diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.10.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14_rc7.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.10.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14_rc7.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.10.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.14_rc7.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.10.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.14_rc7.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.13 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.14
similarity index 98%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.13
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.14
index 15b3e792bb..1ecd12887a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.13
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.14
@@ -22,8 +22,6 @@ CONFIG_MEM_SOFT_DIRTY=y
 CONFIG_X86_CHECK_BIOS_CORRUPTION=y
 # CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
 CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=1
-CONFIG_LOCK_DOWN_KERNEL=y
-CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
 CONFIG_KEXEC=y
 CONFIG_KEXEC_FILE=y
 CONFIG_KEXEC_VERIFY_SIG=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.13 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.14
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.13
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.14
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.13 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.14
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.13
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.14
index a961e2ea38..4d1eb9cd1b 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.13
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.14
@@ -187,6 +187,7 @@ CONFIG_NFT_HASH=m
 CONFIG_NFT_FIB_INET=m
 CONFIG_NFT_DUP_NETDEV=m
 CONFIG_NFT_FWD_NETDEV=m
+CONFIG_NFT_FIB_NETDEV=m
 CONFIG_NF_SOCKET_IPV4=m
 CONFIG_NF_TABLES_IPV4=m
 CONFIG_NFT_CHAIN_ROUTE_IPV4=m
@@ -455,7 +456,6 @@ CONFIG_CONNECTOR=m
 CONFIG_MTD=m
 CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m
 CONFIG_ZRAM=m
-CONFIG_BLK_CPQ_CISS_DA=m
 CONFIG_BLK_DEV_DRBD=m
 CONFIG_BLK_DEV_NBD=m
 CONFIG_BLK_DEV_RAM=m
@@ -706,6 +706,7 @@ CONFIG_HWMON=m
 CONFIG_WATCHDOG=y
 CONFIG_SOFT_WATCHDOG=m
 CONFIG_XEN_WDT=m
+# CONFIG_RC_CORE is not set
 CONFIG_FB=y
 CONFIG_FB_EFI=y
 CONFIG_XEN_FBDEV_FRONTEND=m
@@ -861,6 +862,7 @@ CONFIG_KPROBE_EVENTS=y
 CONFIG_BPF_EVENTS=y
 CONFIG_MEMTEST=y
 CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 CONFIG_TRUSTED_KEYS=m
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index f4d15b4dbc..6fa56fcfb0 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,2 +1,2 @@
 DIST linux-4.13.tar.xz 100579888 SHA256 2db3d6066c3ad93eb25b973a3d2951e022a7e975ee2fa7cbe5bddf84d9a49a2c SHA512 a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2 WHIRLPOOL d3d332e02cd3c5056c76c28cf1f81504c6f7b8f2caed7238e7dd7866747fb03154b88d8d7aec4d0eddf5760624bc7d6c5485fb52a3e32d098a2742eba96c0d05
-DIST patch-4.13.10.xz 212680 SHA256 b9efa9c6375f79f6a041a5f0666d4ced1a49bfe8c4662d26517a6b4cfd9bf2f6 SHA512 634d81ea509aac5555d8d11631babe9bb04ea771c873f084cea7067313a566d5cad291b0c311002ae8d1d6dd498a93a9a43517923aa449eebb405fb4c1e34753 WHIRLPOOL f033d0bd9e6b95cdcb356a69ee4ea3054b96f991973445e94aeba664f3e91dcadd46a6c0620ad4f044503ccfa28a6deb2ed20890ef0c65b34f27a83b1847b8b1
+DIST patch-4.14-rc7.patch 51715185 SHA256 35e1f2d42c383c5796331c08a9536e2bd1604ee284ce063a41c567fa3fc582e0 SHA512 4b33b60a223359936e546498f9651f7bad21528beac404ca580ba6fd725fe6637845a80ba1079fa0cf4c6f614768d4b361e1e1b04ce7edde6dde686e623f1ed1 WHIRLPOOL e266a98b221fc84d73a3073f934137cbb077224f784f029f65a5f25108dc4ffedd5b1a548cde6f5396dec32343bd74ec97c502207b74f5b99c5dd97c06b1d334
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.10.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.10.ebuild
deleted file mode 100644
index c052bee923..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.10.ebuild
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-
-# -rc releases should be versioned L.M_rcN
-# Final releases should be versioned L.M.N, even for n == 0
-
-# Only needed for RCs
-K_BASE_VER="4.13"
-
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-if [[ "${PV%%_rc*}" != "${PV}" ]]; then
-	SRC_URI="https://git.kernel.org/torvalds/p/v${KV%-coreos}/v${OKV} -> patch-${KV%-coreos}.patch ${KERNEL_BASE_URI}/linux-${OKV}.tar.xz"
-	PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_PATCH}"
-else
-	SRC_URI="${KERNEL_URI}"
-	PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-fi
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-# XXX: Note we must prefix the patch filenames with "z" to ensure they are
-# applied _after_ a potential patch-${KV}.patch file, present when building a
-# patchlevel revision.  We mustn't apply our patches first, it fails when the
-# local patches overlap with the upstream patch.
