diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.3.ebuild
index f5f9b3e31b..b31615da8a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.3.ebuild
@@ -14,27 +14,33 @@ KEYWORDS="amd64 arm64"
 IUSE=""
 PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+
+# XXX: Note we must prefix the patch filenames with "z" to ensure they are
+# applied _after_ a potential patch-${KV}.patch file, present when building a
+# patchlevel revision. We mustn't apply our patches first, it fails when the
+# local patches overlap with the upstream patch.
+
 # in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
 UNIPATCH_LIST="
- ${PATCH_DIR}/0001-Add-secure_modules-call.patch \
- ${PATCH_DIR}/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
- ${PATCH_DIR}/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
- ${PATCH_DIR}/0004-ACPI-Limit-access-to-custom_method.patch \
- ${PATCH_DIR}/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
- ${PATCH_DIR}/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
- ${PATCH_DIR}/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
- ${PATCH_DIR}/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
- ${PATCH_DIR}/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
- ${PATCH_DIR}/0010-Add-option-to-automatically-enforce-module-signature.patch \
- ${PATCH_DIR}/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
- ${PATCH_DIR}/0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
- ${PATCH_DIR}/0013-hibernate-Disable-in-a-signed-modules-environment.patch \
- ${PATCH_DIR}/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
- ${PATCH_DIR}/0015-Overlayfs-Use-copy-up-security-hooks.patch \
- ${PATCH_DIR}/0016-SELinux-Stub-in-copy-up-handling.patch \
- ${PATCH_DIR}/0017-SELinux-Handle-opening-of-a-unioned-file.patch \
- ${PATCH_DIR}/0018-SELinux-Check-against-union-label-for-file-operation.patch \
- ${PATCH_DIR}/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
- ${PATCH_DIR}/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
- ${PATCH_DIR}/0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch \
+ ${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
+ ${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+ ${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+ ${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
+ ${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+ ${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+ ${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+ ${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+ ${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+ ${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
+ ${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+ ${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
+ ${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
+ ${PATCH_DIR}/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
+ ${PATCH_DIR}/z0015-Overlayfs-Use-copy-up-security-hooks.patch \
+ ${PATCH_DIR}/z0016-SELinux-Stub-in-copy-up-handling.patch \
+ ${PATCH_DIR}/z0017-SELinux-Handle-opening-of-a-unioned-file.patch \
+ ${PATCH_DIR}/z0018-SELinux-Check-against-union-label-for-file-operation.patch \
+ ${PATCH_DIR}/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+ ${PATCH_DIR}/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
+ ${PATCH_DIR}/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch \
 "
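Review bot: The new comment above UNIPATCH_LIST states that the "z" prefix is required but never says why it works, so a maintainer who later adds a patch named `0022-…` (or any name sorting before `patch-${KV}.patch`) will silently reintroduce the failure the commit fixes. If, as I recall, kernel-2's unipatch applies the list in sorted filename order, say so and turn it into a rule for future additions, e.g. `# unipatch applies patches in sorted filename order; every local patch must keep the "z" prefix so it sorts after patch-${KV}.patch` — hedged with "confirm against kernel-2.eclass" if the eclass behaviour has not been checked. It is also worth noting that these are the lockdown/secure-boot and overlayfs-SELinux patches, so a silently wrong application order is a security regression rather than a cosmetic build issue. The UNIPATCH_LIST assignment itself ends inside the hunk at the closing quote, but the surrounding ebuild context before line 14 is outside it.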
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0001-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0001-Add-secure_modules-call.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0001-Add-secure_modules-call.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0001-Add-secure_modules-call.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0004-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0004-ACPI-Limit-access-to-custom_method.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0004-ACPI-Limit-access-to-custom_method.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0004-ACPI-Limit-access-to-custom_method.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0010-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0010-Add-option-to-automatically-enforce-module-signature.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0010-Add-option-to-automatically-enforce-module-signature.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0010-Add-option-to-automatically-enforce-module-signature.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0012-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0012-efi-Add-EFI_SECURE_BOOT-bit.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0013-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0013-hibernate-Disable-in-a-signed-modules-environment.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0013-hibernate-Disable-in-a-signed-modules-environment.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0013-hibernate-Disable-in-a-signed-modules-environment.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0015-Overlayfs-Use-copy-up-security-hooks.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0015-Overlayfs-Use-copy-up-security-hooks.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0015-Overlayfs-Use-copy-up-security-hooks.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0015-Overlayfs-Use-copy-up-security-hooks.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0016-SELinux-Stub-in-copy-up-handling.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0016-SELinux-Stub-in-copy-up-handling.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0016-SELinux-Stub-in-copy-up-handling.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0016-SELinux-Stub-in-copy-up-handling.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0017-SELinux-Handle-opening-of-a-unioned-file.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0017-SELinux-Handle-opening-of-a-unioned-file.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0017-SELinux-Handle-opening-of-a-unioned-file.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0017-SELinux-Handle-opening-of-a-unioned-file.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0018-SELinux-Check-against-union-label-for-file-operation.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0018-SELinux-Check-against-union-label-for-file-operation.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0018-SELinux-Check-against-union-label-for-file-operation.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0018-SELinux-Check-against-union-label-for-file-operation.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch