	   If unsure, say N.
- 
- config EFI_SECURE_BOOT_SIG_ENFORCE
--        def_bool n
-+	def_bool n
-+	depends on EFI
- 	prompt "Force module signing when UEFI Secure Boot is enabled"
- 	---help---
- 	  UEFI Secure Boot provides a mechanism for ensuring that the
--- 
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch
deleted file mode 100644
index 1bef76c087..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From fef19ea533f24b316a9fbba0e41a654428556721 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 12/16] efi: Add EFI_SECURE_BOOT bit
-
-UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
-for use with efi_enabled.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
----
- arch/x86/kernel/setup.c | 2 ++
- include/linux/efi.h     | 1 +
- 2 files changed, 3 insertions(+)
-
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 7c4295c..c5c88bc 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -1186,7 +1186,9 @@ void __init setup_arch(char **cmdline_p)
- 
- #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
- 	if (boot_params.secure_boot) {
-+		set_bit(EFI_SECURE_BOOT, &efi.flags);
- 		enforce_signed_modules();
-+		pr_info("Secure boot enabled\n");
- 	}
- #endif
- 
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 5b1af30..1b12c29 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -1065,6 +1065,7 @@ extern int __init efi_setup_pcdp_console(char *);
- #define EFI_ARCH_1		7	/* First arch-specific bit */
- #define EFI_DBG			8	/* Print additional debug info at runtime */
- #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
-+#define EFI_SECURE_BOOT		10	/* Are we in Secure Boot mode? */
- 
- #ifdef CONFIG_EFI
- /*
--- 
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0013-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0013-hibernate-Disable-in-a-signed-modules-environment.patch
deleted file mode 100644
index 21919300b6..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0013-hibernate-Disable-in-a-signed-modules-environment.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From f88379d39f564008627fb41ee4880eff9c410a58 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 13/16] hibernate: Disable in a signed modules environment
-
-There is currently no way to verify the resume image when returning
-from hibernate.  This might compromise the signed modules trust model,
-so until we can work with signed hibernate images we disable it in
-a secure modules environment.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
----
- kernel/power/hibernate.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index b26dbc4..ab187ad 100644
---- a/kernel/power/hibernate.c
-+++ b/kernel/power/hibernate.c
-@@ -29,6 +29,7 @@
- #include <linux/ctype.h>
- #include <linux/genhd.h>
- #include <linux/ktime.h>
-+#include <linux/module.h>
- #include <trace/events/power.h>
- 
- #include "power.h"
-@@ -67,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
- 
- bool hibernation_available(void)
- {
--	return (nohibernate == 0);
-+	return ((nohibernate == 0) && !secure_modules());
- }
- 
- /**
--- 
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0016-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0016-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch
deleted file mode 100644
index 3fd9510d0a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0016-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 85f70950f243ac7477d80053dd9ae8807cf36b08 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <sds@tycho.nsa.gov>
-Date: Mon, 9 Jan 2017 10:07:31 -0500
-Subject: [PATCH 16/16] selinux: allow context mounts on tmpfs, ramfs, devpts
- within user namespaces
-
-commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for
-unprivileged mounts from user namespaces") prohibited any use of context
-mount options within non-init user namespaces.  However, this breaks
-use of context mount options for tmpfs mounts within user namespaces,
-which are being used by Docker/runc.  There is no reason to block such
-usage for tmpfs, ramfs or devpts.  Exempt these filesystem types
-from this restriction.
-
-Before:
-sh$ userns_child_exec  -p -m -U -M '0 1000 1' -G '0 1000 1' bash
-sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
-mount: tmpfs is write-protected, mounting read-only
-mount: cannot mount tmpfs read-only
-
-After:
-sh$ userns_child_exec  -p -m -U -M '0 1000 1' -G '0 1000 1' bash
-sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
-sh# ls -Zd /tmp
-unconfined_u:object_r:user_tmp_t:s0:c13 /tmp
-
-Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- security/selinux/hooks.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index d98550a..fbf2d6d 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -833,10 +833,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
- 	}
- 
- 	/*
--	 * If this is a user namespace mount, no contexts are allowed
--	 * on the command line and security labels must be ignored.
-+	 * If this is a user namespace mount and the filesystem type is not
-+	 * explicitly whitelisted, then no contexts are allowed on the command
-+	 * line and security labels must be ignored.
- 	 */
--	if (sb->s_user_ns != &init_user_ns) {
-+	if (sb->s_user_ns != &init_user_ns &&
-+	    strcmp(sb->s_type->name, "tmpfs") &&
-+	    strcmp(sb->s_type->name, "ramfs") &&
-+	    strcmp(sb->s_type->name, "devpts")) {
- 		if (context_sid || fscontext_sid || rootcontext_sid ||
- 		    defcontext_sid) {
- 			rc = -EACCES;
--- 
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
new file mode 100644
index 0000000000..18c9001d0a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -0,0 +1,46 @@
+From 8d2a3c8d17cbc09d163fb636fd06684ed4c287d6 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Mon, 21 Nov 2016 23:55:55 +0000
+Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit
+
+UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
+that can be passed to efi_enabled() to find out whether secure boot is
+enabled.
+
+This will be used by the SysRq+x handler, registered by the x86 arch, to find
+out whether secure boot mode is enabled so that it can be disabled.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ arch/x86/kernel/setup.c | 1 +
+ include/linux/efi.h     | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 4bf0c89..396285b 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1184,6 +1184,7 @@ void __init setup_arch(char **cmdline_p)
+ 			pr_info("Secure boot disabled\n");
+ 			break;
+ 		case efi_secureboot_mode_enabled:
++			set_bit(EFI_SECURE_BOOT, &efi.flags);
+ 			pr_info("Secure boot enabled\n");
+ 			break;
+ 		default:
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 94d34e0..6049600 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *);
+ #define EFI_DBG			8	/* Print additional debug info at runtime */
+ #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
+ #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
++#define EFI_SECURE_BOOT		11	/* Are we in Secure Boot mode? */
+ 
+ #ifdef CONFIG_EFI
+ /*
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
new file mode 100644
index 0000000000..cc95ed5f32
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
@@ -0,0 +1,149 @@
+From d23f58628946d89a63b5c31c52ca3eb8569d9480 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 21 Nov 2016 23:36:17 +0000
+Subject: [PATCH 02/24] Add the ability to lock down access to the running
+ kernel image
+
+Provide a single call to allow kernel code to determine whether the system
+should be locked down, thereby disallowing various accesses that might
+allow the running kernel image to be changed including the loading of
+modules that aren't validly signed with a key we recognise, fiddling with
+MSR registers and disallowing hibernation,
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ include/linux/kernel.h   |  9 +++++++++
