From 587c175e76eefca5c421fbbd46854fe5635f3581 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Wed, 12 Aug 2015 10:48:33 -0700
Subject: [PATCH 1/2] coreos-kernel: bump to 4.1.5
---
 ...coreos-kernel-4.1.4-r1.ebuild => coreos-kernel-4.1.5.ebuild} | 2 +-
 ...reos-sources-4.1.4-r1.ebuild => coreos-sources-4.1.5.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.1.4-r1.ebuild => coreos-kernel-4.1.5.ebuild} (86%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.1.4-r1.ebuild => coreos-sources-4.1.5.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.1.4-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.1.5.ebuild
similarity index 86%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.1.4-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.1.5.ebuild
index 4cdc6203e3..ad6f2587f5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.1.4-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.1.5.ebuild
@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION="-r1"
+COREOS_SOURCE_REVISION=""
 inherit coreos-kernel
 
 DESCRIPTION="CoreOS Linux kernel"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.1.4-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.1.5.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.1.4-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.1.5.ebuild
From 357754137b53410e0105637ea0192a0b54d818eb Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Wed, 12 Aug 2015 11:04:04 -0700
Subject: [PATCH 2/2] coreos-kernel: drop old 4.0 kernel
---
 .../coreos-kernel/coreos-kernel-4.0.9.ebuild | 9 -
 .../coreos-kernel/files/amd64_defconfig-4.0 | 941 ------------------
 .../coreos-kernel/files/arm64_defconfig-4.0 | 201 ----
 .../coreos-sources-4.0.9.ebuild | 29 -
 .../4.0/01-Add-secure_modules-call.patch | 60 --
 ...R-access-when-module-security-is-ena.patch | 113 ---
 ...-port-access-when-module-security-is.patch | 67 --
 ...4-ACPI-Limit-access-to-custom_method.patch | 27 -
 ...t-debugfs-interface-when-module-load.patch | 50 -
 ...-and-dev-kmem-when-module-loading-is.patch | 38 -
 ..._rsdp-kernel-parameter-when-module-l.patch | 35 -
 ...-runtime-if-the-kernel-enforces-modu.patch | 40 -
 ...-access-when-module-loading-is-restr.patch | 39 -
 ...tomatically-enforce-module-signature.patch | 182 ----
 ...ure-boot-if-shim-is-in-insecure-mode.patch | 54 -
 ...ECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch | 26 -
 .../4.0/13-efi-Add-EFI_SECURE_BOOT-bit.patch | 39 -
 ...able-in-a-signed-modules-environment.patch | 35 -
 18 files changed, 1985 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.0.9.ebuild
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.0
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.0
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.0.9.ebuild
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/01-Add-secure_modules-call.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/03-x86-Lock-down-IO-port-access-when-module-security-is.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/04-ACPI-Limit-access-to-custom_method.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/10-Add-option-to-automatically-enforce-module-signature.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/13-efi-Add-EFI_SECURE_BOOT-bit.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/14-hibernate-Disable-in-a-signed-modules-environment.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.0.9.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.0.9.ebuild
deleted file mode 100644
index ad6f2587f5..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.0.9.ebuild
+++ /dev/null
@@ -1,9 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-COREOS_SOURCE_REVISION=""
-inherit coreos-kernel
-
-DESCRIPTION="CoreOS Linux kernel"
-KEYWORDS="amd64 arm64"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.0 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.0
deleted file mode 100644
index bdb2880d97..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.0
+++ /dev/null
@@ -1,941 +0,0 @@ -# CONFIG_LOCALVERSION_AUTO is not set -CONFIG_SYSVIPC=y -CONFIG_POSIX_MQUEUE=y -# CONFIG_CROSS_MEMORY_ATTACH is not set -CONFIG_FHANDLE=y -CONFIG_AUDIT=y -CONFIG_NO_HZ=y -CONFIG_HIGH_RES_TIMERS=y -CONFIG_IRQ_TIME_ACCOUNTING=y -CONFIG_BSD_PROCESS_ACCT=y -CONFIG_BSD_PROCESS_ACCT_V3=y -CONFIG_TASK_XACCT=y -CONFIG_TASK_IO_ACCOUNTING=y -CONFIG_IKCONFIG=y -CONFIG_IKCONFIG_PROC=y -CONFIG_LOG_BUF_SHIFT=18 -CONFIG_NUMA_BALANCING=y -CONFIG_CGROUP_FREEZER=y -CONFIG_CGROUP_DEVICE=y -CONFIG_CPUSETS=y -CONFIG_CGROUP_CPUACCT=y -CONFIG_MEMCG=y -CONFIG_MEMCG_SWAP=y -CONFIG_MEMCG_KMEM=y -CONFIG_CGROUP_PERF=y -CONFIG_CFS_BANDWIDTH=y -CONFIG_RT_GROUP_SCHED=y -CONFIG_BLK_CGROUP=y -CONFIG_CHECKPOINT_RESTORE=y -CONFIG_NAMESPACES=y -CONFIG_USER_NS=y -CONFIG_SCHED_AUTOGROUP=y -CONFIG_BLK_DEV_INITRD=y -CONFIG_INITRAMFS_SOURCE="bootengine.cpio" -CONFIG_EXPERT=y -# CONFIG_COMPAT_BRK is not set -CONFIG_PROFILING=y -CONFIG_JUMP_LABEL=y -CONFIG_CC_STACKPROTECTOR_REGULAR=y -CONFIG_MODULES=y -CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_SIG=y -CONFIG_MODULE_SIG_SHA256=y -CONFIG_BLK_DEV_THROTTLING=y -CONFIG_PARTITION_ADVANCED=y -CONFIG_BSD_DISKLABEL=y -CONFIG_MINIX_SUBPARTITION=y -CONFIG_SOLARIS_X86_PARTITION=y -CONFIG_UNIXWARE_DISKLABEL=y -CONFIG_CFQ_GROUP_IOSCHED=y -CONFIG_SMP=y -CONFIG_X86_X2APIC=y -# CONFIG_X86_MPPARSE is not set -# CONFIG_X86_EXTENDED_PLATFORM is not set -CONFIG_X86_INTEL_LPSS=y -CONFIG_IOSF_MBI=m -CONFIG_HYPERVISOR_GUEST=y -CONFIG_PARAVIRT=y -CONFIG_PARAVIRT_SPINLOCKS=y -CONFIG_XEN=y -CONFIG_XEN_DEBUG_FS=y -CONFIG_XEN_PVH=y -CONFIG_PARAVIRT_TIME_ACCOUNTING=y -CONFIG_MEMTEST=y -CONFIG_GART_IOMMU=y -CONFIG_NR_CPUS=128 -CONFIG_SCHED_SMT=y -CONFIG_PREEMPT_VOLUNTARY=y -CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y -# CONFIG_X86_16BIT is not set -CONFIG_MICROCODE=m -CONFIG_MICROCODE_AMD=y -CONFIG_X86_MSR=m -CONFIG_X86_CPUID=m -CONFIG_NUMA=y -CONFIG_NODES_SHIFT=7 -CONFIG_ARCH_MEMORY_PROBE=y -CONFIG_MEMORY_HOTPLUG=y -CONFIG_MEMORY_HOTREMOVE=y -CONFIG_KSM=y 
