From 58ea72b5127f98554291c02dfb687ef3b6d6d06b Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Wed, 11 Nov 2015 10:34:51 -0800
Subject: [PATCH] coreos-kernel: more security option updates

- Enable RANDOMIZE_BASE, hopefully Xen is ok with this now.
- Disable HIBERNATE/KEXEC_JUMP, we don't need these features.
- Fix RO/NX settings in the arm64 kernel.
---
 ...os-kernel-4.2.2-r6.ebuild => coreos-kernel-4.2.2-r7.ebuild} | 0
 .../sys-kernel/coreos-kernel/files/amd64_defconfig-4.2 | 3 +--
 .../sys-kernel/coreos-kernel/files/arm64_defconfig-4.2 | 2 ++
 3 files changed, 3 insertions(+), 2 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.2.2-r6.ebuild => coreos-kernel-4.2.2-r7.ebuild} (100%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r7.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r6.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r7.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2
index 92ec00edb5..1504a9c537 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2
@@ -93,11 +93,10 @@ CONFIG_KEXEC_FILE=y
 CONFIG_KEXEC_VERIFY_SIG=y
 CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 CONFIG_CRASH_DUMP=y
-CONFIG_KEXEC_JUMP=y
+CONFIG_RANDOMIZE_BASE=y
 CONFIG_PHYSICAL_ALIGN=0x1000000
 CONFIG_CMDLINE_BOOL=y
 CONFIG_CMDLINE="rootflags=rw mount.usrflags=ro"
-CONFIG_HIBERNATION=y
 # CONFIG_ACPI_AC is not set
 # CONFIG_ACPI_BATTERY is not set
 CONFIG_ACPI_BUTTON=m
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2
index d980d7dcac..b69047260d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2
@@ -228,7 +228,9 @@ CONFIG_SCHEDSTATS=y
 # CONFIG_DEBUG_PREEMPT is not set
 CONFIG_DEBUG_CREDENTIALS=y
 # CONFIG_FTRACE is not set
+CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_ALIGN_RODATA=y
 CONFIG_SECURITY=y
 CONFIG_CRYPTO_ANSI_CPRNG=y
 CONFIG_ARM64_CRYPTO=y
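Review bot: In the amd64_defconfig hunk, the removal of `CONFIG_HIBERNATION=y` is presented as unrelated housekeeping, but it appears to be what makes `CONFIG_RANDOMIZE_BASE=y` take effect. As far as I recall, x86 kernels of this era leave KASLR off at boot when hibernation is compiled in, unless `kaslr` is passed on the command line. I would record that coupling in the description, e.g. `- Disable HIBERNATION so that KASLR is active by default; KEXEC_JUMP goes with it.`, so a later change does not re-enable hibernation and silently lose the randomization. Given that the Xen behaviour is described only as "hopefully ok", the description should also name `nokaslr` as the boot-time fallback. A build-time check that the generated .config still contains `CONFIG_RANDOMIZE_BASE=y` is worth adding, since a defconfig symbol with an unmet dependency is dropped without an error.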
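Review bot: In the arm64_defconfig hunk, only `CONFIG_DEBUG_SET_MODULE_RONX=y` adds a protection (read-only text and non-executable data for loadable modules). `CONFIG_DEBUG_ALIGN_RODATA=y` is, as I recall its Kconfig help, a section-alignment choice that trades image padding for fewer split mappings, and it leaves what `CONFIG_DEBUG_RODATA` protects unchanged. The commit message files both under "Fix RO/NX settings", so I would state the trade-off there, e.g. `- arm64: enable module RO/NX; align rodata sections (costs padding, no extra protection).`. I believe DEBUG_ALIGN_RODATA is also unavailable with 64K pages, and the page-size setting is outside this hunk. The build should therefore confirm that all three symbols survive into the final .config rather than being dropped silently.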