-UNIPATCH_LIST="
-	${PATCH_DIR}/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch \
-	${PATCH_DIR}/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch \
-	${PATCH_DIR}/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \
-	${PATCH_DIR}/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch \
-	${PATCH_DIR}/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch \
-	${PATCH_DIR}/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch \
-	${PATCH_DIR}/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch \
-	${PATCH_DIR}/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch \
-	${PATCH_DIR}/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch \
-	${PATCH_DIR}/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch \
-	${PATCH_DIR}/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch \
-	${PATCH_DIR}/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch \
-	${PATCH_DIR}/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch \
-	${PATCH_DIR}/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch \
-	${PATCH_DIR}/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch \
-	${PATCH_DIR}/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch \
-	${PATCH_DIR}/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch \
-	${PATCH_DIR}/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch \
-	${PATCH_DIR}/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch \
-	${PATCH_DIR}/z0020-scsi-Lock-down-the-eata-driver.patch \
-	${PATCH_DIR}/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch \
-	${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
-	${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
-	${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
-	${PATCH_DIR}/z0025-cifs-Select-all-required-crypto-modules.patch \
-"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.14_rc7.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.14_rc7.ebuild
new file mode 100644
index 0000000000..4585ed4836
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.14_rc7.ebuild
@@ -0,0 +1,39 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+
+# -rc releases should be versioned L.M_rcN
+# Final releases should be versioned L.M.N, even for N == 0
+
+# Only needed for RCs
+K_BASE_VER="4.13"
+
+# Avoid failures when an -rc patch adds a file that replaces a symlink
+K_FROM_GIT=1
+
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+if [[ "${PV%%_rc*}" != "${PV}" ]]; then
+	SRC_URI="https://git.kernel.org/torvalds/p/v${KV%-coreos}/v${OKV} -> patch-${KV%-coreos}.patch ${KERNEL_BASE_URI}/linux-${OKV}.tar.xz"
+	PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_PATCH}"
+else
+	SRC_URI="${KERNEL_URI}"
+	PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+fi
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+# XXX: Note we must prefix the patch filenames with "z" to ensure they are
+# applied _after_ a potential patch-${KV}.patch file, present when building a
+# patchlevel revision.  We mustn't apply our patches first, it fails when the
+# local patches overlap with the upstream patch.
+UNIPATCH_LIST="
+	${PATCH_DIR}/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+	${PATCH_DIR}/z0002-Add-arm64-coreos-verity-hash.patch \
+"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
deleted file mode 100644
index 1c6c6b5b83..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 10b38041f4d82de14cbc2183c86f96bfbbff0980 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Mon, 21 Nov 2016 23:55:55 +0000
-Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit
-
-UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
-that can be passed to efi_enabled() to find out whether secure boot is
-enabled.
-
-This will be used by the SysRq+x handler, registered by the x86 arch, to find
-out whether secure boot mode is enabled so that it can be disabled.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- arch/x86/kernel/setup.c | 1 +
- include/linux/efi.h     | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 3486d0498800..319995f58345 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -1190,6 +1190,7 @@ void __init setup_arch(char **cmdline_p)
- 			pr_info("Secure boot disabled\n");
- 			break;
- 		case efi_secureboot_mode_enabled:
-+			set_bit(EFI_SECURE_BOOT, &efi.flags);
- 			pr_info("Secure boot enabled\n");
- 			break;
- 		default:
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 8269bcb8ccf7..7952dd3ffa73 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -1081,6 +1081,7 @@ extern int __init efi_setup_pcdp_console(char *);
- #define EFI_DBG			8	/* Print additional debug info at runtime */
- #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
- #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
-+#define EFI_SECURE_BOOT		11	/* Are we in Secure Boot mode? */
- 
- #ifdef CONFIG_EFI
- /*
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
deleted file mode 100644
index 3df68ed420..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
+++ /dev/null
@@ -1,149 +0,0 @@
-From 5a941458bb16c1c3c5e5f9bc1311a58d952d5c9f Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 21 Nov 2016 23:36:17 +0000
-Subject: [PATCH 02/25] Add the ability to lock down access to the running
- kernel image
-
-Provide a single call to allow kernel code to determine whether the system
-should be locked down, thereby disallowing various accesses that might
-allow the running kernel image to be changed including the loading of
-modules that aren't validly signed with a key we recognise, fiddling with
-MSR registers and disallowing hibernation,
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- include/linux/kernel.h   |  9 +++++++++
- include/linux/security.h | 11 +++++++++++
- security/Kconfig         | 15 +++++++++++++++
- security/Makefile        |  3 +++
- security/lock_down.c     | 40 ++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 78 insertions(+)
- create mode 100644 security/lock_down.c
-
-diff --git a/include/linux/kernel.h b/include/linux/kernel.h
-index bd6d96cf80b1..65692c80aa1a 100644
---- a/include/linux/kernel.h
-+++ b/include/linux/kernel.h
-@@ -277,6 +277,15 @@ extern int oops_may_print(void);
- void do_exit(long error_code) __noreturn;
- void complete_and_exit(struct completion *, long) __noreturn;
- 
-+#ifdef CONFIG_LOCK_DOWN_KERNEL
-+extern bool kernel_is_locked_down(void);
-+#else
-+static inline bool kernel_is_locked_down(void)
-+{
-+	return false;
-+}
-+#endif
-+
- /* Internal, do not use. */
- int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
- int __must_check _kstrtol(const char *s, unsigned int base, long *res);
-diff --git a/include/linux/security.h b/include/linux/security.h
-index b6ea1dc9cc9d..834b355fa298 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -1764,5 +1764,16 @@ static inline void free_secdata(void *secdata)
- { }
- #endif /* CONFIG_SECURITY */
- 
-+#ifdef CONFIG_LOCK_DOWN_KERNEL
-+extern void lock_kernel_down(void);
-+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
-+extern void lift_kernel_lockdown(void);
-+#endif
-+#else
-+static inline void lock_kernel_down(void)
-+{
-+}
-+#endif
-+
- #endif /* ! __LINUX_SECURITY_H */
- 
-diff --git a/security/Kconfig b/security/Kconfig
-index e8e449444e65..1a84ed33c09a 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -205,6 +205,21 @@ config STATIC_USERMODEHELPER_PATH
- 	  If you wish for all usermode helper programs to be disabled,
- 	  specify an empty string here (i.e. "").