-CONFIG_MEMORY_FAILURE=y -CONFIG_TRANSPARENT_HUGEPAGE=y -CONFIG_CLEANCACHE=y -CONFIG_FRONTSWAP=y -CONFIG_ZSMALLOC=m -CONFIG_X86_CHECK_BIOS_CORRUPTION=y -# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set -CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=1 -CONFIG_EFI=y -CONFIG_EFI_STUB=y -CONFIG_HZ_1000=y -CONFIG_KEXEC=y -CONFIG_KEXEC_FILE=y -CONFIG_KEXEC_VERIFY_SIG=y -CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y -CONFIG_CRASH_DUMP=y -CONFIG_KEXEC_JUMP=y -CONFIG_PHYSICAL_ALIGN=0x1000000 -CONFIG_CMDLINE_BOOL=y -CONFIG_CMDLINE="init=/usr/lib/systemd/systemd rootflags=rw mount.usrflags=ro" -CONFIG_HIBERNATION=y -# CONFIG_ACPI_AC is not set -# CONFIG_ACPI_BATTERY is not set -CONFIG_ACPI_BUTTON=m -CONFIG_ACPI_FAN=m -CONFIG_ACPI_IPMI=m -CONFIG_ACPI_PROCESSOR_AGGREGATOR=y -CONFIG_ACPI_PCI_SLOT=y -CONFIG_ACPI_HOTPLUG_MEMORY=y -CONFIG_ACPI_APEI=y -CONFIG_ACPI_APEI_GHES=y -CONFIG_ACPI_APEI_PCIEAER=y -CONFIG_ACPI_APEI_MEMORY_FAILURE=y -CONFIG_ACPI_APEI_ERST_DEBUG=m -CONFIG_PMIC_OPREGION=y -CONFIG_CPU_FREQ=y -CONFIG_CPU_FREQ_STAT=m -CONFIG_CPU_FREQ_STAT_DETAILS=y -CONFIG_CPU_FREQ_GOV_POWERSAVE=m -CONFIG_CPU_FREQ_GOV_USERSPACE=m -CONFIG_CPU_FREQ_GOV_ONDEMAND=m -CONFIG_CPU_FREQ_GOV_CONSERVATIVE=m -CONFIG_X86_INTEL_PSTATE=y -CONFIG_X86_PCC_CPUFREQ=m -CONFIG_X86_ACPI_CPUFREQ=m -# CONFIG_X86_ACPI_CPUFREQ_CPB is not set -CONFIG_X86_AMD_FREQ_SENSITIVITY=m -CONFIG_INTEL_IDLE=y -CONFIG_I7300_IDLE=m -CONFIG_PCI_MMCONFIG=y -CONFIG_PCIEPORTBUS=y -CONFIG_HOTPLUG_PCI_PCIE=y -CONFIG_PCIE_ECRC=y -CONFIG_XEN_PCIDEV_FRONTEND=m -CONFIG_HOTPLUG_PCI=y -CONFIG_HOTPLUG_PCI_ACPI=y -CONFIG_HOTPLUG_PCI_ACPI_IBM=m -CONFIG_IA32_EMULATION=y -CONFIG_NET=y -CONFIG_PACKET=y -CONFIG_PACKET_DIAG=m -CONFIG_UNIX=y -CONFIG_UNIX_DIAG=m -CONFIG_XFRM_USER=m -CONFIG_XFRM_SUB_POLICY=y -CONFIG_XFRM_MIGRATE=y -CONFIG_XFRM_STATISTICS=y -CONFIG_NET_KEY=m -CONFIG_INET=y -CONFIG_IP_MULTICAST=y -CONFIG_IP_ADVANCED_ROUTER=y -CONFIG_IP_FIB_TRIE_STATS=y -CONFIG_IP_MULTIPLE_TABLES=y -CONFIG_IP_ROUTE_MULTIPATH=y -CONFIG_IP_ROUTE_VERBOSE=y 
-CONFIG_IP_PNP=y -CONFIG_IP_PNP_DHCP=y -CONFIG_IP_PNP_BOOTP=y -CONFIG_NET_IPIP=m -CONFIG_NET_IPGRE_DEMUX=m -CONFIG_NET_IPGRE=m -CONFIG_NET_IPGRE_BROADCAST=y -CONFIG_IP_MROUTE=y -CONFIG_IP_MROUTE_MULTIPLE_TABLES=y -CONFIG_IP_PIMSM_V1=y -CONFIG_IP_PIMSM_V2=y -CONFIG_NET_IPVTI=m -CONFIG_NET_FOU_IP_TUNNELS=y -CONFIG_GENEVE=m -CONFIG_INET_AH=m -CONFIG_INET_ESP=m -CONFIG_INET_IPCOMP=m -CONFIG_INET_XFRM_MODE_TRANSPORT=m -CONFIG_INET_XFRM_MODE_TUNNEL=m -CONFIG_INET_XFRM_MODE_BEET=m -CONFIG_INET_LRO=m -CONFIG_INET_DIAG=m -CONFIG_INET_UDP_DIAG=m -CONFIG_TCP_CONG_ADVANCED=y -# CONFIG_TCP_CONG_BIC is not set -# CONFIG_TCP_CONG_WESTWOOD is not set -# CONFIG_TCP_CONG_HTCP is not set -CONFIG_TCP_MD5SIG=y -CONFIG_IPV6=y -CONFIG_IPV6_ROUTER_PREF=y -CONFIG_IPV6_ROUTE_INFO=y -CONFIG_IPV6_OPTIMISTIC_DAD=y -CONFIG_INET6_AH=m -CONFIG_INET6_ESP=m -CONFIG_INET6_IPCOMP=m -CONFIG_IPV6_MIP6=m -CONFIG_INET6_XFRM_MODE_TRANSPORT=m -CONFIG_INET6_XFRM_MODE_TUNNEL=m -CONFIG_INET6_XFRM_MODE_BEET=m -CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m -CONFIG_IPV6_VTI=m -CONFIG_IPV6_SIT=m -CONFIG_IPV6_SIT_6RD=y -CONFIG_IPV6_GRE=m -CONFIG_IPV6_MULTIPLE_TABLES=y -CONFIG_IPV6_SUBTREES=y -CONFIG_IPV6_MROUTE=y -CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y -CONFIG_IPV6_PIMSM_V2=y -CONFIG_NETWORK_PHY_TIMESTAMPING=y -CONFIG_NETFILTER=y -CONFIG_NF_CONNTRACK=m -CONFIG_NF_CONNTRACK_SECMARK=y -CONFIG_NF_CONNTRACK_ZONES=y -CONFIG_NF_CONNTRACK_EVENTS=y -CONFIG_NF_CONNTRACK_TIMEOUT=y -CONFIG_NF_CONNTRACK_TIMESTAMP=y -CONFIG_NF_CT_PROTO_UDPLITE=m -CONFIG_NF_CONNTRACK_AMANDA=m -CONFIG_NF_CONNTRACK_FTP=m -CONFIG_NF_CONNTRACK_H323=m -CONFIG_NF_CONNTRACK_IRC=m -CONFIG_NF_CONNTRACK_NETBIOS_NS=m -CONFIG_NF_CONNTRACK_SNMP=m -CONFIG_NF_CONNTRACK_PPTP=m -CONFIG_NF_CONNTRACK_SANE=m -CONFIG_NF_CONNTRACK_SIP=m -CONFIG_NF_CONNTRACK_TFTP=m -CONFIG_NF_CT_NETLINK=m -CONFIG_NF_CT_NETLINK_TIMEOUT=m -CONFIG_NF_CT_NETLINK_HELPER=m -CONFIG_NETFILTER_NETLINK_QUEUE_CT=y -CONFIG_NETFILTER_XTABLES=y -CONFIG_NETFILTER_XT_SET=m 
-CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m -CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m -CONFIG_NETFILTER_XT_TARGET_CONNMARK=m -CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m -CONFIG_NETFILTER_XT_TARGET_CT=m -CONFIG_NETFILTER_XT_TARGET_DSCP=m -CONFIG_NETFILTER_XT_TARGET_HMARK=m -CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m -CONFIG_NETFILTER_XT_TARGET_LOG=m -CONFIG_NETFILTER_XT_TARGET_MARK=m -CONFIG_NETFILTER_XT_TARGET_NFLOG=m -CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_TEE=m -CONFIG_NETFILTER_XT_TARGET_TPROXY=m -CONFIG_NETFILTER_XT_TARGET_TRACE=m -CONFIG_NETFILTER_XT_TARGET_SECMARK=m -CONFIG_NETFILTER_XT_TARGET_TCPMSS=m -CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m -CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m -CONFIG_NETFILTER_XT_MATCH_BPF=m -CONFIG_NETFILTER_XT_MATCH_CGROUP=m -CONFIG_NETFILTER_XT_MATCH_CLUSTER=m -CONFIG_NETFILTER_XT_MATCH_COMMENT=m -CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m -CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m -CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m -CONFIG_NETFILTER_XT_MATCH_CONNMARK=m -CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m -CONFIG_NETFILTER_XT_MATCH_CPU=m -CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m -CONFIG_NETFILTER_XT_MATCH_DSCP=m -CONFIG_NETFILTER_XT_MATCH_ESP=m -CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m -CONFIG_NETFILTER_XT_MATCH_HELPER=m -CONFIG_NETFILTER_XT_MATCH_IPCOMP=m -CONFIG_NETFILTER_XT_MATCH_IPRANGE=m -CONFIG_NETFILTER_XT_MATCH_IPVS=m -CONFIG_NETFILTER_XT_MATCH_L2TP=m -CONFIG_NETFILTER_XT_MATCH_LENGTH=m -CONFIG_NETFILTER_XT_MATCH_LIMIT=m -CONFIG_NETFILTER_XT_MATCH_MAC=m -CONFIG_NETFILTER_XT_MATCH_MARK=m -CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m -CONFIG_NETFILTER_XT_MATCH_NFACCT=m -CONFIG_NETFILTER_XT_MATCH_OSF=m -CONFIG_NETFILTER_XT_MATCH_OWNER=m -CONFIG_NETFILTER_XT_MATCH_POLICY=m -CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m -CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m -CONFIG_NETFILTER_XT_MATCH_QUOTA=m -CONFIG_NETFILTER_XT_MATCH_RATEEST=m -CONFIG_NETFILTER_XT_MATCH_REALM=m -CONFIG_NETFILTER_XT_MATCH_RECENT=m -CONFIG_NETFILTER_XT_MATCH_SOCKET=m 
-CONFIG_NETFILTER_XT_MATCH_STATE=m -CONFIG_NETFILTER_XT_MATCH_STATISTIC=m -CONFIG_NETFILTER_XT_MATCH_STRING=m -CONFIG_NETFILTER_XT_MATCH_TCPMSS=m -CONFIG_NETFILTER_XT_MATCH_TIME=m -CONFIG_NETFILTER_XT_MATCH_U32=m -CONFIG_IP_SET=m -CONFIG_IP_SET_BITMAP_IP=m -CONFIG_IP_SET_BITMAP_IPMAC=m -CONFIG_IP_SET_BITMAP_PORT=m -CONFIG_IP_SET_HASH_IP=m -CONFIG_IP_SET_HASH_IPMARK=m -CONFIG_IP_SET_HASH_IPPORT=m -CONFIG_IP_SET_HASH_IPPORTIP=m -CONFIG_IP_SET_HASH_IPPORTNET=m -CONFIG_IP_SET_HASH_MAC=m -CONFIG_IP_SET_HASH_NETPORTNET=m -CONFIG_IP_SET_HASH_NET=m -CONFIG_IP_SET_HASH_NETNET=m -CONFIG_IP_SET_HASH_NETPORT=m -CONFIG_IP_SET_HASH_NETIFACE=m -CONFIG_IP_SET_LIST_SET=m -CONFIG_IP_VS=m -CONFIG_IP_VS_IPV6=y -CONFIG_IP_VS_PROTO_TCP=y -CONFIG_IP_VS_PROTO_UDP=y -CONFIG_IP_VS_PROTO_ESP=y -CONFIG_IP_VS_PROTO_AH=y -CONFIG_IP_VS_PROTO_SCTP=y -CONFIG_IP_VS_RR=m -CONFIG_IP_VS_WRR=m -CONFIG_IP_VS_LC=m -CONFIG_IP_VS_WLC=m -CONFIG_IP_VS_FO=m -CONFIG_IP_VS_LBLC=m -CONFIG_IP_VS_LBLCR=m -CONFIG_IP_VS_DH=m -CONFIG_IP_VS_SH=m -CONFIG_IP_VS_SED=m -CONFIG_IP_VS_NQ=m -CONFIG_IP_VS_FTP=m -CONFIG_IP_VS_PE_SIP=m -CONFIG_NF_CONNTRACK_IPV4=m -# CONFIG_NF_CONNTRACK_PROC_COMPAT is not set -CONFIG_IP_NF_IPTABLES=m -CONFIG_IP_NF_MATCH_AH=m -CONFIG_IP_NF_MATCH_ECN=m -CONFIG_IP_NF_MATCH_RPFILTER=m -CONFIG_IP_NF_MATCH_TTL=m -CONFIG_IP_NF_FILTER=m -CONFIG_IP_NF_TARGET_REJECT=m -CONFIG_IP_NF_TARGET_SYNPROXY=m -CONFIG_IP_NF_NAT=m -CONFIG_IP_NF_TARGET_MASQUERADE=m -CONFIG_IP_NF_TARGET_NETMAP=m -CONFIG_IP_NF_TARGET_REDIRECT=m -CONFIG_IP_NF_MANGLE=m -CONFIG_IP_NF_TARGET_CLUSTERIP=m -CONFIG_IP_NF_TARGET_ECN=m -CONFIG_IP_NF_TARGET_TTL=m -CONFIG_IP_NF_RAW=m -CONFIG_IP_NF_ARPTABLES=m -CONFIG_IP_NF_ARPFILTER=m -CONFIG_IP_NF_ARP_MANGLE=m -CONFIG_NF_CONNTRACK_IPV6=m -CONFIG_IP6_NF_MATCH_AH=m -CONFIG_IP6_NF_MATCH_EUI64=m -CONFIG_IP6_NF_MATCH_FRAG=m -CONFIG_IP6_NF_MATCH_OPTS=m -CONFIG_IP6_NF_MATCH_HL=m -CONFIG_IP6_NF_MATCH_IPV6HEADER=m -CONFIG_IP6_NF_MATCH_MH=m -CONFIG_IP6_NF_MATCH_RPFILTER=m -CONFIG_IP6_NF_MATCH_RT=m 
-CONFIG_IP6_NF_TARGET_HL=m -CONFIG_IP6_NF_FILTER=m -CONFIG_IP6_NF_TARGET_REJECT=m -CONFIG_IP6_NF_TARGET_SYNPROXY=m -CONFIG_IP6_NF_MANGLE=m -CONFIG_IP6_NF_RAW=m -CONFIG_IP6_NF_NAT=m -CONFIG_IP6_NF_TARGET_MASQUERADE=m -CONFIG_IP6_NF_TARGET_NPT=m -CONFIG_BRIDGE_NF_EBTABLES=m -CONFIG_BRIDGE_EBT_BROUTE=m -CONFIG_BRIDGE_EBT_T_FILTER=m -CONFIG_BRIDGE_EBT_T_NAT=m -CONFIG_BRIDGE_EBT_802_3=m -CONFIG_BRIDGE_EBT_AMONG=m -CONFIG_BRIDGE_EBT_ARP=m -CONFIG_BRIDGE_EBT_IP=m -CONFIG_BRIDGE_EBT_IP6=m -CONFIG_BRIDGE_EBT_LIMIT=m -CONFIG_BRIDGE_EBT_MARK=m -CONFIG_BRIDGE_EBT_PKTTYPE=m -CONFIG_BRIDGE_EBT_STP=m -CONFIG_BRIDGE_EBT_VLAN=m -CONFIG_BRIDGE_EBT_ARPREPLY=m -CONFIG_BRIDGE_EBT_DNAT=m -CONFIG_BRIDGE_EBT_MARK_T=m -CONFIG_BRIDGE_EBT_REDIRECT=m -CONFIG_BRIDGE_EBT_SNAT=m -CONFIG_BRIDGE_EBT_LOG=m -CONFIG_BRIDGE_EBT_NFLOG=m -CONFIG_IP_DCCP=m -CONFIG_IP_SCTP=m -CONFIG_SCTP_COOKIE_HMAC_SHA1=y -CONFIG_RDS=m -CONFIG_RDS_RDMA=m -CONFIG_RDS_TCP=m -CONFIG_BRIDGE=m -CONFIG_BRIDGE_VLAN_FILTERING=y -CONFIG_VLAN_8021Q=m -CONFIG_VLAN_8021Q_GVRP=y -CONFIG_VLAN_8021Q_MVRP=y -CONFIG_NET_SCHED=y -CONFIG_NET_SCH_CBQ=m -CONFIG_NET_SCH_HTB=m -CONFIG_NET_SCH_HFSC=m -CONFIG_NET_SCH_PRIO=m -CONFIG_NET_SCH_MULTIQ=m -CONFIG_NET_SCH_RED=m -CONFIG_NET_SCH_SFB=m -CONFIG_NET_SCH_SFQ=m -CONFIG_NET_SCH_TEQL=m -CONFIG_NET_SCH_TBF=m -CONFIG_NET_SCH_GRED=m -CONFIG_NET_SCH_DSMARK=m -CONFIG_NET_SCH_NETEM=m -CONFIG_NET_SCH_DRR=m -CONFIG_NET_SCH_MQPRIO=m -CONFIG_NET_SCH_CHOKE=m -CONFIG_NET_SCH_QFQ=m -CONFIG_NET_SCH_CODEL=m -CONFIG_NET_SCH_FQ_CODEL=m -CONFIG_NET_SCH_FQ=m -CONFIG_NET_SCH_HHF=m -CONFIG_NET_SCH_PIE=m -CONFIG_NET_SCH_INGRESS=m -CONFIG_NET_SCH_PLUG=m -CONFIG_NET_CLS_BASIC=m -CONFIG_NET_CLS_TCINDEX=m -CONFIG_NET_CLS_ROUTE4=m -CONFIG_NET_CLS_FW=m -CONFIG_NET_CLS_U32=m -CONFIG_CLS_U32_PERF=y -CONFIG_CLS_U32_MARK=y -CONFIG_NET_CLS_RSVP=m -CONFIG_NET_CLS_RSVP6=m -CONFIG_NET_CLS_FLOW=m -CONFIG_NET_CLS_CGROUP=m -CONFIG_NET_CLS_BPF=m -CONFIG_NET_EMATCH=y -CONFIG_NET_EMATCH_CMP=m -CONFIG_NET_EMATCH_NBYTE=m 
-CONFIG_NET_EMATCH_U32=m -CONFIG_NET_EMATCH_META=m -CONFIG_NET_EMATCH_TEXT=m -CONFIG_NET_EMATCH_IPSET=m -CONFIG_NET_CLS_ACT=y -CONFIG_NET_ACT_POLICE=m -CONFIG_NET_ACT_GACT=m -CONFIG_GACT_PROB=y -CONFIG_NET_ACT_MIRRED=m -CONFIG_NET_ACT_IPT=m -CONFIG_NET_ACT_NAT=m -CONFIG_NET_ACT_PEDIT=m -CONFIG_NET_ACT_SKBEDIT=m -CONFIG_NET_ACT_CSUM=m -CONFIG_NET_ACT_VLAN=m -CONFIG_NET_CLS_IND=y -CONFIG_DCB=y -CONFIG_OPENVSWITCH=m -CONFIG_VSOCKETS=m -CONFIG_VMWARE_VMCI_VSOCKETS=m -CONFIG_NETLINK_MMAP=y -CONFIG_NETLINK_DIAG=m -CONFIG_CGROUP_NET_PRIO=y -CONFIG_BPF_JIT=y -CONFIG_NET_DROP_MONITOR=m -# CONFIG_WIRELESS is not set -CONFIG_NET_9P=m -CONFIG_NET_9P_VIRTIO=m -CONFIG_NET_9P_RDMA=m -# CONFIG_UEVENT_HELPER is not set -CONFIG_DEVTMPFS=y -CONFIG_DEVTMPFS_MOUNT=y -CONFIG_FW_LOADER=m -# CONFIG_FIRMWARE_IN_KERNEL is not set -CONFIG_CONNECTOR=m -CONFIG_MTD=m -# CONFIG_PNP_DEBUG_MESSAGES is not set -CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m -CONFIG_ZRAM=m -CONFIG_ZRAM_LZ4_COMPRESS=y -CONFIG_BLK_CPQ_CISS_DA=m -CONFIG_BLK_DEV_LOOP=m -CONFIG_BLK_DEV_NVME=m -CONFIG_BLK_DEV_RAM=m -CONFIG_XEN_BLKDEV_FRONTEND=m -CONFIG_XEN_BLKDEV_BACKEND=m -CONFIG_VIRTIO_BLK=m -CONFIG_BLK_DEV_RBD=m -CONFIG_HP_ILO=m -CONFIG_VMWARE_BALLOON=m -CONFIG_INTEL_MEI_ME=m -CONFIG_INTEL_MEI_TXE=m -CONFIG_VMWARE_VMCI=m -CONFIG_BLK_DEV_SD=m -CONFIG_BLK_DEV_SR=m -CONFIG_CHR_DEV_SG=m -CONFIG_SCSI_CONSTANTS=y -CONFIG_SCSI_LOGGING=y -CONFIG_SCSI_SCAN_ASYNC=y -CONFIG_SCSI_FC_ATTRS=m -CONFIG_SCSI_SAS_ATA=y -CONFIG_ISCSI_TCP=m -CONFIG_ISCSI_BOOT_SYSFS=m -CONFIG_SCSI_HPSA=m -CONFIG_SCSI_3W_9XXX=m -CONFIG_SCSI_3W_SAS=m -CONFIG_SCSI_AACRAID=m -CONFIG_SCSI_AIC94XX=m -# CONFIG_AIC94XX_DEBUG is not set -CONFIG_SCSI_MVSAS=m -# CONFIG_SCSI_MVSAS_DEBUG is not set -CONFIG_SCSI_MVSAS_TASKLET=y -CONFIG_SCSI_ARCMSR=m -CONFIG_MEGARAID_SAS=m -CONFIG_SCSI_MPT2SAS=m -CONFIG_SCSI_MPT3SAS=m -CONFIG_SCSI_BUSLOGIC=m -CONFIG_VMWARE_PVSCSI=m -CONFIG_XEN_SCSI_FRONTEND=m -CONFIG_SCSI_ISCI=m -CONFIG_SCSI_SYM53C8XX_2=m -CONFIG_SCSI_QLA_FC=m -CONFIG_SCSI_LPFC=m 