+ include/linux/security.h | 11 +++++++++++
+ security/Kconfig         | 15 +++++++++++++++
+ security/Makefile        |  3 +++
+ security/lock_down.c     | 40 ++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 78 insertions(+)
+ create mode 100644 security/lock_down.c
+
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 4c26dc3..b820a80 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -275,6 +275,15 @@ extern int oops_may_print(void);
+ void do_exit(long error_code) __noreturn;
+ void complete_and_exit(struct completion *, long) __noreturn;
+ 
++#ifdef CONFIG_LOCK_DOWN_KERNEL
++extern bool kernel_is_locked_down(void);
++#else
++static inline bool kernel_is_locked_down(void)
++{
++	return false;
++}
++#endif
++
+ /* Internal, do not use. */
+ int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
+ int __must_check _kstrtol(const char *s, unsigned int base, long *res);
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 96899fa..5808570 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -1678,5 +1678,16 @@ static inline void free_secdata(void *secdata)
+ { }
+ #endif /* CONFIG_SECURITY */
+ 
++#ifdef CONFIG_LOCK_DOWN_KERNEL
++extern void lock_kernel_down(void);
++#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
++extern void lift_kernel_lockdown(void);
++#endif
++#else
++static inline void lock_kernel_down(void)
++{
++}
++#endif
++
+ #endif /* ! __LINUX_SECURITY_H */
+ 
+diff --git a/security/Kconfig b/security/Kconfig
+index d900f47..d9b391d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -193,6 +193,21 @@ config STATIC_USERMODEHELPER_PATH
+ 	  If you wish for all usermode helper programs to be disabled,
+ 	  specify an empty string here (i.e. "").
+ 
++config LOCK_DOWN_KERNEL
++	bool "Allow the kernel to be 'locked down'"
++	help
++	  Allow the kernel to be locked down under certain circumstances, for
++	  instance if UEFI secure boot is enabled.  Locking down the kernel
++	  turns off various features that might otherwise allow access to the
++	  kernel image (eg. setting MSR registers).
++
++config ALLOW_LOCKDOWN_LIFT
++	bool
++	help
++	  Allow the lockdown on a kernel to be lifted, thereby restoring the
++	  ability of userspace to access the kernel image (eg. by SysRq+x under
++	  x86).
++
+ source security/selinux/Kconfig
+ source security/smack/Kconfig
+ source security/tomoyo/Kconfig
+diff --git a/security/Makefile b/security/Makefile
+index f2d71cd..8c4a43e 100644
+--- a/security/Makefile
++++ b/security/Makefile
+@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
+ # Object integrity file lists
+ subdir-$(CONFIG_INTEGRITY)		+= integrity
+ obj-$(CONFIG_INTEGRITY)			+= integrity/
++
++# Allow the kernel to be locked down
++obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
+diff --git a/security/lock_down.c b/security/lock_down.c
+new file mode 100644
+index 0000000..5788c60
+--- /dev/null
++++ b/security/lock_down.c
+@@ -0,0 +1,40 @@
++/* Lock down the kernel
++ *
++ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells@redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public Licence
++ * as published by the Free Software Foundation; either version
++ * 2 of the Licence, or (at your option) any later version.
++ */
++
++#include <linux/security.h>
++#include <linux/export.h>
++
++static __read_mostly bool kernel_locked_down;
++
++/*
++ * Put the kernel into lock-down mode.
++ */
++void lock_kernel_down(void)
++{
++	kernel_locked_down = true;
++}
++
++/*
++ * Take the kernel out of lockdown mode.
++ */
++void lift_kernel_lockdown(void)
++{
++	kernel_locked_down = false;
++}
++
++/**
++ * kernel_is_locked_down - Find out if the kernel is locked down
++ */
++bool kernel_is_locked_down(void)
++{
++	return kernel_locked_down;
++}
++EXPORT_SYMBOL(kernel_is_locked_down);
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
new file mode 100644
index 0000000000..a05b8d6121
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -0,0 +1,69 @@
+From 60416b718069a800e830593fdfb852abad37862b Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 21 Nov 2016 23:55:55 +0000
+Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode
+
+UEFI Secure Boot provides a mechanism for ensuring that the firmware will
+only load signed bootloaders and kernels.  Certain use cases may also
+require that all kernel modules also be signed.  Add a configuration option
+that to lock down the kernel - which includes requiring validly signed
+modules - if the kernel is secure-booted.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ arch/x86/Kconfig        | 12 ++++++++++++
+ arch/x86/kernel/setup.c |  8 +++++++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index cc98d5a..21f3985 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1817,6 +1817,18 @@ config EFI_MIXED
+ 
+ 	   If unsure, say N.
+ 
++config EFI_SECURE_BOOT_LOCK_DOWN
++	def_bool n
++	depends on EFI
++	prompt "Lock down the kernel when UEFI Secure Boot is enabled"
++	---help---
++	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
++	  will only load signed bootloaders and kernels.  Certain use cases may
++	  also require that all kernel modules also be signed and that
++	  userspace is prevented from directly changing the running kernel
++	  image.  Say Y here to automatically lock down the kernel when a
++	  system boots with UEFI Secure Boot enabled.
++
+ config SECCOMP
+ 	def_bool y
+ 	prompt "Enable seccomp to safely compute untrusted bytecode"
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 396285b..85dfa74 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -69,6 +69,7 @@
+ #include <linux/crash_dump.h>
+ #include <linux/tboot.h>
+ #include <linux/jiffies.h>
++#include <linux/security.h>
+ 
+ #include <video/edid.h>
+ 
+@@ -1185,7 +1186,12 @@ void __init setup_arch(char **cmdline_p)
+ 			break;
+ 		case efi_secureboot_mode_enabled:
+ 			set_bit(EFI_SECURE_BOOT, &efi.flags);
+-			pr_info("Secure boot enabled\n");
++			if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT_LOCK_DOWN)) {
++				lock_kernel_down();
++				pr_info("Secure boot enabled and kernel locked down\n");
++			} else {
++				pr_info("Secure boot enabled\n");
++			}
+ 			break;
+ 		default:
+ 			pr_info("Secure boot could not be determined\n");
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
new file mode 100644
index 0000000000..d734e584fe
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
@@ -0,0 +1,29 @@
+From 5fb1117bb8bdfa834a1479a250508d87f9c29d9c Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 23 Nov 2016 13:22:22 +0000
+Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
+
+If the kernel is locked down, require that all modules have valid
+signatures that we can verify.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ kernel/module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index 7eba6de..3331f2e 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -2756,7 +2756,7 @@ static int module_sig_check(struct load_info *info, int flags)
+ 	}
+ 
+ 	/* Not having a signature is only an error if we're strict. */
+-	if (err == -ENOKEY && !sig_enforce)
++	if (err == -ENOKEY && !sig_enforce && !kernel_is_locked_down())
+ 		err = 0;
+ 
+ 	return err;
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
similarity index 57%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
index 9aa35c307c..33b1bdb807 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
@@ -1,37 +1,38 @@
-From 3fc3471444e9d743dab373753403b3a5d61c4214 Mon Sep 17 00:00:00 2001
+From ec94f3ef19d149bf234a02fbf5733fc90532d903 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH 06/16] Restrict /dev/mem and /dev/kmem when module loading is
- restricted
+Date: Tue, 22 Nov 2016 08:46:16 +0000
+Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is
+ locked down
 