- 
-+config LOCK_DOWN_KERNEL
-+	bool "Allow the kernel to be 'locked down'"
-+	help
-+	  Allow the kernel to be locked down under certain circumstances, for
-+	  instance if UEFI secure boot is enabled.  Locking down the kernel
-+	  turns off various features that might otherwise allow access to the
-+	  kernel image (eg. setting MSR registers).
-+
-+config ALLOW_LOCKDOWN_LIFT
-+	bool
-+	help
-+	  Allow the lockdown on a kernel to be lifted, thereby restoring the
-+	  ability of userspace to access the kernel image (eg. by SysRq+x under
-+	  x86).
-+
- source security/selinux/Kconfig
- source security/smack/Kconfig
- source security/tomoyo/Kconfig
-diff --git a/security/Makefile b/security/Makefile
-index f2d71cdb8e19..8c4a43e3d4e0 100644
---- a/security/Makefile
-+++ b/security/Makefile
-@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
- # Object integrity file lists
- subdir-$(CONFIG_INTEGRITY)		+= integrity
- obj-$(CONFIG_INTEGRITY)			+= integrity/
-+
-+# Allow the kernel to be locked down
-+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
-diff --git a/security/lock_down.c b/security/lock_down.c
-new file mode 100644
-index 000000000000..5788c60ff4e1
---- /dev/null
-+++ b/security/lock_down.c
-@@ -0,0 +1,40 @@
-+/* Lock down the kernel
-+ *
-+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#include <linux/security.h>
-+#include <linux/export.h>
-+
-+static __read_mostly bool kernel_locked_down;
-+
-+/*
-+ * Put the kernel into lock-down mode.
-+ */
-+void lock_kernel_down(void)
-+{
-+	kernel_locked_down = true;
-+}
-+
-+/*
-+ * Take the kernel out of lockdown mode.
-+ */
-+void lift_kernel_lockdown(void)
-+{
-+	kernel_locked_down = false;
-+}
-+
-+/**
-+ * kernel_is_locked_down - Find out if the kernel is locked down
-+ */
-+bool kernel_is_locked_down(void)
-+{
-+	return kernel_locked_down;
-+}
-+EXPORT_SYMBOL(kernel_is_locked_down);
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
deleted file mode 100644
index d3e4b49f1f..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 56f553942d8b99fe5eff6e329cc6844cbb6ee4b7 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 21 Nov 2016 23:55:55 +0000
-Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode
-
-UEFI Secure Boot provides a mechanism for ensuring that the firmware will
-only load signed bootloaders and kernels.  Certain use cases may also
-require that all kernel modules also be signed.  Add a configuration option
-that to lock down the kernel - which includes requiring validly signed
-modules - if the kernel is secure-booted.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- arch/x86/Kconfig        | 12 ++++++++++++
- arch/x86/kernel/setup.c |  8 +++++++-
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 323cb065be5e..8e41d54d6498 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -1836,6 +1836,18 @@ config EFI_MIXED
- 
- 	   If unsure, say N.
- 
-+config EFI_SECURE_BOOT_LOCK_DOWN
-+	def_bool n
-+	depends on EFI
-+	prompt "Lock down the kernel when UEFI Secure Boot is enabled"
-+	---help---
-+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
-+	  will only load signed bootloaders and kernels.  Certain use cases may
-+	  also require that all kernel modules also be signed and that
-+	  userspace is prevented from directly changing the running kernel
-+	  image.  Say Y here to automatically lock down the kernel when a
-+	  system boots with UEFI Secure Boot enabled.