-CONFIG_SCSI_VIRTIO=m -CONFIG_SCSI_DH=m -CONFIG_ATA=m -CONFIG_SATA_AHCI=m -CONFIG_SATA_SIL24=m -CONFIG_PDC_ADMA=m -CONFIG_SATA_QSTOR=m -CONFIG_SATA_SX4=m -CONFIG_ATA_PIIX=m -CONFIG_SATA_MV=m -CONFIG_SATA_NV=m -CONFIG_SATA_PROMISE=m -CONFIG_SATA_SIS=m -CONFIG_SATA_VIA=m -CONFIG_SATA_VITESSE=m -CONFIG_PATA_VIA=m -CONFIG_MD=y -CONFIG_MD_LINEAR=m -CONFIG_MD_RAID0=m -CONFIG_BCACHE=m -CONFIG_BLK_DEV_DM=m -CONFIG_DM_CRYPT=m -CONFIG_DM_SNAPSHOT=m -CONFIG_DM_THIN_PROVISIONING=m -CONFIG_DM_MIRROR=m -CONFIG_DM_RAID=m -CONFIG_DM_ZERO=m -CONFIG_DM_MULTIPATH=m -CONFIG_DM_MULTIPATH_QL=m -CONFIG_DM_MULTIPATH_ST=m -CONFIG_DM_UEVENT=y -CONFIG_DM_VERITY=m -CONFIG_FUSION=y -CONFIG_FUSION_SPI=m -CONFIG_FUSION_SAS=m -CONFIG_FUSION_MAX_SGE=40 -CONFIG_FUSION_CTL=m -CONFIG_FUSION_LOGGING=y -CONFIG_NETDEVICES=y -CONFIG_BONDING=m -CONFIG_DUMMY=m -CONFIG_MACVLAN=m -CONFIG_MACVTAP=m -CONFIG_IPVLAN=m -CONFIG_VXLAN=m -CONFIG_NETCONSOLE=m -CONFIG_NETCONSOLE_DYNAMIC=y -CONFIG_TUN=m -CONFIG_VETH=m -CONFIG_VIRTIO_NET=m -CONFIG_VHOST_NET=m -# CONFIG_NET_VENDOR_3COM is not set -# CONFIG_NET_VENDOR_ADAPTEC is not set -# CONFIG_NET_VENDOR_AGERE is not set -CONFIG_ACENIC=m -CONFIG_AMD8111_ETH=m -CONFIG_PCNET32=m -# CONFIG_NET_VENDOR_ARC is not set -CONFIG_ATL2=m -CONFIG_ATL1=m -CONFIG_ATL1E=m -CONFIG_ATL1C=m -CONFIG_ALX=m -CONFIG_B44=m -CONFIG_CNIC=m -CONFIG_TIGON3=m -CONFIG_BNX2X=m -CONFIG_BNA=m -CONFIG_CHELSIO_T1=m -CONFIG_CHELSIO_T1_1G=y -CONFIG_CHELSIO_T3=m -CONFIG_CHELSIO_T4=m -CONFIG_CHELSIO_T4VF=m -CONFIG_NET_TULIP=y -CONFIG_TULIP=m -CONFIG_TULIP_MMIO=y -CONFIG_TULIP_NAPI=y -CONFIG_DL2K=m -CONFIG_SUNDANCE=m -CONFIG_S2IO=m -CONFIG_VXGE=m -CONFIG_HP100=m -CONFIG_E100=m -CONFIG_E1000=m -CONFIG_E1000E=m -CONFIG_IGB=m -CONFIG_IGBVF=m -CONFIG_IXGB=m -CONFIG_IXGBE=m -CONFIG_IXGBEVF=m -CONFIG_I40E=m -CONFIG_I40E_VXLAN=y -CONFIG_I40EVF=m -CONFIG_IP1000=m -CONFIG_JME=m -CONFIG_SKGE=m -CONFIG_SKY2=m -CONFIG_MLX4_EN=m -# CONFIG_MLX4_DEBUG is not set -# CONFIG_NET_VENDOR_MICREL is not set -CONFIG_MYRI10GE=m -# 
CONFIG_NET_VENDOR_NATSEMI is not set -CONFIG_FORCEDETH=m -# CONFIG_NET_VENDOR_OKI is not set -# CONFIG_NET_PACKET_ENGINE is not set -CONFIG_NETXEN_NIC=m -# CONFIG_NET_VENDOR_QUALCOMM is not set -CONFIG_8139CP=m -CONFIG_8139TOO=m -CONFIG_8139TOO_TUNE_TWISTER=y -CONFIG_8139TOO_8129=y -CONFIG_R8169=m -# CONFIG_NET_VENDOR_RDC is not set -# CONFIG_NET_VENDOR_ROCKER is not set -# CONFIG_NET_VENDOR_SAMSUNG is not set -# CONFIG_NET_VENDOR_SEEQ is not set -# CONFIG_NET_VENDOR_SILAN is not set -# CONFIG_NET_VENDOR_SIS is not set -CONFIG_SFC=m -# CONFIG_NET_VENDOR_SMSC is not set -# CONFIG_NET_VENDOR_STMICRO is not set -# CONFIG_NET_VENDOR_SUN is not set -# CONFIG_NET_VENDOR_TEHUTI is not set -# CONFIG_NET_VENDOR_TI is not set -# CONFIG_NET_VENDOR_VIA is not set -# CONFIG_NET_VENDOR_WIZNET is not set -CONFIG_AT803X_PHY=m -CONFIG_AMD_PHY=m -CONFIG_MARVELL_PHY=m -CONFIG_BROADCOM_PHY=m -CONFIG_BCM87XX_PHY=m -CONFIG_REALTEK_PHY=m -# CONFIG_USB_NET_DRIVERS is not set -# CONFIG_WLAN is not set -CONFIG_XEN_NETDEV_FRONTEND=m -CONFIG_XEN_NETDEV_BACKEND=m -CONFIG_VMXNET3=m -CONFIG_HYPERV_NET=m -CONFIG_INPUT_MOUSEDEV=m -# CONFIG_INPUT_MOUSEDEV_PSAUX is not set -CONFIG_INPUT_EVDEV=m -CONFIG_MOUSE_PS2=m -# CONFIG_MOUSE_PS2_ALPS is not set -# CONFIG_MOUSE_PS2_LOGIPS2PP is not set -# CONFIG_MOUSE_PS2_SYNAPTICS is not set -# CONFIG_MOUSE_PS2_CYPRESS is not set -# CONFIG_MOUSE_PS2_LIFEBOOK is not set -# CONFIG_MOUSE_PS2_TRACKPOINT is not set -# CONFIG_MOUSE_PS2_FOCALTECH is not set -CONFIG_INPUT_MISC=y -# CONFIG_SERIO_SERPORT is not set -CONFIG_DEVPTS_MULTIPLE_INSTANCES=y -# CONFIG_LEGACY_PTYS is not set -# CONFIG_DEVKMEM is not set -CONFIG_SERIAL_8250=y -CONFIG_SERIAL_8250_CONSOLE=y -CONFIG_SERIAL_8250_NR_UARTS=32 -CONFIG_SERIAL_8250_EXTENDED=y -CONFIG_SERIAL_8250_MANY_PORTS=y -CONFIG_SERIAL_8250_SHARE_IRQ=y -CONFIG_SERIAL_8250_RSA=y -CONFIG_TTY_PRINTK=y -CONFIG_VIRTIO_CONSOLE=m -CONFIG_IPMI_HANDLER=m -CONFIG_IPMI_PANIC_EVENT=y -CONFIG_IPMI_PANIC_STRING=y -CONFIG_IPMI_DEVICE_INTERFACE=m 
-CONFIG_IPMI_SI=m -CONFIG_IPMI_SSIF=m -CONFIG_IPMI_WATCHDOG=m -CONFIG_IPMI_POWEROFF=m -CONFIG_HW_RANDOM_TIMERIOMEM=m -CONFIG_HW_RANDOM_VIRTIO=m -CONFIG_NVRAM=m -CONFIG_RAW_DRIVER=m -CONFIG_MAX_RAW_DEVS=8192 -CONFIG_HPET=y -CONFIG_HANGCHECK_TIMER=m -CONFIG_TCG_TPM=m -CONFIG_TCG_TIS=m -CONFIG_TCG_TIS_I2C_ATMEL=m -CONFIG_TCG_TIS_I2C_INFINEON=m -CONFIG_TCG_TIS_I2C_NUVOTON=m -CONFIG_TCG_NSC=m -CONFIG_TCG_ATMEL=m -CONFIG_TCG_INFINEON=m -CONFIG_TCG_XEN=m -# CONFIG_I2C_COMPAT is not set -CONFIG_I2C_AMD756=m -CONFIG_I2C_AMD8111=m -CONFIG_I2C_I801=m -CONFIG_I2C_PIIX4=m -CONFIG_HWMON=m -CONFIG_SENSORS_K8TEMP=m -CONFIG_SENSORS_K10TEMP=m -CONFIG_SENSORS_FAM15H_POWER=m -CONFIG_SENSORS_I5500=m -CONFIG_SENSORS_CORETEMP=m -CONFIG_INT340X_THERMAL=m -CONFIG_WATCHDOG=y -CONFIG_SOFT_WATCHDOG=m -CONFIG_ITCO_WDT=m -CONFIG_ITCO_VENDOR_SUPPORT=y -CONFIG_XEN_WDT=m -CONFIG_FB=y -CONFIG_FB_VESA=y -CONFIG_FB_EFI=y -CONFIG_XEN_FBDEV_FRONTEND=m -CONFIG_FB_HYPERV=m -CONFIG_BACKLIGHT_LCD_SUPPORT=y -# CONFIG_LCD_CLASS_DEVICE is not set -# CONFIG_BACKLIGHT_CLASS_DEVICE is not set -CONFIG_VGACON_SOFT_SCROLLBACK=y -CONFIG_FRAMEBUFFER_CONSOLE=y -CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y -CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y -CONFIG_HID=m -CONFIG_HID_A4TECH=m -CONFIG_HID_APPLE=m -CONFIG_HID_BELKIN=m -CONFIG_HID_CHERRY=m -CONFIG_HID_EZKEY=m -CONFIG_HID_LOGITECH=m -CONFIG_HID_MICROSOFT=m -CONFIG_HID_MONTEREY=m -CONFIG_HID_HYPERV_MOUSE=m -CONFIG_USB=m -CONFIG_USB_XHCI_HCD=m -CONFIG_USB_EHCI_HCD=m -CONFIG_USB_OHCI_HCD=m -CONFIG_USB_OHCI_HCD_SSB=y -CONFIG_USB_UHCI_HCD=m -CONFIG_USB_STORAGE=m -CONFIG_USB_UAS=m -CONFIG_USB_SERIAL=m -CONFIG_USB_SERIAL_GENERIC=y -CONFIG_USB_SERIAL_CP210X=m -CONFIG_USB_SERIAL_FTDI_SIO=m -CONFIG_MMC=m -CONFIG_MMC_BLOCK_MINORS=16 -CONFIG_MMC_SDHCI=m -CONFIG_MMC_SDHCI_PCI=m -# CONFIG_MMC_RICOH_MMC is not set -CONFIG_MMC_SDHCI_ACPI=m -CONFIG_INFINIBAND=m -CONFIG_INFINIBAND_USER_MAD=m -CONFIG_INFINIBAND_MTHCA=m -CONFIG_INFINIBAND_IPATH=m -CONFIG_INFINIBAND_QIB=m 
-CONFIG_INFINIBAND_AMSO1100=m -CONFIG_INFINIBAND_CXGB3=m -CONFIG_INFINIBAND_CXGB4=m -CONFIG_MLX4_INFINIBAND=m -CONFIG_MLX5_INFINIBAND=m -CONFIG_INFINIBAND_NES=m -CONFIG_INFINIBAND_OCRDMA=m -CONFIG_INFINIBAND_USNIC=m -CONFIG_INFINIBAND_IPOIB=m -CONFIG_INFINIBAND_IPOIB_CM=y -CONFIG_INFINIBAND_IPOIB_DEBUG_DATA=y -CONFIG_INFINIBAND_SRP=m -CONFIG_INFINIBAND_ISER=m -CONFIG_EDAC=y -# CONFIG_EDAC_LEGACY_SYSFS is not set -CONFIG_EDAC_DECODE_MCE=m -CONFIG_EDAC_MCE_INJ=m -CONFIG_EDAC_MM_EDAC=m -CONFIG_EDAC_AMD64=m -CONFIG_EDAC_E752X=m -CONFIG_EDAC_I82975X=m -CONFIG_EDAC_I3000=m -CONFIG_EDAC_I3200=m -CONFIG_EDAC_X38=m -CONFIG_EDAC_I5400=m -CONFIG_EDAC_I7CORE=m -CONFIG_EDAC_I5000=m -CONFIG_EDAC_I5100=m -CONFIG_EDAC_I7300=m -CONFIG_EDAC_SBRIDGE=m -CONFIG_RTC_CLASS=y -CONFIG_DMADEVICES=y -CONFIG_INTEL_IOATDMA=y -CONFIG_VFIO=m -CONFIG_VFIO_PCI=m -CONFIG_VFIO_PCI_VGA=y -CONFIG_VIRT_DRIVERS=y -CONFIG_VIRTIO_PCI=m -CONFIG_VIRTIO_BALLOON=m -CONFIG_VIRTIO_MMIO=m -CONFIG_HYPERV=m -CONFIG_HYPERV_UTILS=m -CONFIG_HYPERV_BALLOON=m -CONFIG_XEN_SELFBALLOONING=y -CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y -CONFIG_XEN_DEV_EVTCHN=m -CONFIG_XENFS=m -CONFIG_XEN_MCE_LOG=y -CONFIG_PVPANIC=m -CONFIG_AMD_IOMMU=y -CONFIG_AMD_IOMMU_V2=m -CONFIG_INTEL_IOMMU=y -CONFIG_IRQ_REMAP=y -CONFIG_DELL_RBU=m -CONFIG_DCDBAS=m -CONFIG_DMI_SYSFS=m -CONFIG_ISCSI_IBFT_FIND=y -CONFIG_EFI_VARS=m -CONFIG_EXT4_FS=m -CONFIG_EXT4_FS_POSIX_ACL=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_XFS_FS=m -CONFIG_XFS_POSIX_ACL=y -CONFIG_BTRFS_FS=m -CONFIG_BTRFS_FS_POSIX_ACL=y -CONFIG_FANOTIFY=y -CONFIG_QUOTA=y -CONFIG_QUOTA_NETLINK_INTERFACE=y -# CONFIG_PRINT_QUOTA_WARNING is not set -CONFIG_QFMT_V2=m -CONFIG_AUTOFS4_FS=m -CONFIG_FUSE_FS=m -CONFIG_OVERLAY_FS=m -CONFIG_ISO9660_FS=m -CONFIG_JOLIET=y -CONFIG_ZISOFS=y -CONFIG_UDF_FS=m -CONFIG_MSDOS_FS=m -CONFIG_VFAT_FS=m -CONFIG_FAT_DEFAULT_IOCHARSET="ascii" -CONFIG_PROC_KCORE=y -CONFIG_TMPFS=y -CONFIG_TMPFS_POSIX_ACL=y -CONFIG_HUGETLBFS=y -CONFIG_CONFIGFS_FS=m -CONFIG_SQUASHFS=m -CONFIG_SQUASHFS_LZO=y 
-CONFIG_SQUASHFS_XZ=y -CONFIG_NFS_FS=m -CONFIG_NFS_V3_ACL=y -CONFIG_NFS_V4=m -CONFIG_NFS_V4_1=y -CONFIG_NFS_V4_2=y -CONFIG_NFSD=m -CONFIG_NFSD_V3_ACL=y -CONFIG_NFSD_V4=y -CONFIG_SUNRPC_DEBUG=y -CONFIG_CEPH_FS=m -CONFIG_CIFS=m -CONFIG_CIFS_STATS=y -CONFIG_CIFS_STATS2=y -CONFIG_CIFS_WEAK_PW_HASH=y -CONFIG_CIFS_UPCALL=y -CONFIG_CIFS_XATTR=y -CONFIG_CIFS_POSIX=y -CONFIG_CIFS_ACL=y -CONFIG_CIFS_DFS_UPCALL=y -CONFIG_CIFS_SMB2=y -CONFIG_9P_FS=m -CONFIG_9P_FS_POSIX_ACL=y -CONFIG_NLS_DEFAULT="utf8" -CONFIG_NLS_CODEPAGE_437=m -CONFIG_NLS_ASCII=m -CONFIG_NLS_UTF8=m -CONFIG_PRINTK_TIME=y -CONFIG_BOOT_PRINTK_DELAY=y -CONFIG_DYNAMIC_DEBUG=y -CONFIG_DEBUG_INFO=y -# CONFIG_ENABLE_WARN_DEPRECATED is not set -CONFIG_STRIP_ASM_SYMS=y -CONFIG_MAGIC_SYSRQ=y -CONFIG_DEBUG_STACKOVERFLOW=y -CONFIG_DEBUG_SHIRQ=y -CONFIG_LOCKUP_DETECTOR=y -CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y -CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y -CONFIG_PANIC_ON_OOPS=y -CONFIG_PANIC_TIMEOUT=60 -CONFIG_SCHED_STACK_END_CHECK=y -CONFIG_TIMER_STATS=y -CONFIG_RCU_CPU_STALL_TIMEOUT=60 -# CONFIG_RCU_CPU_STALL_INFO is not set -CONFIG_LATENCYTOP=y -CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y -CONFIG_SCHED_TRACER=y -CONFIG_FTRACE_SYSCALLS=y -CONFIG_STACK_TRACER=y -CONFIG_BLK_DEV_IO_TRACE=y -CONFIG_UPROBE_EVENT=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STRICT_DEVMEM=y -CONFIG_DEBUG_SET_MODULE_RONX=y -CONFIG_DEBUG_BOOT_PARAMS=y -CONFIG_OPTIMIZE_INLINING=y -CONFIG_TRUSTED_KEYS=m -CONFIG_ENCRYPTED_KEYS=m -CONFIG_SECURITY=y -CONFIG_SECURITY_NETWORK=y -CONFIG_SECURITY_NETWORK_XFRM=y -CONFIG_SECURITY_SELINUX=y -CONFIG_SECURITY_SELINUX_BOOTPARAM=y -CONFIG_SECURITY_SELINUX_DISABLE=y -# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set -CONFIG_CRYPTO_CRC32C_INTEL=m -CONFIG_CRYPTO_SHA1_SSSE3=m -CONFIG_CRYPTO_SHA256_SSSE3=m -CONFIG_CRYPTO_AES_NI_INTEL=m -# CONFIG_CRYPTO_ANSI_CPRNG is not set -CONFIG_CRYPTO_USER_API_HASH=m -CONFIG_CRYPTO_USER_API_SKCIPHER=m -CONFIG_PKCS7_MESSAGE_PARSER=y -CONFIG_SIGNED_PE_FILE_VERIFICATION=y -CONFIG_KVM=m -CONFIG_KVM_INTEL=m 
-CONFIG_KVM_AMD=m
-# CONFIG_XZ_DEC_POWERPC is not set
-# CONFIG_XZ_DEC_IA64 is not set
-# CONFIG_XZ_DEC_ARM is not set
-# CONFIG_XZ_DEC_ARMTHUMB is not set
-# CONFIG_XZ_DEC_SPARC is not set
-CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.0 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.0
deleted file mode 100644
index 9f653b9c9d..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.0
+++ /dev/null