-Allowing users to write to address space makes it possible for the kernel
-to be subverted, avoiding module loading restrictions. Prevent this when
-any restrictions have been imposed on loading modules.
+Allowing users to write to address space makes it possible for the kernel to
+be subverted, avoiding module loading restrictions.  Prevent this when the
+kernel has been locked down.
 
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
 ---
  drivers/char/mem.c | 6 ++++++
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 83cca9f..e19f483 100644
+index 7e4a9d1..3c305b8 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
-@@ -180,6 +180,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
+@@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
  	if (p != *ppos)
  		return -EFBIG;
  
-+	if (secure_modules())
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	if (!valid_phys_addr_range(p, count))
  		return -EFAULT;
  
-@@ -536,6 +539,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
+@@ -535,6 +538,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
  	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
  	int err = 0;
  
-+	if (secure_modules())
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	if (p < (unsigned long) high_memory) {
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
new file mode 100644
index 0000000000..6c1d8c146f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
@@ -0,0 +1,39 @@
+From a2dee11f2125409c99596864ab59bc6240040180 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Tue, 22 Nov 2016 08:46:15 +0000
+Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down
+
+kexec permits the loading and execution of arbitrary code in ring 0, which
+is something that lock-down is meant to prevent. It makes sense to disable
+kexec in this situation.
+
+This does not affect kexec_file_load() which can check for a signature on the
+image to be booted.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ kernel/kexec.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/kernel/kexec.c b/kernel/kexec.c
+index 980936a..46de8e6 100644
+--- a/kernel/kexec.c
++++ b/kernel/kexec.c
+@@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+ 		return -EPERM;
+ 
+ 	/*
++	 * kexec can be used to circumvent module loading restrictions, so
++	 * prevent loading in that case
++	 */
++	if (kernel_is_locked_down())
++		return -EPERM;
++
++	/*
+ 	 * Verify we have a legal set of flags
+ 	 * This leaves us room for future extensions.
+ 	 */
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
new file mode 100644
index 0000000000..33c2e8b716
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
@@ -0,0 +1,38 @@
+From ff9bf489aa713b99ef5069e7b87eaa88b3e50838 Mon Sep 17 00:00:00 2001
+From: Dave Young <dyoung@redhat.com>
+Date: Tue, 22 Nov 2016 08:46:15 +0000
+Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec
+ reboot
+
+Kexec reboot in case secure boot being enabled does not keep the secure
+boot mode in new kernel, so later one can load unsigned kernel via legacy
+kexec_load.  In this state, the system is missing the protections provided
+by secure boot.
+
+Adding a patch to fix this by retain the secure_boot flag in original
+kernel.
+
+secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
+stub.  Fixing this issue by copying secure_boot flag across kexec reboot.
+
+Signed-off-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ arch/x86/kernel/kexec-bzimage64.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
+index d0a814a..3551bca 100644
+--- a/arch/x86/kernel/kexec-bzimage64.c
++++ b/arch/x86/kernel/kexec-bzimage64.c
+@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
+ 	if (efi_enabled(EFI_OLD_MEMMAP))
+ 		return 0;
+ 
++	params->secure_boot = boot_params.secure_boot;
+ 	ei->efi_loader_signature = current_ei->efi_loader_signature;
+ 	ei->efi_systab = current_ei->efi_systab;
+ 	ei->efi_systab_hi = current_ei->efi_systab_hi;
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
new file mode 100644
index 0000000000..c86b58c9f3
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
@@ -0,0 +1,39 @@
+From 5702dfdd0be2172bed2fd65d5f09ccf8f91ceef6 Mon Sep 17 00:00:00 2001
+From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
+Date: Wed, 23 Nov 2016 13:49:19 +0000
+Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been
+ set
+
+When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
+through kexec_file systemcall if securelevel has been set.
+
+This code was showed in Matthew's patch but not in git:
+https://lkml.org/lkml/2015/3/13/778
+
+Cc: Matthew Garrett <mjg59@srcf.ucam.org>
+Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ kernel/kexec_file.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
+index b118735..f6937ee 100644
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
+ 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
+ 		return -EPERM;
+ 
++	/* Don't permit images to be loaded into trusted kernels if we're not
++	 * going to verify the signature on them
++	 */
++	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
++		return -EPERM;
++
+ 	/* Make sure we have a legal set of flags */
+ 	if (flags != (flags & KEXEC_FILE_FLAGS))
+ 		return -EINVAL;
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
new file mode 100644
index 0000000000..ad1ecebe44
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
@@ -0,0 +1,32 @@
+From 83a20b13d75872926dba2d642eff291979edbe2e Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 22 Nov 2016 08:46:15 +0000
+Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down
+
+There is currently no way to verify the resume image when returning
+from hibernate.  This might compromise the signed modules trust model,
+so until we can work with signed hibernate images we disable it when the
+kernel is locked down.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ kernel/power/hibernate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index a8b978c..50cca5d 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
+ 
+ bool hibernation_available(void)
+ {
+-	return (nohibernate == 0);
++	return nohibernate == 0 && !kernel_is_locked_down();
+ }
+ 
+ /**
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
new file mode 100644
index 0000000000..101b1b007a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
@@ -0,0 +1,32 @@
+From 78782de3728538b3e8fb5a2b23823bc98aa4afe8 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@srcf.ucam.org>
+Date: Wed, 23 Nov 2016 13:28:17 +0000
+Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down
+
+uswsusp allows a user process to dump and then restore kernel state, which
+makes it possible to modify the running kernel.  Disable this if the kernel
+is locked down.
+
+Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ kernel/power/user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/power/user.c b/kernel/power/user.c
+index 22df9f7..e4b926d 100644
+--- a/kernel/power/user.c
++++ b/kernel/power/user.c
+@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
+ 	if (!hibernation_available())
+ 		return -EPERM;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	lock_system_sleep();
+ 
+ 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
similarity index 56%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
index cb9eaaa94c..1ef63218c7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
@@ -1,73 +1,66 @@
-From 7d153226d6afea4f25ba771ad674bcbe8e386c49 Mon Sep 17 00:00:00 2001
+From 0dfaa6335b722d770fa40ca9e3694fbebb6afcd4 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH 02/16] PCI: Lock down BAR access when module security is
- enabled
+Date: Tue, 22 Nov 2016 08:46:15 +0000
+Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked
+ down
 
-Any hardware that can potentially generate DMA has to be locked down from
-userspace in order to avoid it being possible for an attacker to modify
-kernel code, allowing them to circumvent disabled module loading or module
-signing. Default to paranoid - in future we can potentially relax this for
+Any hardware that can potentially generate DMA has to be locked down in
+order to avoid it being possible for an attacker to modify kernel code,
+allowing them to circumvent disabled module loading or module signing.
+Default to paranoid - in future we can potentially relax this for
 sufficiently IOMMU-isolated devices.
 