-+
- config SECCOMP
- 	def_bool y
- 	prompt "Enable seccomp to safely compute untrusted bytecode"
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 319995f58345..d0128aef43ce 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -69,6 +69,7 @@
- #include <linux/crash_dump.h>
- #include <linux/tboot.h>
- #include <linux/jiffies.h>
-+#include <linux/security.h>
- 
- #include <linux/usb/xhci-dbgp.h>
- #include <video/edid.h>
-@@ -1191,7 +1192,12 @@ void __init setup_arch(char **cmdline_p)
- 			break;
- 		case efi_secureboot_mode_enabled:
- 			set_bit(EFI_SECURE_BOOT, &efi.flags);
--			pr_info("Secure boot enabled\n");
-+			if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT_LOCK_DOWN)) {
-+				lock_kernel_down();
-+				pr_info("Secure boot enabled and kernel locked down\n");
-+			} else {
-+				pr_info("Secure boot enabled\n");
-+			}
- 			break;
- 		default:
- 			pr_info("Secure boot could not be determined\n");
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
deleted file mode 100644
index d57d345977..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From cc5ea82adefc9d4039a713e8b5cf99baa917636e Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Wed, 23 Nov 2016 13:22:22 +0000
-Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down
-
-If the kernel is locked down, require that all modules have valid
-signatures that we can verify.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- kernel/module.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/module.c b/kernel/module.c
-index 40f983cbea81..e5b878b26906 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -2781,7 +2781,7 @@ static int module_sig_check(struct load_info *info, int flags)
- 	}
- 
- 	/* Not having a signature is only an error if we're strict. */
--	if (err == -ENOKEY && !sig_enforce)
-+	if (err == -ENOKEY && !sig_enforce && !kernel_is_locked_down())
- 		err = 0;
- 
- 	return err;
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
deleted file mode 100644
index 4c61cffec7..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 235ba6af59f7cee12187cf733b447fe8d3463184 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is
- locked down
-
-Allowing users to write to address space makes it possible for the kernel to
-be subverted, avoiding module loading restrictions.  Prevent this when the
-kernel has been locked down.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- drivers/char/mem.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 593a8818aca9..ba68add9677f 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
- 	if (p != *ppos)
- 		return -EFBIG;
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	if (!valid_phys_addr_range(p, count))
- 		return -EFAULT;
- 
-@@ -540,6 +543,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
- 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
- 	int err = 0;
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	if (p < (unsigned long) high_memory) {
- 		unsigned long to_write = min_t(unsigned long, count,
- 					       (unsigned long)high_memory - p);
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
deleted file mode 100644
index 75cc36c14e..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 75d101e041cef9ffd5c4320183ed9120c33384bd Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down
-
-kexec permits the loading and execution of arbitrary code in ring 0, which
-is something that lock-down is meant to prevent. It makes sense to disable
-kexec in this situation.
-
-This does not affect kexec_file_load() which can check for a signature on the
-image to be booted.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- kernel/kexec.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/kernel/kexec.c b/kernel/kexec.c
-index e62ec4dc6620..37f75d0b75de 100644
---- a/kernel/kexec.c
-+++ b/kernel/kexec.c
-@@ -201,6 +201,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
- 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
- 		return -EPERM;
- 
-+	/*
-+	 * kexec can be used to circumvent module loading restrictions, so
-+	 * prevent loading in that case
-+	 */
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	/*
- 	 * Verify we have a legal set of flags
- 	 * This leaves us room for future extensions.
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
deleted file mode 100644
index a00d1fd6e8..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 9e5f94ab9e11f46c91612db0e82077f9e56066d3 Mon Sep 17 00:00:00 2001
-From: Dave Young <dyoung@redhat.com>
-Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec
- reboot
-
-Kexec reboot in case secure boot being enabled does not keep the secure
-boot mode in new kernel, so later one can load unsigned kernel via legacy
-kexec_load.  In this state, the system is missing the protections provided
-by secure boot.
-
-Adding a patch to fix this by retain the secure_boot flag in original
-kernel.
-
-secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
-stub.  Fixing this issue by copying secure_boot flag across kexec reboot.
-
-Signed-off-by: Dave Young <dyoung@redhat.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- arch/x86/kernel/kexec-bzimage64.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
-index fb095ba0c02f..7d0fac5bcbbe 100644
---- a/arch/x86/kernel/kexec-bzimage64.c
-+++ b/arch/x86/kernel/kexec-bzimage64.c
-@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
- 	if (efi_enabled(EFI_OLD_MEMMAP))
- 		return 0;
- 
-+	params->secure_boot = boot_params.secure_boot;
- 	ei->efi_loader_signature = current_ei->efi_loader_signature;
- 	ei->efi_systab = current_ei->efi_systab;
- 	ei->efi_systab_hi = current_ei->efi_systab_hi;
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
deleted file mode 100644
index 36f330f85e..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 72726c9e0d1063885f9226a78f1aa70c508d9284 Mon Sep 17 00:00:00 2001
-From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
-Date: Wed, 23 Nov 2016 13:49:19 +0000
-Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been
- set
-
-When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
-through kexec_file systemcall if securelevel has been set.
