diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/cros-kernel2.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/cros-kernel2.eclass
index d7f771c080..eb78cf3696 100644
--- a/sdk_container/src/third_party/coreos-overlay/eclass/cros-kernel2.eclass
+++ b/sdk_container/src/third_party/coreos-overlay/eclass/cros-kernel2.eclass
@@ -15,7 +15,7 @@ DEPEND="sys-apps/debianutils
 "
 
 IUSE="-source symlink-usr"
-RESTRICT="binchecks"
+RESTRICT="binchecks strip"
 STRIP_MASK="/usr/lib/debug/lib/modules/*/vmlinux"
 
 # Build out-of-tree and incremental by default, but allow an ebuild inheriting
@@ -146,6 +146,15 @@ kmake() {
 "$@"
 }
 
+# Discard the module signing key, we use new keys for each build.
+shred_keys() {
+local build_dir="$(cros-workon_get_build_dir)"
+if [[ -e "${build_dir}"/signing_key.priv ]]; then
+shred -u "${build_dir}"/signing_key.* || die
+rm -f "${build_dir}"/x509.genkey || die
+fi
+}
+
 cros-kernel2_src_unpack() {
 local srclocal="${CROS_WORKON_LOCALDIR[0]}/${CROS_WORKON_LOCALNAME[0]}"
 local srcpath="${CROS_WORKON_SRCROOT}/${srclocal}"
@@ -165,6 +174,9 @@ cros-kernel2_src_unpack() {
 # onto the kernel image itself.
 cp "${ROOT}"/usr/share/bootengine/bootengine.cpio \
 "$(cros-workon_get_build_dir)" || die "copy of dracut cpio failed."
+
+# make sure no keys are cached from a previous build
+shred_keys
 }
 
 cros-kernel2_src_configure() {
@@ -199,7 +211,11 @@ cros-kernel2_src_install() {
 kmake INSTALL_PATH="${D}/usr/boot" install
 # Install firmware to a temporary (bogus) location.
 # The linux-firmware package will be used instead.
-kmake INSTALL_MOD_PATH="${D}" INSTALL_FW_PATH="${T}/fw" modules_install
+# Stripping must be done here, not portage, to preserve sigs.
+kmake INSTALL_MOD_PATH="${D}" \
+INSTALL_MOD_STRIP="--strip-unneeded" \
+INSTALL_FW_PATH="${T}/fw" \
+modules_install
 
 local version=$(kernelversion)
 dosym "vmlinuz-${version}" /usr/boot/vmlinuz
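Review bot: In `shred_keys`, `local build_dir="$(cros-workon_get_build_dir)"` lets `local` swallow the exit status of the command substitution, so a failing `cros-workon_get_build_dir` leaves `build_dir` empty and the function silently skips the shred instead of dying; split it as `local build_dir` / `build_dir="$(cros-workon_get_build_dir)" || die`. The header comment should also record the limit of what `shred` buys here: its overwrite only reaches the old blocks on filesystems that rewrite in place, which journaling or copy-on-write filesystems may not, so the property actually relied on is that the private key is generated per build and never copied out of the build dir, e.g. `# Discard the module signing key (fresh keys each build). shred only helps on in-place filesystems; the key must never leave this dir.` The `-e` guard looks only at `signing_key.priv`, so a leftover `signing_key.x509` or `x509.genkey` without it is kept; neither is secret, but a word in the comment would save the next reader the question.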
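Review bot: The comment above the new `kmake ... modules_install` call says stripping must happen here rather than in portage but not why portage's strip is now off, which the `RESTRICT="binchecks strip"` change in the first hunk of this file does; tie them together, e.g. `# Strip via INSTALL_MOD_STRIP, not portage (RESTRICT=strip): modules_install signs after its own strip step, and a later portage strip would invalidate the signatures.` With all portage stripping restricted, the `STRIP_MASK="/usr/lib/debug/lib/modules/*/vmlinux"` line kept in that first hunk has nothing left to mask, and the vmlinux install it protected is commented out in the `-209,8` hunk below, so it can be dropped. `cros-kernel2_src_install` continues outside this hunk on both sides.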
@@ -209,8 +225,10 @@ cros-kernel2_src_install() {
 fi
 
 # Install uncompressed kernel for debugging purposes.
-insinto /usr/lib/debug/lib/modules/${version}/
-doins "$(cros-workon_get_build_dir)/vmlinux"
+# XXX: we haven't been using this, also we are not keeping module symbols
+# right now. Revisit both of these if we need to beef up debugging tools.
+#insinto /usr/lib/debug/lib/modules/${version}/
+#doins "$(cros-workon_get_build_dir)/vmlinux"
 
 if use source; then
 install_kernel_sources
@@ -218,6 +236,8 @@ cros-kernel2_src_install() {
 # Remove invalid symlinks when source isn't installed
 rm -f "${D}/lib/modules/${version}/"{build,source}
 fi
+
+shred_keys
 }
 
 EXPORT_FUNCTIONS src_unpack src_configure src_compile src_install
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.17.2-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.17.2-r2.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.17.2-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.17.2-r2.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.17.2 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.17.2
index 8a8cec9e47..9d5bad9b4a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.17.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.17.2
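Review bot: The debug vmlinux install is kept as commented-out code (`#insinto` / `#doins`) under an `XXX` marker; since the removal is tracked in git, deleting the two lines and keeping a one-line comment reads better than dead code, e.g. `# No uncompressed vmlinux or module symbols are installed; revisit if debugging tools need them.` If the intent is to re-enable it later, the `STRIP_MASK` for `/usr/lib/debug/lib/modules/*/vmlinux` in the first hunk of this file is the other half to restore, since `RESTRICT=strip` now leaves it inert. `cros-kernel2_src_install` continues outside this hunk on both sides.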
@@ -295,7 +295,15 @@ CONFIG_MODULE_UNLOAD=y
 # CONFIG_MODULE_FORCE_UNLOAD is not set
 # CONFIG_MODVERSIONS is not set
 # CONFIG_MODULE_SRCVERSION_ALL is not set
-# CONFIG_MODULE_SIG is not set
+CONFIG_MODULE_SIG=y
+# CONFIG_MODULE_SIG_FORCE is not set
+CONFIG_MODULE_SIG_ALL=y
+# CONFIG_MODULE_SIG_SHA1 is not set
+# CONFIG_MODULE_SIG_SHA224 is not set
+CONFIG_MODULE_SIG_SHA256=y
+# CONFIG_MODULE_SIG_SHA384 is not set
+# CONFIG_MODULE_SIG_SHA512 is not set
+CONFIG_MODULE_SIG_HASH="sha256"
 CONFIG_STOP_MACHINE=y
 CONFIG_BLOCK=y
 CONFIG_BLK_DEV_BSG=y
@@ -341,7 +349,7 @@ CONFIG_DEFAULT_CFQ=y
 # CONFIG_DEFAULT_NOOP is not set
 CONFIG_DEFAULT_IOSCHED="cfq"
 CONFIG_PREEMPT_NOTIFIERS=y
-CONFIG_ASN1=m
+CONFIG_ASN1=y
 CONFIG_UNINLINE_SPIN_UNLOCK=y
 CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
 CONFIG_INLINE_READ_UNLOCK=y
@@ -516,6 +524,9 @@ CONFIG_HZ_1000=y
 CONFIG_HZ=1000
 CONFIG_SCHED_HRTICK=y
 CONFIG_KEXEC=y
+CONFIG_KEXEC_FILE=y
+CONFIG_KEXEC_VERIFY_SIG=y
+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 CONFIG_CRASH_DUMP=y
 CONFIG_KEXEC_JUMP=y
 CONFIG_PHYSICAL_START=0x1000000
@@ -3659,7 +3670,7 @@ CONFIG_CRYPTO_SHA1=m
 CONFIG_CRYPTO_SHA1_SSSE3=m
 CONFIG_CRYPTO_SHA256_SSSE3=m
 # CONFIG_CRYPTO_SHA512_SSSE3 is not set
-CONFIG_CRYPTO_SHA256=m
+CONFIG_CRYPTO_SHA256=y
 # CONFIG_CRYPTO_SHA512 is not set
 # CONFIG_CRYPTO_TGR192 is not set
 # CONFIG_CRYPTO_WP512 is not set
@@ -3722,11 +3733,13 @@ CONFIG_CRYPTO_HW=y
 # CONFIG_CRYPTO_DEV_PADLOCK is not set
 # CONFIG_CRYPTO_DEV_CCP is not set
 # CONFIG_CRYPTO_DEV_QAT_DH895xCC is not set
-CONFIG_ASYMMETRIC_KEY_TYPE=m
-CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=m
-CONFIG_PUBLIC_KEY_ALGO_RSA=m
-CONFIG_X509_CERTIFICATE_PARSER=m
-# CONFIG_PKCS7_MESSAGE_PARSER is not set
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_PUBLIC_KEY_ALGO_RSA=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS7_MESSAGE_PARSER=y
+# CONFIG_PKCS7_TEST_KEY is not set
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
 CONFIG_HAVE_KVM=y
 CONFIG_HAVE_KVM_IRQCHIP=y
 CONFIG_HAVE_KVM_IRQFD=y
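Review bot: `CONFIG_MODULE_SIG=y` with `CONFIG_MODULE_SIG_FORCE` left unset makes the kernel check a signature when one is present but still load an unsigned or badly signed module, logging a verification failure and setting a taint flag, so this hunk adds visibility rather than an enforcement boundary. Since the eclass in this commit shreds the per-build private key after install, nothing outside the build can produce a valid signature anyway, which is presumably why FORCE stays off (out-of-tree modules would otherwise stop loading); that trade-off deserves a sentence in the commit message or next to `shred_keys` in the eclass, e.g. `# MODULE_SIG_FORCE is off: a foreign or altered module still loads but taints the kernel and logs a verification failure; signatures here detect tampering with shipped modules, they do not block it.` `CONFIG_MODULE_SIG_HASH="sha256"` matches the switch to `CONFIG_CRYPTO_SHA256=y` in the `-3659,7` hunk, which is needed because verification runs before any module can be loaded.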
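Review bot: `CONFIG_KEXEC_VERIFY_SIG=y` and `CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y` govern only the `kexec_file_load` path that `CONFIG_KEXEC_FILE=y` adds; the legacy `kexec_load` syscall behind the retained `CONFIG_KEXEC=y` performs no signature check, so the new options do not yet bound what a privileged process can boot into, and on this kernel the two cannot be separated since KEXEC_FILE presumably depends on KEXEC. Images on the new path are verified against the kernel's built-in trusted keyring, and nothing in this commit shows a kernel image being signed before the per-build key is shredded, so the effective state is that unsigned images are rejected on `kexec_file_load` while `kexec_load` still works; if that is the intent, say so in the commit message, e.g. `kexec_file_load signature verification enabled for future use; legacy kexec_load remains available and unverified.`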
@@ -3816,8 +3829,8 @@ CONFIG_AVERAGE=y
 CONFIG_CLZ_TAB=y
 # CONFIG_CORDIC is not set
 # CONFIG_DDR is not set
-CONFIG_MPILIB=m
-CONFIG_OID_REGISTRY=m
+CONFIG_MPILIB=y
+CONFIG_OID_REGISTRY=y
 CONFIG_UCS2_STRING=y
 CONFIG_FONT_SUPPORT=y
 # CONFIG_FONTS is not set