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
 ---
- drivers/pci/pci-sysfs.c | 10 ++++++++++
- drivers/pci/proc.c      |  8 +++++++-
- drivers/pci/syscall.c   |  3 ++-
- 3 files changed, 19 insertions(+), 2 deletions(-)
+ drivers/pci/pci-sysfs.c | 9 +++++++++
+ drivers/pci/proc.c      | 8 +++++++-
+ drivers/pci/syscall.c   | 2 +-
+ 3 files changed, 17 insertions(+), 2 deletions(-)
 
 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 0666287..9867e0c 100644
+index 25d010d..f70b366 100644
 --- a/drivers/pci/pci-sysfs.c
 +++ b/drivers/pci/pci-sysfs.c
-@@ -30,6 +30,7 @@
- #include <linux/vgaarb.h>
- #include <linux/pm_runtime.h>
- #include <linux/of.h>
-+#include <linux/module.h>
- #include "pci.h"
- 
- static int sysfs_initialized;	/* = 0 */
-@@ -718,6 +719,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
+@@ -727,6 +727,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
  	loff_t init_off = off;
  	u8 *data = (u8 *) buf;
  
-+	if (secure_modules())
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	if (off > dev->cfg_size)
  		return 0;
  	if (off + count > dev->cfg_size) {
-@@ -1009,6 +1013,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+@@ -1018,6 +1021,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
  	resource_size_t start, end;
  	int i;
  
-+	if (secure_modules())
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	for (i = 0; i < PCI_ROM_RESOURCE; i++)
  		if (res == &pdev->resource[i])
  			break;
-@@ -1108,6 +1115,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
+@@ -1117,6 +1123,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
  				     struct bin_attribute *attr, char *buf,
  				     loff_t off, size_t count)
  {
-+	if (secure_modules())
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
  }
  
 diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index f82710a..3af0fcf 100644
+index f82710a..139d6f0 100644
 --- a/drivers/pci/proc.c
 +++ b/drivers/pci/proc.c
 @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
  	int size = dev->cfg_size;
  	int cnt;
  
-+	if (secure_modules())
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	if (pos >= size)
@@ -77,7 +70,7 @@ index f82710a..3af0fcf 100644
  #endif /* HAVE_PCI_MMAP */
  	int ret = 0;
  
-+	if (secure_modules())
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	switch (cmd) {
@@ -88,28 +81,20 @@ index f82710a..3af0fcf 100644
  	int i, ret, write_combine;
  
 -	if (!capable(CAP_SYS_RAWIO))
-+	if (!capable(CAP_SYS_RAWIO) || secure_modules())
++	if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
  		return -EPERM;
  
  	/* Make sure the caller is mapping a real resource for this device */
 diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index 9bf993e..922bdf6 100644
+index 9bf993e..c095247 100644
 --- a/drivers/pci/syscall.c
 +++ b/drivers/pci/syscall.c
-@@ -11,6 +11,7 @@
- #include <linux/pci.h>
- #include <linux/syscalls.h>
- #include <linux/uaccess.h>
-+#include <linux/module.h>
- #include "pci.h"
- 
- SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn,
-@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
+@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
  	u32 dword;
  	int err = 0;
  
 -	if (!capable(CAP_SYS_ADMIN))
-+	if (!capable(CAP_SYS_ADMIN) || secure_modules())
++	if (!capable(CAP_SYS_ADMIN) || kernel_is_locked_down())
  		return -EPERM;
  
  	dev = pci_get_bus_and_slot(bus, dfn);
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
new file mode 100644
index 0000000000..8029dc17ae
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
@@ -0,0 +1,59 @@
+From 141aed03a504771f93f996bf93208ffc98cb2757 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Tue, 22 Nov 2016 08:46:16 +0000
+Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked
+ down
+
+IO port access would permit users to gain access to PCI configuration
+registers, which in turn (on a lot of hardware) give access to MMIO
+register space. This would potentially permit root to trigger arbitrary
+DMA, so lock it down by default.
+
+This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
+KDDISABIO console ioctls.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ arch/x86/kernel/ioport.c | 4 ++--
+ drivers/char/mem.c       | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
+index 9c3cf09..4a613fe 100644
+--- a/arch/x86/kernel/ioport.c
++++ b/arch/x86/kernel/ioport.c
+@@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
+ 
+ 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+ 		return -EINVAL;
+-	if (turn_on && !capable(CAP_SYS_RAWIO))
++	if (turn_on && (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down()))
+ 		return -EPERM;
+ 
+ 	/*
+@@ -120,7 +120,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
+ 		return -EINVAL;
+ 	/* Trying to gain more privileges? */
+ 	if (level > old) {
+-		if (!capable(CAP_SYS_RAWIO))
++		if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
+ 			return -EPERM;
+ 	}
+ 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index 3c305b8..f68976e 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -763,6 +763,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
+ 
+ static int open_port(struct inode *inode, struct file *filp)
+ {
++	if (kernel_is_locked_down())
++		return -EPERM;
+ 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
+ }
+ 
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
similarity index 62%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
index 09d65f0c4e..6e7e53fd06 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
@@ -1,28 +1,28 @@
-From ec485c7a0607c648e91a0bfbde3bb00b08834f68 Mon Sep 17 00:00:00 2001
+From 692346713c770cdcfddd2b03821658b562f02f70 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 09/16] x86: Restrict MSR access when module loading is
- restricted
+Date: Tue, 22 Nov 2016 08:46:17 +0000
+Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down
 
-Writing to MSRs should not be allowed if module loading is restricted,
-since it could lead to execution of arbitrary code in kernel mode. Based
-on a patch by Kees Cook.
+Writing to MSRs should not be allowed if the kernel is locked down, since
+it could lead to execution of arbitrary code in kernel mode.  Based on a
+patch by Kees Cook.
 