-
-This code was showed in Matthew's patch but not in git:
-https://lkml.org/lkml/2015/3/13/778
-
-Cc: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- kernel/kexec_file.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
-index 9f48f4412297..7da87007c202 100644
---- a/kernel/kexec_file.c
-+++ b/kernel/kexec_file.c
-@@ -255,6 +255,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
- 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
- 		return -EPERM;
- 
-+	/* Don't permit images to be loaded into trusted kernels if we're not
-+	 * going to verify the signature on them
-+	 */
-+	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
-+		return -EPERM;
-+
- 	/* Make sure we have a legal set of flags */
- 	if (flags != (flags & KEXEC_FILE_FLAGS))
- 		return -EINVAL;
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
deleted file mode 100644
index a969217653..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 62487920402b56b8eab77f515d7890df6473ca29 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down
-
-There is currently no way to verify the resume image when returning
-from hibernate.  This might compromise the signed modules trust model,
-so until we can work with signed hibernate images we disable it when the
-kernel is locked down.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- kernel/power/hibernate.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index e1914c7b85b1..7859ba79e181 100644
---- a/kernel/power/hibernate.c
-+++ b/kernel/power/hibernate.c
-@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
- 
- bool hibernation_available(void)
- {
--	return (nohibernate == 0);
-+	return nohibernate == 0 && !kernel_is_locked_down();
- }
- 
- /**
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
deleted file mode 100644
index b652e63b9c..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 203bff56c8b1a2c0ae98944258daa3c684994054 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Wed, 23 Nov 2016 13:28:17 +0000
-Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down
-
-uswsusp allows a user process to dump and then restore kernel state, which
-makes it possible to modify the running kernel.  Disable this if the kernel
-is locked down.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- kernel/power/user.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/kernel/power/user.c b/kernel/power/user.c
-index 22df9f7ff672..e4b926d329b7 100644
---- a/kernel/power/user.c
-+++ b/kernel/power/user.c
-@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
- 	if (!hibernation_available())
- 		return -EPERM;
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	lock_system_sleep();
- 
- 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
deleted file mode 100644
index 68843a969e..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 973da35b4b6b11f677d991efab6e54f93b0f0e2c Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked
- down
-
-Any hardware that can potentially generate DMA has to be locked down in
-order to avoid it being possible for an attacker to modify kernel code,
-allowing them to circumvent disabled module loading or module signing.
-Default to paranoid - in future we can potentially relax this for
-sufficiently IOMMU-isolated devices.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- drivers/pci/pci-sysfs.c | 9 +++++++++
- drivers/pci/proc.c      | 8 +++++++-
- drivers/pci/syscall.c   | 2 +-
- 3 files changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 6337bce27c36..eb7c0dcca351 100644
---- a/drivers/pci/pci-sysfs.c
-+++ b/drivers/pci/pci-sysfs.c
-@@ -888,6 +888,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
- 	loff_t init_off = off;
- 	u8 *data = (u8 *) buf;
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	if (off > dev->cfg_size)
- 		return 0;
- 	if (off + count > dev->cfg_size) {
-@@ -1182,6 +1185,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
- 	enum pci_mmap_state mmap_type;
- 	struct resource *res = &pdev->resource[bar];
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
- 		return -EINVAL;
- 
-@@ -1265,6 +1271,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
- 				     struct bin_attribute *attr, char *buf,
- 				     loff_t off, size_t count)
- {
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
- }
- 
-diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index 098360d7ff81..ef16fccb1923 100644
---- a/drivers/pci/proc.c
-+++ b/drivers/pci/proc.c
-@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
- 	int size = dev->cfg_size;
- 	int cnt;
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	if (pos >= size)
- 		return 0;
- 	if (nbytes >= size)
-@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
- #endif /* HAVE_PCI_MMAP */
- 	int ret = 0;
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	switch (cmd) {
- 	case PCIIOC_CONTROLLER:
- 		ret = pci_domain_nr(dev->bus);
-@@ -236,7 +242,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
- 	struct pci_filp_private *fpriv = file->private_data;
- 	int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
- 
--	if (!capable(CAP_SYS_RAWIO))
-+	if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
- 		return -EPERM;
- 
- 	if (fpriv->mmap_state == pci_mmap_io) {
-diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index 9bf993e1f71e..c09524738ceb 100644
---- a/drivers/pci/syscall.c
-+++ b/drivers/pci/syscall.c
-@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
- 	u32 dword;
- 	int err = 0;
- 
--	if (!capable(CAP_SYS_ADMIN))
-+	if (!capable(CAP_SYS_ADMIN) || kernel_is_locked_down())
- 		return -EPERM;
- 
- 	dev = pci_get_bus_and_slot(bus, dfn);
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
deleted file mode 100644
index f29c50993b..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From bcf04501de6a0db26d11994d4e3757da793fec96 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked
- down
-
-IO port access would permit users to gain access to PCI configuration
-registers, which in turn (on a lot of hardware) give access to MMIO
-register space. This would potentially permit root to trigger arbitrary
-DMA, so lock it down by default.