@@ -1,201 +0,0 @@ -# CONFIG_LOCALVERSION_AUTO is not set -CONFIG_SYSVIPC=y -CONFIG_POSIX_MQUEUE=y -CONFIG_FHANDLE=y -CONFIG_AUDIT=y -CONFIG_NO_HZ_IDLE=y -CONFIG_HIGH_RES_TIMERS=y -CONFIG_BSD_PROCESS_ACCT=y -CONFIG_BSD_PROCESS_ACCT_V3=y -CONFIG_TASKSTATS=y -CONFIG_TASK_DELAY_ACCT=y -CONFIG_TASK_XACCT=y -CONFIG_TASK_IO_ACCOUNTING=y -CONFIG_IKCONFIG=y -CONFIG_IKCONFIG_PROC=y -CONFIG_LOG_BUF_SHIFT=14 -CONFIG_CGROUP_FREEZER=y -CONFIG_CGROUP_DEVICE=y -CONFIG_CPUSETS=y -# CONFIG_PROC_PID_CPUSET is not set -CONFIG_CGROUP_CPUACCT=y -CONFIG_MEMCG=y -CONFIG_MEMCG_SWAP=y -CONFIG_MEMCG_KMEM=y -CONFIG_CGROUP_HUGETLB=y -CONFIG_CGROUP_PERF=y -CONFIG_CFS_BANDWIDTH=y -CONFIG_USER_NS=y -CONFIG_SCHED_AUTOGROUP=y -CONFIG_BLK_DEV_INITRD=y -CONFIG_KALLSYMS_ALL=y -# CONFIG_COMPAT_BRK is not set -CONFIG_PROFILING=y -CONFIG_JUMP_LABEL=y -CONFIG_MODULES=y -CONFIG_MODULE_UNLOAD=y -# CONFIG_IOSCHED_DEADLINE is not set -CONFIG_ARCH_FSL_LS2085A=y -CONFIG_ARCH_MEDIATEK=y -CONFIG_ARCH_THUNDER=y -CONFIG_ARCH_VEXPRESS=y -CONFIG_ARCH_XGENE=y -CONFIG_PCI=y -CONFIG_PCI_MSI=y -CONFIG_PCI_XGENE=y -CONFIG_SMP=y -CONFIG_PREEMPT=y -CONFIG_KSM=y -CONFIG_TRANSPARENT_HUGEPAGE=y -CONFIG_CMA=y -CONFIG_SECCOMP=y -CONFIG_KEXEC=y -CONFIG_CMDLINE="console=ttyAMA0" -# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set -CONFIG_COMPAT=y -CONFIG_CPU_IDLE=y -CONFIG_ARM64_CPUIDLE=y -CONFIG_NET=y -CONFIG_PACKET=y -CONFIG_UNIX=y -CONFIG_INET=y -CONFIG_IP_PNP=y -CONFIG_IP_PNP_DHCP=y -CONFIG_IP_PNP_BOOTP=y -# CONFIG_INET_LRO is not set -CONFIG_IPV6=y -CONFIG_NETFILTER=y -CONFIG_BRIDGE_NETFILTER=y -CONFIG_NF_CONNTRACK=y -CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y -CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y -CONFIG_NF_CONNTRACK_IPV4=y -# CONFIG_NF_CONNTRACK_PROC_COMPAT is not set -CONFIG_IP_NF_IPTABLES=y -CONFIG_IP_NF_FILTER=y -CONFIG_IP_NF_NAT=y -CONFIG_IP_NF_TARGET_MASQUERADE=y -CONFIG_BRIDGE=y -CONFIG_BPF_JIT=y -# CONFIG_WIRELESS is not set -CONFIG_NET_9P=y -CONFIG_NET_9P_VIRTIO=y -CONFIG_DEVTMPFS=y -CONFIG_DEVTMPFS_MOUNT=y 
-CONFIG_DMA_CMA=y -CONFIG_BLK_DEV_LOOP=y -CONFIG_VIRTIO_BLK=y -# CONFIG_SCSI_PROC_FS is not set -CONFIG_BLK_DEV_SD=y -# CONFIG_SCSI_LOWLEVEL is not set -CONFIG_ATA=y -CONFIG_SATA_AHCI=y -CONFIG_SATA_AHCI_PLATFORM=y -CONFIG_AHCI_XGENE=y -CONFIG_PATA_PLATFORM=y -CONFIG_PATA_OF_PLATFORM=y -CONFIG_MD=y -CONFIG_BLK_DEV_DM=y -CONFIG_DM_DEBUG=y -CONFIG_DM_THIN_PROVISIONING=y -CONFIG_NETDEVICES=y -CONFIG_MACVLAN=y -CONFIG_MACVTAP=y -CONFIG_TUN=y -CONFIG_VETH=y -CONFIG_VIRTIO_NET=y -CONFIG_NET_XGENE=y -CONFIG_SMC91X=y -CONFIG_SMSC911X=y -# CONFIG_WLAN is not set -CONFIG_INPUT_EVDEV=y -# CONFIG_SERIO_SERPORT is not set -CONFIG_SERIO_AMBAKMI=y -CONFIG_DEVPTS_MULTIPLE_INSTANCES=y -CONFIG_LEGACY_PTY_COUNT=16 -CONFIG_SERIAL_8250=y -CONFIG_SERIAL_8250_CONSOLE=y -CONFIG_SERIAL_8250_MT6577=y -CONFIG_SERIAL_AMBA_PL011=y -CONFIG_SERIAL_AMBA_PL011_CONSOLE=y -CONFIG_SERIAL_OF_PLATFORM=y -CONFIG_VIRTIO_CONSOLE=y -# CONFIG_HW_RANDOM is not set -CONFIG_SPI=y -CONFIG_SPI_PL022=y -CONFIG_GPIO_PL061=y -CONFIG_GPIO_XGENE=y -# CONFIG_HWMON is not set -CONFIG_REGULATOR=y -CONFIG_REGULATOR_FIXED_VOLTAGE=y -CONFIG_FB=y -CONFIG_FB_ARMCLCD=y -CONFIG_FRAMEBUFFER_CONSOLE=y -CONFIG_LOGO=y -# CONFIG_LOGO_LINUX_MONO is not set -# CONFIG_LOGO_LINUX_VGA16 is not set -CONFIG_USB=y -CONFIG_USB_EHCI_HCD=y -CONFIG_USB_EHCI_HCD_PLATFORM=y -CONFIG_USB_OHCI_HCD=y -CONFIG_USB_OHCI_HCD_PLATFORM=y -CONFIG_USB_STORAGE=y -CONFIG_USB_ULPI=y -CONFIG_MMC=y -CONFIG_MMC_ARMMMCI=y -CONFIG_MMC_SDHCI=y -CONFIG_MMC_SDHCI_PLTFM=y -CONFIG_MMC_SPI=y -CONFIG_RTC_CLASS=y -CONFIG_RTC_DRV_EFI=y -CONFIG_RTC_DRV_XGENE=y -CONFIG_VIRTIO_BALLOON=y -CONFIG_VIRTIO_MMIO=y -# CONFIG_IOMMU_SUPPORT is not set -CONFIG_PHY_XGENE=y -CONFIG_EXT2_FS=y -CONFIG_EXT3_FS=y -# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set -# CONFIG_EXT3_FS_XATTR is not set -CONFIG_EXT4_FS=y -CONFIG_EXT4_FS_POSIX_ACL=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_BTRFS_FS=y -CONFIG_BTRFS_FS_POSIX_ACL=y -CONFIG_FANOTIFY=y -CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y -CONFIG_QUOTA=y 
-CONFIG_AUTOFS4_FS=y
-CONFIG_FUSE_FS=y
-CONFIG_CUSE=y
-CONFIG_OVERLAY_FS=y
-CONFIG_VFAT_FS=y
-CONFIG_TMPFS=y
-CONFIG_TMPFS_POSIX_ACL=y
-CONFIG_HUGETLBFS=y
-CONFIG_EFIVAR_FS=y
-# CONFIG_MISC_FILESYSTEMS is not set
-CONFIG_NFS_FS=y
-CONFIG_ROOT_NFS=y
-CONFIG_9P_FS=y
-CONFIG_NLS_CODEPAGE_437=y
-CONFIG_NLS_ISO8859_1=y
-CONFIG_VIRTUALIZATION=y
-CONFIG_DEBUG_INFO=y
-CONFIG_DEBUG_FS=y
-CONFIG_MAGIC_SYSRQ=y
-CONFIG_DEBUG_KERNEL=y
-CONFIG_LOCKUP_DETECTOR=y
-CONFIG_SCHEDSTATS=y
-# CONFIG_DEBUG_PREEMPT is not set
-# CONFIG_FTRACE is not set
-CONFIG_KEYS=y
-CONFIG_SECURITY=y
-CONFIG_CRYPTO_ANSI_CPRNG=y
-CONFIG_ARM64_CRYPTO=y
-CONFIG_CRYPTO_SHA1_ARM64_CE=y
-CONFIG_CRYPTO_SHA2_ARM64_CE=y
-CONFIG_CRYPTO_GHASH_ARM64_CE=y
-CONFIG_CRYPTO_AES_ARM64_CE_CCM=y
-CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
-CONFIG_CRYPTO_AES_ARM64_NEON_BLK=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.0.9.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.0.9.ebuild
deleted file mode 100644
index 17c23d2991..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.0.9.ebuild
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-UNIPATCH_LIST="${PATCH_DIR}/01-Add-secure_modules-call.patch \
-${PATCH_DIR}/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
-${PATCH_DIR}/03-x86-Lock-down-IO-port-access-when-module-security-is.patch \
-${PATCH_DIR}/04-ACPI-Limit-access-to-custom_method.patch \
-${PATCH_DIR}/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
-${PATCH_DIR}/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
-${PATCH_DIR}/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
-${PATCH_DIR}/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
-${PATCH_DIR}/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
-${PATCH_DIR}/10-Add-option-to-automatically-enforce-module-signature.patch \
-${PATCH_DIR}/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
-${PATCH_DIR}/13-efi-Add-EFI_SECURE_BOOT-bit.patch \
-${PATCH_DIR}/14-hibernate-Disable-in-a-signed-modules-environment.patch"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/01-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/01-Add-secure_modules-call.patch
deleted file mode 100644
index 63b825134b..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/01-Add-secure_modules-call.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: Matthew Garrett
-Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH] Add secure_modules() call
-
-Provide a single call to allow kernel code to determine whether the system
-has been configured to either disable module loading entirely or to load
-only modules signed with a trusted key.
-
-Bugzilla: N/A
-Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd
-
-Signed-off-by: Matthew Garrett
----
- include/linux/module.h | 7 +++++++
- kernel/module.c | 10 ++++++++++
- 2 files changed, 17 insertions(+)
-
-diff --git a/include/linux/module.h b/include/linux/module.h
-index b03485bcb82a..b033dab5c8bf 100644
---- a/include/linux/module.h
-+++ b/include/linux/module.h
-@@ -506,6 +506,8 @@ int unregister_module_notifier(struct notifier_block *nb);
-
- extern void print_modules(void);
-
-+extern bool secure_modules(void);
-+
- #else /* !CONFIG_MODULES... */
-
- /* Given an address, look for it in the exception tables. */
-@@ -616,6 +618,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb)
- static inline void print_modules(void)
- {
- }
-+
-+static inline bool secure_modules(void)
-+{
-+ return false;
-+}
- #endif /* CONFIG_MODULES */
-
- #ifdef CONFIG_SYSFS
-diff --git a/kernel/module.c b/kernel/module.c
-index 538794ce3cc7..f3489ef9e409 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -3911,3 +3911,13 @@ void module_layout(struct module *mod,
- }
- EXPORT_SYMBOL(module_layout);
- #endif
-+
-+bool secure_modules(void)
-+{
-+#ifdef CONFIG_MODULE_SIG
-+ return (sig_enforce || modules_disabled);
-+#else
-+ return modules_disabled;
-+#endif
-+}
-+EXPORT_SYMBOL(secure_modules);
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
deleted file mode 100644
index 92e028d070..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
+++ /dev/null
@@ -1,113 +0,0 @@ -From: Matthew Garrett -Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH] PCI: Lock down BAR access when module security is enabled - -Any hardware that can potentially generate DMA has to be locked down from -userspace in order to avoid it being possible for an attacker to modify -kernel code, allowing them to circumvent disabled module loading or module -signing. Default to paranoid - in future we can potentially relax this for -sufficiently IOMMU-isolated devices. - -Signed-off-by: Matthew Garrett ---- - drivers/pci/pci-sysfs.c | 10 ++++++++++ - drivers/pci/proc.c | 8 +++++++- - drivers/pci/syscall.c | 3 ++- - 3 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 312f23a8429c..93e6ac103dd0 100644 ---- a/drivers/pci/pci-sysfs.c -+++ b/drivers/pci/pci-sysfs.c -@@ -30,6 +30,7 @@ - #include - #include - #include -+#include - #include "pci.h" - - static int sysfs_initialized; /* = 0 */ -@@ -710,6 +711,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, - loff_t init_off = off; - u8 *data = (u8 *) buf; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (off > dev->cfg_size) - return 0; - if (off + count > dev->cfg_size) { -@@ -1004,6 +1008,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, - resource_size_t start, end; - int i; - -+ if (secure_modules()) -+ return -EPERM; -+ - for (i = 0; i < PCI_ROM_RESOURCE; i++) - if (res == &pdev->resource[i]) - break; -@@ -1105,6 +1112,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, - struct bin_attribute *attr, char *buf, - loff_t off, size_t count) - { -+ if (secure_modules()) -+ return -EPERM; -+ - return pci_resource_io(filp, kobj, attr, buf, off, count, true); - } - -diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 3f155e78513f..4265ea07e3b0 100644 ---- a/drivers/pci/proc.c -+++ b/drivers/pci/proc.c -@@ -116,6 +116,9 @@ static 
ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, - int size = dev->cfg_size; - int cnt; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (pos >= size) - return 0; - if (nbytes >= size) -@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, - #endif /* HAVE_PCI_MMAP */ - int ret = 0; - -+ if (secure_modules()) -+ return -EPERM; -+ - switch (cmd) { - case PCIIOC_CONTROLLER: - ret = pci_domain_nr(dev->bus); -@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) - struct pci_filp_private *fpriv = file->private_data; - int i, ret; - -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || secure_modules()) - return -EPERM; - - /* Make sure the caller is mapping a real resource for this device */ -diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c -index b91c4da68365..98f5637304d1 100644 ---- a/drivers/pci/syscall.c -+++ b/drivers/pci/syscall.c -@@ -10,6 +10,7 @@ - #include - #include - #include -+#include - #include - #include "pci.h" - -@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, - u32 dword; - int err = 0; - -- if (!capable(CAP_SYS_ADMIN)) -+ if (!capable(CAP_SYS_ADMIN) || secure_modules()) - return -EPERM; - - dev = pci_get_bus_and_slot(bus, dfn); diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/03-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/03-x86-Lock-down-IO-port-access-when-module-security-is.patch deleted file mode 100644 index 697f5b1034..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/03-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From: Matthew Garrett -Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH] x86: Lock down IO port access when module security is enabled - -IO port access would permit users to gain access to PCI configuration -registers, which in turn (on a lot of hardware) give access to MMIO register -space. This would potentially permit root to trigger arbitrary DMA, so lock -it down by default. - -Signed-off-by: Matthew Garrett ---- - arch/x86/kernel/ioport.c | 5 +++-- - drivers/char/mem.c | 4 ++++ - 2 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 4ddaf66ea35f..00b440307419 100644 ---- a/arch/x86/kernel/ioport.c -+++ b/arch/x86/kernel/ioport.c -@@ -15,6 +15,7 @@ - #include - #include - #include -+#include - #include - - /* -@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) - - if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) - return -EINVAL; -- if (turn_on && !capable(CAP_SYS_RAWIO)) -+ if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules())) - return -EPERM; - - /* -@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) - return -EINVAL; - /* Trying to gain more privileges? */ - if (level > old) { -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || secure_modules()) - return -EPERM; - } - regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); -diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 297110c12635..efe38c1bc234 100644 ---- a/drivers/char/mem.c -+++ b/drivers/char/mem.c -@@ -27,6 +27,7 @@ - #include - #include - #include -+#include - - #include - -@@ -577,6 +578,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, - unsigned long i = *ppos; - const char __user *tmp = buf; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (!access_ok(VERIFY_READ, buf, count)) - return -EFAULT; - while (count-- > 0 && i < 65536) { 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/04-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/04-ACPI-Limit-access-to-custom_method.patch
deleted file mode 100644
index 88709a324b..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/04-ACPI-Limit-access-to-custom_method.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Matthew Garrett
-Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH] ACPI: Limit access to custom_method
-
-custom_method effectively allows arbitrary access to system memory, making
-it possible for an attacker to circumvent restrictions on module loading.
-Disable it if any such restrictions have been enabled.
-
-Signed-off-by: Matthew Garrett
----
- drivers/acpi/custom_method.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index c68e72414a67..4277938af700 100644
---- a/drivers/acpi/custom_method.c
-+++ b/drivers/acpi/custom_method.c
-@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
- struct acpi_table_header table;
- acpi_status status;
-
-+ if (secure_modules())
-+ return -EPERM;
-+
- if (!(*ppos)) {
- /* parse the table header to get the table length */
- if (count <= sizeof(struct acpi_table_header))
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
deleted file mode 100644
index 9298532013..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
+++ /dev/null
@@ -1,50 +0,0 @@ -From: Matthew Garrett -Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH] asus-wmi: Restrict debugfs interface when module loading is - restricted - -We have no way of validating what all of the Asus WMI methods do on a -given machine, and there's a risk that some will allow hardware state to -be manipulated in such a way that arbitrary code can be executed in the -kernel, circumventing module loading restrictions. Prevent that if any of -these features are enabled. - -Signed-off-by: Matthew Garrett ---- - drivers/platform/x86/asus-wmi.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index 7543a56e0f45..93b5a6998371 100644 ---- a/drivers/platform/x86/asus-wmi.c -+++ b/drivers/platform/x86/asus-wmi.c -@@ -1589,6 +1589,9 @@ static int show_dsts(struct seq_file *m, void *data) - int err; - u32 retval = -1; - -+ if (secure_modules()) -+ return -EPERM; -+ - err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); - - if (err < 0) -@@ -1605,6 +1608,9 @@ static int show_devs(struct seq_file *m, void *data) - int err; - u32 retval = -1; - -+ if (secure_modules()) -+ return -EPERM; -+ - err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, - &retval); - -@@ -1629,6 +1635,9 @@ static int show_call(struct seq_file *m, void *data) - union acpi_object *obj; - acpi_status status; - -+ if (secure_modules()) -+ return -EPERM; -+ - status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, - 1, asus->debug.method_id, - &input, &output); diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch deleted file mode 100644 index 99cae0a0a5..0000000000 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Matthew Garrett
-Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
- restricted
-
-Allowing users to write to address space makes it possible for the kernel
-to be subverted, avoiding module loading restrictions. Prevent this when
-any restrictions have been imposed on loading modules.
-
-Signed-off-by: Matthew Garrett
----
- drivers/char/mem.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index efe38c1bc234..16b8af1188e1 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -167,6 +167,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
- if (p != *ppos)
- return -EFBIG;
-
-+ if (secure_modules())
-+ return -EPERM;
-+
- if (!valid_phys_addr_range(p, count))
- return -EFAULT;
-
-@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
- char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
- int err = 0;
-
-+ if (secure_modules())
-+ return -EPERM;
-+
- if (p < (unsigned long) high_memory) {
- unsigned long to_write = min_t(unsigned long, count,
- (unsigned long)high_memory - p);
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
deleted file mode 100644
index 7a83415cf4..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Josh Boyer
-Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH] acpi: Ignore acpi_rsdp kernel parameter when module loading
- is restricted
-
-This option allows userspace to pass the RSDP address to the kernel, which
-makes it possible for a user to circumvent any restrictions imposed on
-loading modules. Disable it in that case.
-
-Signed-off-by: Josh Boyer
----
- drivers/acpi/osl.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 5aa1f6e281d2..58ae459937a4 100644
---- a/drivers/acpi/osl.c
-+++ b/drivers/acpi/osl.c
-@@ -44,6 +44,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -252,7 +253,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
- acpi_physical_address __init acpi_os_get_root_pointer(void)
- {
- #ifdef CONFIG_KEXEC
-- if (acpi_rsdp)
-+ if (acpi_rsdp && !secure_modules())
- return acpi_rsdp;
- #endif
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
deleted file mode 100644
index 5e2d79ec32..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Matthew Garrett
-Date: Fri, 9 Aug 2013 03:33:56 -0400
-Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
- loading restrictions
-
-kexec permits the loading and execution of arbitrary code in ring 0, which
-is something that module signing enforcement is meant to prevent. It makes
-sense to disable kexec in this situation.
-
-Signed-off-by: Matthew Garrett
----
- kernel/kexec.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 38c25b1f2fd5..f2b5272156ce 100644
---- a/kernel/kexec.c
-+++ b/kernel/kexec.c
-@@ -36,6 +36,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -1247,6 +1248,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
- return -EPERM;
-
- /*
-+ * kexec can be used to circumvent module loading restrictions, so
-+ * prevent loading in that case
-+ */
-+ if (secure_modules())
-+ return -EPERM;
-+
-+ /*
- * Verify we have a legal set of flags
- * This leaves us room for future extensions.
- */
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
deleted file mode 100644
index 9053f2aea8..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Matthew Garrett
-Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH] x86: Restrict MSR access when module loading is restricted
-
-Writing to MSRs should not be allowed if module loading is restricted,
-since it could lead to execution of arbitrary code in kernel mode. Based
-on a patch by Kees Cook.