 Cc: Kees Cook <keescook@chromium.org>
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
 ---
  arch/x86/kernel/msr.c | 7 +++++++
  1 file changed, 7 insertions(+)
 
 diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index ef68880..74937d9 100644
+index ef68880..fbcce02 100644
 --- a/arch/x86/kernel/msr.c
 +++ b/arch/x86/kernel/msr.c
 @@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
  	int err = 0;
  	ssize_t bytes = 0;
  
-+	if (secure_modules())
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	if (count % 8)
@@ -32,7 +32,7 @@ index ef68880..74937d9 100644
  			err = -EBADF;
  			break;
  		}
-+		if (secure_modules()) {
++		if (kernel_is_locked_down()) {
 +			err = -EPERM;
 +			break;
 +		}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
similarity index 64%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
index eb952d5c48..9bf261b4c9 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
@@ -1,29 +1,30 @@
-From 1cc7d069c2ef9833542ded0bbb2cb4b33163d384 Mon Sep 17 00:00:00 2001
+From 09a257a1f105159ad9f4450c2968531c4cccf745 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH 05/16] asus-wmi: Restrict debugfs interface when module
- loading is restricted
+Date: Tue, 22 Nov 2016 08:46:16 +0000
+Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is
+ locked down
 
-We have no way of validating what all of the Asus WMI methods do on a
-given machine, and there's a risk that some will allow hardware state to
-be manipulated in such a way that arbitrary code can be executed in the
-kernel, circumventing module loading restrictions. Prevent that if any of
-these features are enabled.
+We have no way of validating what all of the Asus WMI methods do on a given
+machine - and there's a risk that some will allow hardware state to be
+manipulated in such a way that arbitrary code can be executed in the
+kernel, circumventing module loading restrictions.  Prevent that if the
+kernel is locked down.
 
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
 ---
  drivers/platform/x86/asus-wmi.c | 9 +++++++++
  1 file changed, 9 insertions(+)
 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index 8499d3a..8378491 100644
+index 8fe5890..feef250 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
 @@ -1900,6 +1900,9 @@ static int show_dsts(struct seq_file *m, void *data)
  	int err;
  	u32 retval = -1;
  
-+	if (secure_modules())
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
@@ -33,7 +34,7 @@ index 8499d3a..8378491 100644
  	int err;
  	u32 retval = -1;
  
-+	if (secure_modules())
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
@@ -43,7 +44,7 @@ index 8499d3a..8378491 100644
  	union acpi_object *obj;
  	acpi_status status;
  
-+	if (secure_modules())
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0004-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
similarity index 69%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0004-ACPI-Limit-access-to-custom_method.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
index 7c583398aa..80f4498cb4 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0004-ACPI-Limit-access-to-custom_method.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
@@ -1,26 +1,28 @@
-From 6256746af8e6279fa742e586aadb6cd75e129762 Mon Sep 17 00:00:00 2001
+From fac665360016f0601ce9c1b6d662d7bab23c8019 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH 04/16] ACPI: Limit access to custom_method
+Date: Tue, 22 Nov 2016 08:46:16 +0000
+Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
+ locked down
 
 custom_method effectively allows arbitrary access to system memory, making
 it possible for an attacker to circumvent restrictions on module loading.
-Disable it if any such restrictions have been enabled.
+Disable it if the kernel is locked down.
 
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
 ---
  drivers/acpi/custom_method.c | 3 +++
  1 file changed, 3 insertions(+)
 
 diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index c68e724..4277938 100644
+index c68e724..e4d721c 100644
 --- a/drivers/acpi/custom_method.c
 +++ b/drivers/acpi/custom_method.c
 @@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
  	struct acpi_table_header table;
  	acpi_status status;
  