-
-This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
-KDDISABIO console ioctls.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- arch/x86/kernel/ioport.c | 4 ++--
- drivers/char/mem.c       | 2 ++
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
-index 9c3cf0944bce..4a613fed94b6 100644
---- a/arch/x86/kernel/ioport.c
-+++ b/arch/x86/kernel/ioport.c
-@@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
- 
- 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
- 		return -EINVAL;
--	if (turn_on && !capable(CAP_SYS_RAWIO))
-+	if (turn_on && (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down()))
- 		return -EPERM;
- 
- 	/*
-@@ -120,7 +120,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
- 		return -EINVAL;
- 	/* Trying to gain more privileges? */
- 	if (level > old) {
--		if (!capable(CAP_SYS_RAWIO))
-+		if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
- 			return -EPERM;
- 	}
- 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index ba68add9677f..5e2a260fb89f 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
- 
- static int open_port(struct inode *inode, struct file *filp)
- {
-+	if (kernel_is_locked_down())
-+		return -EPERM;
- 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
- }
- 
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
deleted file mode 100644
index 15710804e3..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 205948d870a1e995e0b5f332b5a0e3fc15371327 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Tue, 22 Nov 2016 08:46:17 +0000
-Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down
-
-Writing to MSRs should not be allowed if the kernel is locked down, since
-it could lead to execution of arbitrary code in kernel mode.  Based on a
-patch by Kees Cook.
-
-Cc: Kees Cook <keescook@chromium.org>
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- arch/x86/kernel/msr.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index ef688804f80d..fbcce028e502 100644
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
- 	int err = 0;
- 	ssize_t bytes = 0;
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	if (count % 8)
- 		return -EINVAL;	/* Invalid chunk size */
- 
-@@ -131,6 +134,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
- 			err = -EBADF;
- 			break;
- 		}
-+		if (kernel_is_locked_down()) {
-+			err = -EPERM;
-+			break;
-+		}
- 		if (copy_from_user(&regs, uregs, sizeof regs)) {
- 			err = -EFAULT;
- 			break;
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
deleted file mode 100644
index 474c6351b6..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 5b4be098985432633142dee28ad9176499af5f9d Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is
- locked down
-
-We have no way of validating what all of the Asus WMI methods do on a given
-machine - and there's a risk that some will allow hardware state to be
-manipulated in such a way that arbitrary code can be executed in the
-kernel, circumventing module loading restrictions.  Prevent that if the
-kernel is locked down.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- drivers/platform/x86/asus-wmi.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index 709e3a67391a..2d8db47698b2 100644
---- a/drivers/platform/x86/asus-wmi.c
-+++ b/drivers/platform/x86/asus-wmi.c
-@@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data)
- 	int err;
- 	u32 retval = -1;
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
- 
- 	if (err < 0)
-@@ -1921,6 +1924,9 @@ static int show_devs(struct seq_file *m, void *data)
- 	int err;
- 	u32 retval = -1;
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
- 				    &retval);
- 
-@@ -1945,6 +1951,9 @@ static int show_call(struct seq_file *m, void *data)
- 	union acpi_object *obj;
- 	acpi_status status;
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
- 				     1, asus->debug.method_id,
- 				     &input, &output);
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
deleted file mode 100644
index f170f9ecf7..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 8b0ac11c7a779c7e3410309a2a3149e3569d4be3 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is
- locked down
-
-custom_method effectively allows arbitrary access to system memory, making
-it possible for an attacker to circumvent restrictions on module loading.
-Disable it if the kernel is locked down.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- drivers/acpi/custom_method.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index c68e72414a67..e4d721c330c0 100644
---- a/drivers/acpi/custom_method.c
-+++ b/drivers/acpi/custom_method.c
-@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
- 	struct acpi_table_header table;
- 	acpi_status status;
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	if (!(*ppos)) {
- 		/* parse the table header to get the table length */
- 		if (count <= sizeof(struct acpi_table_header))
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
deleted file mode 100644
index 0a3b9cfc8a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 32ed0045e519827e0d28461e917f33fb2a06e096 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has
- been locked down
-
-This option allows userspace to pass the RSDP address to the kernel, which
-makes it possible for a user to circumvent any restrictions imposed on
-loading modules.  Ignore the option when the kernel is locked down.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- drivers/acpi/osl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index db78d353bab1..d4d4ba348451 100644
---- a/drivers/acpi/osl.c
-+++ b/drivers/acpi/osl.c
-@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
- 	acpi_physical_address pa = 0;
- 
- #ifdef CONFIG_KEXEC
--	if (acpi_rsdp)
-+	if (acpi_rsdp && !kernel_is_locked_down())
- 		return acpi_rsdp;
- #endif
- 
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
deleted file mode 100644
index c4fa5c4cf4..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 86e762ccc5c54715db1bacaa3af07b3e78853fa0 Mon Sep 17 00:00:00 2001
-From: Linn Crosetto <linn@hpe.com>
-Date: Wed, 23 Nov 2016 13:32:27 +0000
-Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is
- locked down
-
-From the kernel documentation (initrd_table_override.txt):
-
-  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
-  to override nearly any ACPI table provided by the BIOS with an
-  instrumented, modified one.
-
-When securelevel is set, the kernel should disallow any unauthenticated
-changes to kernel space.  ACPI tables contain code invoked by the kernel,
-so do not allow ACPI tables to be overridden if the kernel is locked down.
-
-Signed-off-by: Linn Crosetto <linn@hpe.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- drivers/acpi/tables.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
-index ff425390bfa8..c72bfa97888a 100644
---- a/drivers/acpi/tables.c
-+++ b/drivers/acpi/tables.c
-@@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void)
- 	if (table_nr == 0)
- 		return;
- 
-+	if (kernel_is_locked_down()) {
-+		pr_notice("kernel is locked down, ignoring table override\n");
-+		return;
-+	}
-+
- 	acpi_tables_addr =
- 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
- 				       all_tables_size, PAGE_SIZE);
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
deleted file mode 100644
index c22d977fd6..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From a8524e54341eaec538518b84404a2750cc54726e Mon Sep 17 00:00:00 2001
-From: Linn Crosetto <linn@hpe.com>
-Date: Wed, 23 Nov 2016 13:39:41 +0000
-Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is
- locked down
-
-ACPI provides an error injection mechanism, EINJ, for debugging and testing
-the ACPI Platform Error Interface (APEI) and other RAS features.  If
-supported by the firmware, ACPI specification 5.0 and later provide for a
-way to specify a physical memory address to which to inject the error.
-
-Injecting errors through EINJ can produce errors which to the platform are
-indistinguishable from real hardware errors.  This can have undesirable
-side-effects, such as causing the platform to mark hardware as needing
-replacement.
-
-While it does not provide a method to load unauthenticated privileged code,
-the effect of these errors may persist across reboots and affect trust in
-the underlying hardware, so disable error injection through EINJ if
-the kernel is locked down.
-
-Signed-off-by: Linn Crosetto <linn@hpe.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- drivers/acpi/apei/einj.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
-index ec50c32ea3da..e082718d01c2 100644
---- a/drivers/acpi/apei/einj.c
-+++ b/drivers/acpi/apei/einj.c
-@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
- 	int rc;
- 	u64 base_addr, size;
- 
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	/* If user manually set "flags", make sure it is legal */
- 	if (flags && (flags &
- 		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
deleted file mode 100644
index 2529bbcf4d..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 7ef44d71258767987f7eb9707d6931dd14a6dabb Mon Sep 17 00:00:00 2001
-From: "Lee, Chun-Yi" <jlee@suse.com>
-Date: Wed, 23 Nov 2016 13:52:16 +0000
-Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the
- kernel is locked down
-
-There are some bpf functions can be used to read kernel memory:
-bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
-private keys in kernel memory (e.g. the hibernation image signing key) to
-be read by an eBPF program.  Prohibit those functions when the kernel is
-locked down.
-
-Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- kernel/trace/bpf_trace.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
-index dc498b605d5d..fb240222b89b 100644
---- a/kernel/trace/bpf_trace.c
-+++ b/kernel/trace/bpf_trace.c
-@@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
- {
- 	int ret;
- 
-+	if (kernel_is_locked_down()) {
-+		memset(dst, 0, size);
-+		return -EPERM;
-+	}
-+
- 	ret = probe_kernel_read(dst, unsafe_ptr, size);
- 	if (unlikely(ret < 0))
- 		memset(dst, 0, size);
-@@ -84,6 +89,9 @@ static const struct bpf_func_proto bpf_probe_read_proto = {
- BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
- 	   u32, size)
- {
-+	if (kernel_is_locked_down())
-+		return -EPERM;
-+
- 	/*
- 	 * Ensure we're in user context which is safe for the helper to
- 	 * run. This helper has no business in a kthread.
-@@ -143,6 +151,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
- 	if (fmt[--fmt_size] != 0)
- 		return -EINVAL;
- 
-+	if (kernel_is_locked_down())
-+		return __trace_printk(1, fmt, 0, 0, 0);
-+
- 	/* check format string for allowed specifiers */
- 	for (i = 0; i < fmt_size; i++) {
- 		if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch
deleted file mode 100644
index e55d2a5515..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From d6318af7b03564be2094d496321d797e7e5fff38 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 22 Nov 2016 10:10:34 +0000
-Subject: [PATCH 20/25] scsi: Lock down the eata driver
-
-When the kernel is running in secure boot mode, we lock down the kernel to
-prevent userspace from modifying the running kernel image.  Whilst this
-includes prohibiting access to things like /dev/mem, it must also prevent
-access by means of configuring driver modules in such a way as to cause a
-device to access or modify the kernel image.
-
-The eata driver takes a single string parameter that contains a slew of
-settings, including hardware resource configuration.  Prohibit use of the
-parameter if the kernel is locked down.
-
-Suggested-by: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: Dario Ballabio <ballabio_dario@emc.com>
-cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
-cc: "Martin K. Petersen" <martin.petersen@oracle.com>
-cc: linux-scsi@vger.kernel.org
----
- drivers/scsi/eata.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
-index 227dd2c2ec2f..5c036d10c18b 100644
---- a/drivers/scsi/eata.c
-+++ b/drivers/scsi/eata.c
-@@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
- 
- 	tpnt->proc_name = "eata2x";
- 
--	if (strlen(boot_options))
-+	if (strlen(boot_options)) {
-+		if (kernel_is_locked_down()) {
-+			pr_err("Command line-specified device addresses, irqs and dma channels are not permitted when the kernel is locked down\n");
-+			return -EPERM;
-+		}
- 		option_setup(boot_options);
-+	}
- 
- #if defined(MODULE)
- 	/* io_port could have been modified when loading as a module */
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
deleted file mode 100644
index 9447db9c2c..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 8a34e69703cc6ee10538aa6139cac1cd7707e2b7 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Fri, 25 Nov 2016 14:37:45 +0000
-Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked
- down
-
-Prohibit replacement of the PCMCIA Card Information Structure when the
-kernel is locked down.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- drivers/pcmcia/cistpl.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
-index 55ef7d1fd8da..193e4f7b73b1 100644
---- a/drivers/pcmcia/cistpl.c
-+++ b/drivers/pcmcia/cistpl.c
-@@ -1578,6 +1578,11 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
- 	struct pcmcia_socket *s;
- 	int error;
- 
-+	if (kernel_is_locked_down()) {
-+		pr_err("Direct CIS storage isn't permitted when the kernel is locked down\n");
-+		return -EPERM;
-+	}
-+
- 	s = to_socket(container_of(kobj, struct device, kobj));
- 
- 	if (off)
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch
deleted file mode 100644
index f020fe6b27..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 69b2167a1b1521b6e5fc30df84afbebc428c9616 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Wed, 7 Dec 2016 10:28:39 +0000
-Subject: [PATCH 22/25] Lock down TIOCSSERIAL
-
-Lock down TIOCSSERIAL as that can be used to change the ioport and irq
-settings on a serial port.  This only appears to be an issue for the serial
-drivers that use the core serial code.  All other drivers seem to either
-ignore attempts to change port/irq or give an error.
-
-Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- drivers/tty/serial/serial_core.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index f534a40aebde..e32c0179f423 100644
---- a/drivers/tty/serial/serial_core.c
-+++ b/drivers/tty/serial/serial_core.c
-@@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
- 	new_flags = new_info->flags;
- 	old_custom_divisor = uport->custom_divisor;
- 
-+	if ((change_port || change_irq) && kernel_is_locked_down()) {
-+		pr_err("Using TIOCSSERIAL to change device addresses, irqs and dma channels is not permitted when the kernel is locked down\n");
-+		retval = -EPERM;
-+		goto exit;
-+	}
-+
- 	if (!capable(CAP_SYS_ADMIN)) {
- 		retval = -EPERM;
- 		if (change_irq || change_port ||
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-cifs-Select-all-required-crypto-modules.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-cifs-Select-all-required-crypto-modules.patch
deleted file mode 100644
index 800e1bc1c3..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-cifs-Select-all-required-crypto-modules.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From c9232d15690a040d3145df1524feb16adc7cc1e2 Mon Sep 17 00:00:00 2001
-From: Benjamin Gilbert <benjamin.gilbert@coreos.com>
-Date: Thu, 19 Oct 2017 11:36:02 -0700
-Subject: [PATCH 25/25] cifs: Select all required crypto modules
-
-Some dependencies were lost when CIFS_SMB2 was merged into CIFS.
-
-Fixes: 2a38e12053b7 ("[SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred")
-Signed-off-by: Benjamin Gilbert <benjamin.gilbert@coreos.com>
----
- fs/cifs/Kconfig | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig
-index f7243617316c..d5b2e12b5d02 100644
---- a/fs/cifs/Kconfig
-+++ b/fs/cifs/Kconfig
-@@ -5,9 +5,14 @@ config CIFS
- 	select CRYPTO
- 	select CRYPTO_MD4
- 	select CRYPTO_MD5
-+	select CRYPTO_SHA256
-+	select CRYPTO_CMAC
- 	select CRYPTO_HMAC
- 	select CRYPTO_ARC4
-+	select CRYPTO_AEAD2
-+	select CRYPTO_CCM
- 	select CRYPTO_ECB
-+	select CRYPTO_AES
- 	select CRYPTO_DES
- 	help
- 	  This is the client VFS module for the SMB3 family of NAS protocols,
--- 
-2.14.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
similarity index 83%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
index 13fb64743f..11e81409dc 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
@@ -1,7 +1,7 @@
-From 6c2e0596ec4e0ece32270d154fba77bdb935c90f Mon Sep 17 00:00:00 2001
+From 7329baa990ea7d362c3309d632c643369a19b3b9 Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 1/2] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 0e30a0d282e8..7e77d910cfe3 100644
+index 5f91a28a3cea..3e1a2bf33df4 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -142,7 +142,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
@@ -26,5 +26,5 @@ index 0e30a0d282e8..7e77d910cfe3 100644
  
  # Leave processing to above invocation of make
 -- 
-2.14.1
+2.13.6
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0002-Add-arm64-coreos-verity-hash.patch
similarity index 85%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0002-Add-arm64-coreos-verity-hash.patch
index 66a2559b59..82e26fa0cf 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0002-Add-arm64-coreos-verity-hash.patch
@@ -1,7 +1,7 @@
-From 593c5f6202f0119be99c8d677fda9935e72cd2c5 Mon Sep 17 00:00:00 2001
+From 62e678f4c3d7f967e61843c7d6887c09464f815d Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 24/25] Add arm64 coreos verity hash
+Subject: [PATCH 2/2] Add arm64 coreos verity hash
 
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---
@@ -25,5 +25,5 @@ index 613fc3000677..fdaf86c78332 100644
  	/*
  	 * The debug table is referenced via its Relative Virtual Address (RVA),
 -- 
-2.14.1
+2.13.6