diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.11.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.11-r1.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.11.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.11-r1.ebuild index 2fe3d5d496..1a6a9c3550 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.11.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.11-r1.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="" +COREOS_SOURCE_REVISION="-r1" inherit coreos-kernel DESCRIPTION="CoreOS Linux kernel" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.11.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.11-r1.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.11.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.11-r1.ebuild index 763d6d9dfe..5f7ad1c646 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.11.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.11-r1.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="" +COREOS_SOURCE_REVISION="-r1" inherit coreos-kernel savedconfig DESCRIPTION="CoreOS Linux kernel modules" 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.11.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.11-r1.ebuild similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.11.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.11-r1.ebuild index 1875665f3f..8d618d17d2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.11.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.11-r1.ebuild @@ -43,4 +43,5 @@ UNIPATCH_LIST=" ${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \ ${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \ ${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ + ${PATCH_DIR}/z0022-crypto-rsa-Add-Makefile-dependencies-to-fix-parallel.patch \ " diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch index 6c8e1df9bd..00522c1f94 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch @@ -1,7 +1,7 @@ From 61aa910fc208741c4bff9801566a1ca0a24531d9 Mon Sep 17 00:00:00 2001 
From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:57 -0400 -Subject: [PATCH 01/21] security, overlayfs: provide copy up security hook for +Subject: [PATCH 01/22] security, overlayfs: provide copy up security hook for unioned files Provide a security hook to label new file correctly when a file is copied diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch index ae84c545a0..60f6eb93a1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch @@ -1,7 +1,7 @@ From 591db70df1daa6d3fec150d1ec822ae413385323 Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:58 -0400 -Subject: [PATCH 02/21] selinux: Implementation for inode_copy_up() hook +Subject: [PATCH 02/22] selinux: Implementation for inode_copy_up() hook A file is being copied up for overlay file system. Prepare a new set of creds and set create_sid appropriately so that new file is created with diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch index 668fe998c1..e14fcd253e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch @@ -1,7 +1,7 @@ From c4b0abc5ee89f6b6adc9b9aa6712f0403f43df69 Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:58 -0400 -Subject: [PATCH 03/21] security,overlayfs: Provide security hook for copy up +Subject: [PATCH 03/22] security,overlayfs: Provide security hook for copy up of xattrs for overlay file Provide a security hook which is called when xattrs of a file are being diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch index f54b060471..906d6ddb49 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch @@ -1,7 +1,7 @@ From 0b0daf47ee34e3c2bbb22a7620396461e20daca1 Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:58 -0400 -Subject: [PATCH 04/21] selinux: Implementation for inode_copy_up_xattr() hook +Subject: [PATCH 04/22] selinux: Implementation for inode_copy_up_xattr() hook When a file is copied up in overlay, we have already created file on upper/ with right label and there is no need to copy up selinux label/xattr from diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch index 3065fcc8d3..c8f1a07d34 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch @@ -1,7 +1,7 @@ From 27a7af7125c4984bdb75c2a027d6046744df411c Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:59 -0400 -Subject: [PATCH 05/21] selinux: Pass security pointer to +Subject: [PATCH 05/22] selinux: Pass security pointer to determine_inode_label() Right now selinux_determine_inode_label() works on security pointer of diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch index ceb6e82b79..295471503e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch @@ -1,7 +1,7 @@ From 1271cf983fa9292fd7c6dd1b0d2eb1fedecd8cdb Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:59 -0400 -Subject: [PATCH 06/21] security, overlayfs: Provide hook to correctly label +Subject: [PATCH 06/22] security, overlayfs: Provide hook to correctly label newly created files During a new file creation we need to make sure new file is created with the 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch index aa14f1610f..219590161a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch @@ -1,7 +1,7 @@ From 2c1808b93b771367bbb8f9617087ac550fee6b25 Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:59 -0400 -Subject: [PATCH 07/21] selinux: Implement dentry_create_files_as() hook +Subject: [PATCH 07/22] selinux: Implement dentry_create_files_as() hook Calculate what would be the label of newly created file and set that secid in the passed creds. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch index 9065c35926..b1fa4070c8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch @@ -1,7 +1,7 @@ From 11eef9a6bb39e76cf94903fd09035a016105ecd3 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH 08/21] Add secure_modules() call +Subject: [PATCH 08/22] Add secure_modules() call Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 6ab1f441e9..4909c51ee6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,7 +1,7 @@ From e2e5d6241f6deda933501efc2bf8561ac0ee823c Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH 09/21] PCI: Lock down BAR access when module security is +Subject: [PATCH 09/22] PCI: Lock down BAR access when module security is enabled Any hardware that can potentially generate DMA has to be locked down from diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch index 137ed54333..bdbf344036 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,7 +1,7 @@ From dac8156e6c3b022f9aa7fe74f9633c4b516d836b Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH 10/21] x86: Lock down IO port access when module security is +Subject: [PATCH 10/22] x86: Lock down IO port access when module security is enabled IO port access would permit users to gain access to PCI configuration diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch index 22dd7702da..1fe598e87a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch @@ -1,7 +1,7 @@ From af958e17249f457db4d717e930d03949a0409ce2 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH 11/21] ACPI: Limit access to custom_method +Subject: [PATCH 11/22] ACPI: Limit access to custom_method custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index 7fe7ba70b5..706a0a23c5 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,7 +1,7 @@ 
From 78eca915fa66229e2a849010183ca05c2f32dcb7 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH 12/21] asus-wmi: Restrict debugfs interface when module +Subject: [PATCH 12/22] asus-wmi: Restrict debugfs interface when module loading is restricted We have no way of validating what all of the Asus WMI methods do on a diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index b6148c744a..b087f35e6f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,7 +1,7 @@ From d012dc5ff32ac9a20c81c2666693d27795246803 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH 13/21] Restrict /dev/mem and /dev/kmem when module loading is +Subject: [PATCH 13/22] Restrict /dev/mem and /dev/kmem when module loading is restricted Allowing users to write to address space makes it possible for the kernel diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 16ece0f764..cb3ec192ed 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,7 +1,7 @@ From c5afea751f473e5a4c3a3bc9ca6000210cc11d62 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH 14/21] acpi: Ignore acpi_rsdp kernel parameter when module +Subject: [PATCH 14/22] acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted This option allows userspace to pass the RSDP address to the kernel, which diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index 4292053b0a..570533f90b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,7 +1,7 @@ From ef69c624f93bfe1f239a3c8fd7c18434315063a4 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 19 Nov 2015 18:55:53 -0800 -Subject: [PATCH 15/21] kexec: Disable at runtime if the kernel enforces module +Subject: [PATCH 15/22] kexec: Disable at runtime if the kernel enforces module loading restrictions kexec permits the loading and execution of arbitrary code in ring 0, which diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch index e6b304d49f..a8e48d9a32 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,7 +1,7 @@ From 7328100467c24fb90c510aed529969e50a504fcf Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH 16/21] x86: Restrict MSR access when module loading is +Subject: [PATCH 16/22] x86: Restrict MSR access when module loading is restricted Writing to MSRs should not be allowed if module loading is restricted, diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch index 94819d416f..8893fbcad0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch @@ -1,7 +1,7 @@ From 30317cca0747b8e31f5e6f45804883bc2e0a8062 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH 17/21] Add option to automatically enforce module signatures +Subject: [PATCH 17/22] Add option to automatically enforce module signatures when in Secure Boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index 461419fbb5..a41206dcee 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,7 +1,7 @@ From fe523b61b4171c61dd3d8502f82ceca832e07455 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH 18/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI +Subject: [PATCH 18/22] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI The functionality of the config option is dependent upon the platform being UEFI based. Reflect this in the config deps. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch index 707cb6d329..f8b8fc10db 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ From e75618eb44390ca1a3c89116218bf95869534d54 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH 19/21] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 19/22] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled. 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch index 9ac963acb3..1ecf2182e4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,7 +1,7 @@ From e2c1136cd8b9ca7b1bab22d248275f48d1a304ab Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH 20/21] hibernate: Disable in a signed modules environment +Subject: [PATCH 20/22] hibernate: Disable in a signed modules environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index 7598751a1c..51949b46d6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ From 7856850e71d8f561d4fdade202e9ce2992fb78bf Mon Sep 17 00:00:00 2001 
From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 21/21] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 21/22] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-crypto-rsa-Add-Makefile-dependencies-to-fix-parallel.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-crypto-rsa-Add-Makefile-dependencies-to-fix-parallel.patch new file mode 100644 index 0000000000..8f569ea75d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-crypto-rsa-Add-Makefile-dependencies-to-fix-parallel.patch @@ -0,0 +1,30 @@ +From b764ba9deb30b2b3b1089e6bd019235d8eeec7f0 Mon Sep 17 00:00:00 2001 +From: David Michael +Date: Tue, 29 Nov 2016 11:15:12 -0800 +Subject: [PATCH 22/22] crypto: rsa - Add Makefile dependencies to fix parallel + builds + +Both asn1 headers are included by rsa_helper.c, so rsa_helper.o +should explicitly depend on them. + +Signed-off-by: David Michael +Signed-off-by: Herbert Xu +--- + crypto/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/Makefile b/crypto/Makefile +index 99cc64ac..bd6a029 100644 +--- a/crypto/Makefile ++++ b/crypto/Makefile +@@ -40,6 +40,7 @@ obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o + + $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h + $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h ++$(obj)/rsa_helper.o: $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.h + clean-files += rsapubkey-asn1.c rsapubkey-asn1.h + clean-files += rsaprivkey-asn1.c rsaprivkey-asn1.h + +-- +2.7.4 +
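Review bot: The header of the new z0022 patch file records no upstream origin. It carries `Signed-off-by: Herbert Xu`, which suggests the change went through the upstream crypto tree, but no line names the upstream commit, so a later kernel bump cannot check mechanically whether the fix is already included and the carried patch can be dropped. Consider adding a provenance line to the patch description, for example `(cherry picked from commit <UPSTREAM_COMMIT_ID>)`, with the placeholder replaced by the real id. The added rule, `$(obj)/rsa_helper.o: $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.h`, matches what the commit message describes; whether rsa_helper.c includes any other generated header is not visible from this hunk.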