-+	if (secure_modules())
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	if (!(*ppos)) {
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
new file mode 100644
index 0000000000..886ab57670
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
@@ -0,0 +1,32 @@
+From 6af7fcaa158248e47ec3319c15226bdb83876749 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@redhat.com>
+Date: Tue, 22 Nov 2016 08:46:16 +0000
+Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
+ been locked down
+
+This option allows userspace to pass the RSDP address to the kernel, which
+makes it possible for a user to circumvent any restrictions imposed on
+loading modules.  Ignore the option when the kernel is locked down.
+
+Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ drivers/acpi/osl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
+index db78d35..d4d4ba3 100644
+--- a/drivers/acpi/osl.c
++++ b/drivers/acpi/osl.c
+@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
+ 	acpi_physical_address pa = 0;
+ 
+ #ifdef CONFIG_KEXEC
+-	if (acpi_rsdp)
++	if (acpi_rsdp && !kernel_is_locked_down())
+ 		return acpi_rsdp;
+ #endif
+ 
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
new file mode 100644
index 0000000000..d0506e0826
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
@@ -0,0 +1,41 @@
+From 3d13a2254fdb3bc3e618c45edf57324d37720e69 Mon Sep 17 00:00:00 2001
+From: Linn Crosetto <linn@hpe.com>
+Date: Wed, 23 Nov 2016 13:32:27 +0000
+Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
+ locked down
+
+From the kernel documentation (initrd_table_override.txt):
+
+  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
+  to override nearly any ACPI table provided by the BIOS with an
+  instrumented, modified one.
+
+When securelevel is set, the kernel should disallow any unauthenticated
+changes to kernel space.  ACPI tables contain code invoked by the kernel,
+so do not allow ACPI tables to be overridden if the kernel is locked down.
+
+Signed-off-by: Linn Crosetto <linn@hpe.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ drivers/acpi/tables.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
+index 2604189..601096d 100644
+--- a/drivers/acpi/tables.c
++++ b/drivers/acpi/tables.c
+@@ -542,6 +542,11 @@ void __init acpi_table_upgrade(void)
+ 	if (table_nr == 0)
+ 		return;
+ 
++	if (kernel_is_locked_down()) {
++		pr_notice("kernel is locked down, ignoring table override\n");
++		return;
++	}
++
+ 	acpi_tables_addr =
+ 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
+ 				       all_tables_size, PAGE_SIZE);
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
new file mode 100644
index 0000000000..afd3091cb0
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
@@ -0,0 +1,44 @@
+From 3109ef59a2ac9c3dc8255ec18f66970c2c4a207c Mon Sep 17 00:00:00 2001
+From: Linn Crosetto <linn@hpe.com>
+Date: Wed, 23 Nov 2016 13:39:41 +0000
+Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
+ locked down
+
+ACPI provides an error injection mechanism, EINJ, for debugging and testing
+the ACPI Platform Error Interface (APEI) and other RAS features.  If
+supported by the firmware, ACPI specification 5.0 and later provide for a
+way to specify a physical memory address to which to inject the error.
+
+Injecting errors through EINJ can produce errors which to the platform are
+indistinguishable from real hardware errors.  This can have undesirable
+side-effects, such as causing the platform to mark hardware as needing
+replacement.
+
+While it does not provide a method to load unauthenticated privileged code,
+the effect of these errors may persist across reboots and affect trust in
+the underlying hardware, so disable error injection through EINJ if
+the kernel is locked down.
+
+Signed-off-by: Linn Crosetto <linn@hpe.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ drivers/acpi/apei/einj.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
+index ec50c32..e082718 100644
+--- a/drivers/acpi/apei/einj.c
++++ b/drivers/acpi/apei/einj.c
+@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
+ 	int rc;
+ 	u64 base_addr, size;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	/* If user manually set "flags", make sure it is legal */
+ 	if (flags && (flags &
+ 		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
new file mode 100644
index 0000000000..bba91f8abb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
@@ -0,0 +1,57 @@
+From a8b6c30d4fd43d684b3594eb60d62382abc39050 Mon Sep 17 00:00:00 2001
+From: "Lee, Chun-Yi" <jlee@suse.com>
+Date: Wed, 23 Nov 2016 13:52:16 +0000
+Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
+ kernel is locked down
+
+There are some bpf functions can be used to read kernel memory:
+bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
+private keys in kernel memory (e.g. the hibernation image signing key) to
+be read by an eBPF program.  Prohibit those functions when the kernel is
+locked down.
+
+Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ kernel/trace/bpf_trace.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index cee9802..7fde851 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
+ {
+ 	int ret;
+ 
++	if (kernel_is_locked_down()) {
++		memset(dst, 0, size);
++		return -EPERM;
++	}
++
+ 	ret = probe_kernel_read(dst, unsafe_ptr, size);
+ 	if (unlikely(ret < 0))
+ 		memset(dst, 0, size);
+@@ -84,6 +89,9 @@ static const struct bpf_func_proto bpf_probe_read_proto = {
+ BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
+ 	   u32, size)
+ {
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	/*
+ 	 * Ensure we're in user context which is safe for the helper to
+ 	 * run. This helper has no business in a kthread.
+@@ -143,6 +151,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
+ 	if (fmt[--fmt_size] != 0)
+ 		return -EINVAL;
+ 
++	if (kernel_is_locked_down())
++		return __trace_printk(1, fmt, 0, 0, 0);
++
+ 	/* check format string for allowed specifiers */
+ 	for (i = 0; i < fmt_size; i++) {
+ 		if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0020-scsi-Lock-down-the-eata-driver.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0020-scsi-Lock-down-the-eata-driver.patch
new file mode 100644
index 0000000000..9bc5aebc8f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0020-scsi-Lock-down-the-eata-driver.patch
@@ -0,0 +1,47 @@
+From 8e46fe54f266e8bf44ee499c3e3965c909785751 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 22 Nov 2016 10:10:34 +0000
+Subject: [PATCH 20/24] scsi: Lock down the eata driver
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+The eata driver takes a single string parameter that contains a slew of
+settings, including hardware resource configuration.  Prohibit use of the
+parameter if the kernel is locked down.
+
+Suggested-by: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Dario Ballabio <ballabio_dario@emc.com>
+cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
+cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+cc: linux-scsi@vger.kernel.org
+---
+ drivers/scsi/eata.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
+index 227dd2c..5c036d1 100644
+--- a/drivers/scsi/eata.c
++++ b/drivers/scsi/eata.c
+@@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
+ 
+ 	tpnt->proc_name = "eata2x";
+ 
+-	if (strlen(boot_options))
++	if (strlen(boot_options)) {
++		if (kernel_is_locked_down()) {
++			pr_err("Command line-specified device addresses, irqs and dma channels are not permitted when the kernel is locked down\n");
++			return -EPERM;
++		}
+ 		option_setup(boot_options);
++	}
+ 
+ #if defined(MODULE)
+ 	/* io_port could have been modified when loading as a module */
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
new file mode 100644
index 0000000000..71e8361fc0
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
@@ -0,0 +1,33 @@
+From 676e67b4574709c9d4dd7fe3ceef4b0fe236f99a Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 25 Nov 2016 14:37:45 +0000
+Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
+ down
+
+Prohibit replacement of the PCMCIA Card Information Structure when the
+kernel is locked down.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ drivers/pcmcia/cistpl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
+index 55ef7d1..193e4f7 100644
+--- a/drivers/pcmcia/cistpl.c
++++ b/drivers/pcmcia/cistpl.c
+@@ -1578,6 +1578,11 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
+ 	struct pcmcia_socket *s;
+ 	int error;
+ 
++	if (kernel_is_locked_down()) {
++		pr_err("Direct CIS storage isn't permitted when the kernel is locked down\n");
++		return -EPERM;
++	}
++
+ 	s = to_socket(container_of(kobj, struct device, kobj));
+ 
+ 	if (off)
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0022-Lock-down-TIOCSSERIAL.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0022-Lock-down-TIOCSSERIAL.patch
new file mode 100644
index 0000000000..32d8f01a76
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0022-Lock-down-TIOCSSERIAL.patch
@@ -0,0 +1,36 @@
+From 754ca1eba971c80218e8dd21e816851721153dff Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 7 Dec 2016 10:28:39 +0000
+Subject: [PATCH 22/24] Lock down TIOCSSERIAL
+
+Lock down TIOCSSERIAL as that can be used to change the ioport and irq
+settings on a serial port.  This only appears to be an issue for the serial
+drivers that use the core serial code.  All other drivers seem to either
+ignore attempts to change port/irq or give an error.
+
+Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ drivers/tty/serial/serial_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
+index 3fe5689..4181b00 100644
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
+ 	new_flags = new_info->flags;
+ 	old_custom_divisor = uport->custom_divisor;
+ 
++	if ((change_port || change_irq) && kernel_is_locked_down()) {
++		pr_err("Using TIOCSSERIAL to change device addresses, irqs and dma channels is not permitted when the kernel is locked down\n");
++		retval = -EPERM;
++		goto exit;
++	}
++
+ 	if (!capable(CAP_SYS_ADMIN)) {
+ 		retval = -EPERM;
+ 		if (change_irq || change_port ||
+-- 
+2.9.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
similarity index 78%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
index 6cfafd5d63..aa8ca4fc0e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
@@ -1,7 +1,7 @@
-From 8ef1fd05524775d97e12e0afe610678668c2743b Mon Sep 17 00:00:00 2001
+From 888481838b62903a4b2709cb84595f89820589bb Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 14/16] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,10 +12,10 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 9689d3f..0c0b5be 100644
+index 4b074a9..723c84d 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
+@@ -149,7 +149,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
  	@:
  
  sub-make:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0015-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0024-Add-arm64-coreos-verity-hash.patch
similarity index 65%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0015-Add-arm64-coreos-verity-hash.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0024-Add-arm64-coreos-verity-hash.patch
index 6f940934bd..6967428a13 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.10/z0015-Add-arm64-coreos-verity-hash.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0024-Add-arm64-coreos-verity-hash.patch
@@ -1,7 +1,7 @@
-From b6077ba8b3a213a88c805cc14322828b1f08219c Mon Sep 17 00:00:00 2001
+From 0ec3dd6e4d4b7a14e9fae62c6f2affe6b643063e Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 15/16] Add arm64 coreos verity hash
+Subject: [PATCH 24/24] Add arm64 coreos verity hash
 
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---
@@ -9,10 +9,10 @@ Signed-off-by: Geoff Levand <geoff@infradead.org>
  1 file changed, 5 insertions(+)
 
 diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
-index 4b1abac..a53fa57 100644
+index 4fb6ccd..f791d18 100644
 --- a/arch/arm64/kernel/head.S
 +++ b/arch/arm64/kernel/head.S
-@@ -195,6 +195,11 @@ section_table:
+@@ -200,6 +200,11 @@ section_table:
  	.short	0		// NumberOfLineNumbers  (0 for executables)
  	.long	0xe0500020	// Characteristics (section flags)
  
@@ -21,9 +21,9 @@ index 4b1abac..a53fa57 100644
 +	.ascii	"verity-hash"
 +	.org	_head + 512 + 64
 +
+ #ifdef CONFIG_DEBUG_EFI
  	/*
- 	 * EFI will load .text onwards at the 4k section alignment
- 	 * described in the PE/COFF header. To ensure that instruction
+ 	 * The debug table is referenced via its Relative Virtual Address (RVA),
 -- 
 2.9.3