-
-Cc: Kees Cook
-Signed-off-by: Matthew Garrett
----
- arch/x86/kernel/msr.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 113e70784854..26c2f83fc470 100644
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -105,6 +105,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
- int err = 0;
- ssize_t bytes = 0;
-
-+ if (secure_modules())
-+ return -EPERM;
-+
- if (count % 8)
- return -EINVAL; /* Invalid chunk size */
-
-@@ -152,6 +155,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
- err = -EBADF;
- break;
- }
-+ if (secure_modules()) {
-+ err = -EPERM;
-+ break;
-+ }
- if (copy_from_user(®s, uregs, sizeof regs)) {
- err = -EFAULT;
- break;
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/10-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/10-Add-option-to-automatically-enforce-module-signature.patch
deleted file mode 100644
index 4d375fa1d6..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/10-Add-option-to-automatically-enforce-module-signature.patch
+++ /dev/null
@@ -1,182 +0,0 @@ -From: Matthew Garrett -Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH] Add option to automatically enforce module signatures when in - Secure Boot mode - -UEFI Secure Boot provides a mechanism for ensuring that the firmware will -only load signed bootloaders and kernels. Certain use cases may also -require that all kernel modules also be signed. Add a configuration option -that enforces this automatically when enabled. - -Signed-off-by: Matthew Garrett ---- - Documentation/x86/zero-page.txt | 2 ++ - arch/x86/Kconfig | 10 ++++++++++ - arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++ - arch/x86/include/uapi/asm/bootparam.h | 3 ++- - arch/x86/kernel/setup.c | 6 ++++++ - include/linux/module.h | 6 ++++++ - kernel/module.c | 7 +++++++ - 7 files changed, 69 insertions(+), 1 deletion(-) - -diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt -index 82fbdbc1e0b0..a811210ad486 100644 ---- a/Documentation/x86/zero-page.txt -+++ b/Documentation/x86/zero-page.txt -@@ -30,6 +30,8 @@ Offset Proto Name Meaning - 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) - 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer - (below) -+1EB/001 ALL kbd_status Numlock is enabled -+1EC/001 ALL secure_boot Secure boot is enabled in the firmware - 1EF/001 ALL sentinel Used to detect broken bootloaders - 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures - 2D0/A00 ALL e820_map E820 memory map table -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index b7d31ca55187..ab403a636357 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -1695,6 +1695,16 @@ config EFI_MIXED - - If unsure, say N. - -+config EFI_SECURE_BOOT_SIG_ENFORCE -+ def_bool n -+ prompt "Force module signing when UEFI Secure Boot is enabled" -+ ---help--- -+ UEFI Secure Boot provides a mechanism for ensuring that the -+ firmware will only load signed bootloaders and kernels. 
Certain -+ use cases may also require that all kernel modules also be signed. -+ Say Y here to automatically enable module signature enforcement -+ when a system boots with UEFI Secure Boot enabled. -+ - config SECCOMP - def_bool y - prompt "Enable seccomp to safely compute untrusted bytecode" -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index ef17683484e9..105e7360d747 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -12,6 +12,7 @@ - #include - #include - #include -+#include - - #include "../string.h" - #include "eboot.h" -@@ -827,6 +828,37 @@ out: - return status; - } - -+static int get_secure_boot(void) -+{ -+ u8 sb, setup; -+ unsigned long datasize = sizeof(sb); -+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; -+ efi_status_t status; -+ -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"SecureBoot", &var_guid, NULL, &datasize, &sb); -+ -+ if (status != EFI_SUCCESS) -+ return 0; -+ -+ if (sb == 0) -+ return 0; -+ -+ -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"SetupMode", &var_guid, NULL, &datasize, -+ &setup); -+ -+ if (status != EFI_SUCCESS) -+ return 0; -+ -+ if (setup == 1) -+ return 0; -+ -+ return 1; -+} -+ -+ - /* - * See if we have Graphics Output Protocol - */ -@@ -1406,6 +1438,10 @@ struct boot_params *efi_main(struct efi_config *c, - else - setup_boot_services32(efi_early); - -+ sanitize_boot_params(boot_params); -+ -+ boot_params->secure_boot = get_secure_boot(); -+ - setup_graphics(boot_params); - - setup_efi_pci(boot_params); -diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index 225b0988043a..90dbfb73e11f 100644 ---- a/arch/x86/include/uapi/asm/bootparam.h -+++ b/arch/x86/include/uapi/asm/bootparam.h -@@ -133,7 +133,8 @@ struct boot_params { - __u8 eddbuf_entries; /* 0x1e9 */ - __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ - __u8 kbd_status; /* 0x1eb */ -- __u8 
_pad5[3]; /* 0x1ec */ -+ __u8 secure_boot; /* 0x1ec */ -+ __u8 _pad5[2]; /* 0x1ed */ - /* - * The sentinel is set to a nonzero value (0xff) in header.S. - * -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 0a2421cca01f..a3d8174dedf9 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -1151,6 +1151,12 @@ void __init setup_arch(char **cmdline_p) - - io_delay_init(); - -+#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE -+ if (boot_params.secure_boot) { -+ enforce_signed_modules(); -+ } -+#endif -+ - /* - * Parse the ACPI tables for possible boot-time SMP configuration. - */ -diff --git a/include/linux/module.h b/include/linux/module.h -index b033dab5c8bf..f526b6e02f59 100644 ---- a/include/linux/module.h -+++ b/include/linux/module.h -@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); - - struct notifier_block; - -+#ifdef CONFIG_MODULE_SIG -+extern void enforce_signed_modules(void); -+#else -+static inline void enforce_signed_modules(void) {}; -+#endif -+ - #ifdef CONFIG_MODULES - - extern int modules_disabled; /* for sysctl */ -diff --git a/kernel/module.c b/kernel/module.c -index f3489ef9e409..3bb7c01b3c9f 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -3912,6 +3912,13 @@ void module_layout(struct module *mod, - EXPORT_SYMBOL(module_layout); - #endif - -+#ifdef CONFIG_MODULE_SIG -+void enforce_signed_modules(void) -+{ -+ sig_enforce = true; -+} -+#endif -+ - bool secure_modules(void) - { - #ifdef CONFIG_MODULE_SIG diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch deleted file mode 100644 index 4e0861ce82..0000000000 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch +++ /dev/null @@ -1,54 +0,0 @@ -From: Josh Boyer -Date: Tue, 5 Feb 2013 19:25:05 -0500 -Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode - -A user can manually tell the shim boot loader to disable validation of -images it loads. When a user does this, it creates a UEFI variable called -MokSBState that does not have the runtime attribute set. Given that the -user explicitly disabled validation, we can honor that and not enable -secure boot mode if that variable is set. - -Signed-off-by: Josh Boyer ---- - arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 105e7360d747..83fc4e9888ee 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -830,8 +830,9 @@ out: - - static int get_secure_boot(void) - { -- u8 sb, setup; -+ u8 sb, setup, moksbstate; - unsigned long datasize = sizeof(sb); -+ u32 attr; - efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; - efi_status_t status; - -@@ -855,6 +856,23 @@ static int get_secure_boot(void) - if (setup == 1) - return 0; - -+ /* See if a user has put shim into insecure_mode. If so, and the variable -+ * doesn't have the runtime attribute set, we might as well honor that. -+ */ -+ var_guid = EFI_SHIM_LOCK_GUID; -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"MokSBState", &var_guid, &attr, &datasize, -+ &moksbstate); -+ -+ /* If it fails, we don't care why. Default to secure */ -+ if (status != EFI_SUCCESS) -+ return 1; -+ -+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { -+ if (moksbstate == 1) -+ return 0; -+ } -+ - return 1; - } - 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
deleted file mode 100644
index 2b9410db84..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Josh Boyer
-Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
-
-The functionality of the config option is dependent upon the platform being
-UEFI based. Reflect this in the config deps.
-
-Signed-off-by: Josh Boyer
----
- arch/x86/Kconfig | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index ab403a636357..5dac78119fa7 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -1696,7 +1696,8 @@ config EFI_MIXED
- If unsure, say N.
-
- config EFI_SECURE_BOOT_SIG_ENFORCE
-- def_bool n
-+ def_bool n
-+ depends on EFI
- prompt "Force module signing when UEFI Secure Boot is enabled"
- ---help---
- UEFI Secure Boot provides a mechanism for ensuring that the
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/13-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/13-efi-Add-EFI_SECURE_BOOT-bit.patch
deleted file mode 100644
index 1ca9af69eb..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/13-efi-Add-EFI_SECURE_BOOT-bit.patch
+++ /dev/null
@@ -1,39 +0,0 @@ -From: Josh Boyer -Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH] efi: Add EFI_SECURE_BOOT bit - -UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit -for use with efi_enabled. - -Signed-off-by: Josh Boyer ---- - arch/x86/kernel/setup.c | 2 ++ - include/linux/efi.h | 1 + - 2 files changed, 3 insertions(+) - -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index a3d8174dedf9..26c5d54124c1 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -1153,7 +1153,9 @@ void __init setup_arch(char **cmdline_p) - - #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE - if (boot_params.secure_boot) { -+ set_bit(EFI_SECURE_BOOT, &efi.flags); - enforce_signed_modules(); -+ pr_info("Secure boot enabled\n"); - } - #endif - -diff --git a/include/linux/efi.h b/include/linux/efi.h -index cf7e431cbc73..c74cbd892032 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -942,6 +942,7 @@ extern int __init efi_setup_pcdp_console(char *); - #define EFI_64BIT 5 /* Is the firmware 64-bit? */ - #define EFI_PARAVIRT 6 /* Access is via a paravirt interface */ - #define EFI_ARCH_1 7 /* First arch-specific bit */ -+#define EFI_SECURE_BOOT 8 /* Are we in Secure Boot mode? */ - - #ifdef CONFIG_EFI - /* diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/14-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/14-hibernate-Disable-in-a-signed-modules-environment.patch deleted file mode 100644 index 77e1e70368..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/14-hibernate-Disable-in-a-signed-modules-environment.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From: Josh Boyer -Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH] hibernate: Disable in a signed modules environment - -There is currently no way to verify the resume image when returning -from hibernate. This might compromise the signed modules trust model, -so until we can work with signed hibernate images we disable it in -a secure modules environment. - -Signed-off-by: Josh Boyer ---- - kernel/power/hibernate.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index 2329daae5255..48a8e82c7e2e 100644 ---- a/kernel/power/hibernate.c -+++ b/kernel/power/hibernate.c -@@ -29,6 +29,7 @@ - #include - #include - #include -+#include - #include - - #include "power.h" -@@ -66,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops; - - bool hibernation_available(void) - { -- return (nohibernate == 0); -+ return ((nohibernate == 0) && !secure_modules()); - } - - /**
