Merge pull request #1450 from marineam/kernel

Linux 4.1.5

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.1.4-r1.ebuild

@@ -1,9 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-COREOS_SOURCE_REVISION="-r1"
-inherit coreos-kernel
-
-DESCRIPTION="CoreOS Linux kernel"
-KEYWORDS="amd64 arm64"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.0

@@ -1,941 +0,0 @@
-# CONFIG_LOCALVERSION_AUTO is not set
-CONFIG_SYSVIPC=y
-CONFIG_POSIX_MQUEUE=y
-# CONFIG_CROSS_MEMORY_ATTACH is not set
-CONFIG_FHANDLE=y
-CONFIG_AUDIT=y
-CONFIG_NO_HZ=y
-CONFIG_HIGH_RES_TIMERS=y
-CONFIG_IRQ_TIME_ACCOUNTING=y
-CONFIG_BSD_PROCESS_ACCT=y
-CONFIG_BSD_PROCESS_ACCT_V3=y
-CONFIG_TASK_XACCT=y
-CONFIG_TASK_IO_ACCOUNTING=y
-CONFIG_IKCONFIG=y
-CONFIG_IKCONFIG_PROC=y
-CONFIG_LOG_BUF_SHIFT=18
-CONFIG_NUMA_BALANCING=y
-CONFIG_CGROUP_FREEZER=y
-CONFIG_CGROUP_DEVICE=y
-CONFIG_CPUSETS=y
-CONFIG_CGROUP_CPUACCT=y
-CONFIG_MEMCG=y
-CONFIG_MEMCG_SWAP=y
-CONFIG_MEMCG_KMEM=y
-CONFIG_CGROUP_PERF=y
-CONFIG_CFS_BANDWIDTH=y
-CONFIG_RT_GROUP_SCHED=y
-CONFIG_BLK_CGROUP=y
-CONFIG_CHECKPOINT_RESTORE=y
-CONFIG_NAMESPACES=y
-CONFIG_USER_NS=y
-CONFIG_SCHED_AUTOGROUP=y
-CONFIG_BLK_DEV_INITRD=y
-CONFIG_INITRAMFS_SOURCE="bootengine.cpio"
-CONFIG_EXPERT=y
-# CONFIG_COMPAT_BRK is not set
-CONFIG_PROFILING=y
-CONFIG_JUMP_LABEL=y
-CONFIG_CC_STACKPROTECTOR_REGULAR=y
-CONFIG_MODULES=y
-CONFIG_MODULE_UNLOAD=y
-CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_SHA256=y
-CONFIG_BLK_DEV_THROTTLING=y
-CONFIG_PARTITION_ADVANCED=y
-CONFIG_BSD_DISKLABEL=y
-CONFIG_MINIX_SUBPARTITION=y
-CONFIG_SOLARIS_X86_PARTITION=y
-CONFIG_UNIXWARE_DISKLABEL=y
-CONFIG_CFQ_GROUP_IOSCHED=y
-CONFIG_SMP=y
-CONFIG_X86_X2APIC=y
-# CONFIG_X86_MPPARSE is not set
-# CONFIG_X86_EXTENDED_PLATFORM is not set
-CONFIG_X86_INTEL_LPSS=y
-CONFIG_IOSF_MBI=m
-CONFIG_HYPERVISOR_GUEST=y
-CONFIG_PARAVIRT=y
-CONFIG_PARAVIRT_SPINLOCKS=y
-CONFIG_XEN=y
-CONFIG_XEN_DEBUG_FS=y
-CONFIG_XEN_PVH=y
-CONFIG_PARAVIRT_TIME_ACCOUNTING=y
-CONFIG_MEMTEST=y
-CONFIG_GART_IOMMU=y
-CONFIG_NR_CPUS=128
-CONFIG_SCHED_SMT=y
-CONFIG_PREEMPT_VOLUNTARY=y
-CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
-# CONFIG_X86_16BIT is not set
-CONFIG_MICROCODE=m
-CONFIG_MICROCODE_AMD=y
-CONFIG_X86_MSR=m
-CONFIG_X86_CPUID=m
-CONFIG_NUMA=y
-CONFIG_NODES_SHIFT=7
-CONFIG_ARCH_MEMORY_PROBE=y
-CONFIG_MEMORY_HOTPLUG=y
-CONFIG_MEMORY_HOTREMOVE=y
-CONFIG_KSM=y
-CONFIG_MEMORY_FAILURE=y
-CONFIG_TRANSPARENT_HUGEPAGE=y
-CONFIG_CLEANCACHE=y
-CONFIG_FRONTSWAP=y
-CONFIG_ZSMALLOC=m
-CONFIG_X86_CHECK_BIOS_CORRUPTION=y
-# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
-CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=1
-CONFIG_EFI=y
-CONFIG_EFI_STUB=y
-CONFIG_HZ_1000=y
-CONFIG_KEXEC=y
-CONFIG_KEXEC_FILE=y
-CONFIG_KEXEC_VERIFY_SIG=y
-CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
-CONFIG_CRASH_DUMP=y
-CONFIG_KEXEC_JUMP=y
-CONFIG_PHYSICAL_ALIGN=0x1000000
-CONFIG_CMDLINE_BOOL=y
-CONFIG_CMDLINE="init=/usr/lib/systemd/systemd rootflags=rw mount.usrflags=ro"
-CONFIG_HIBERNATION=y
-# CONFIG_ACPI_AC is not set
-# CONFIG_ACPI_BATTERY is not set
-CONFIG_ACPI_BUTTON=m
-CONFIG_ACPI_FAN=m
-CONFIG_ACPI_IPMI=m
-CONFIG_ACPI_PROCESSOR_AGGREGATOR=y
-CONFIG_ACPI_PCI_SLOT=y
-CONFIG_ACPI_HOTPLUG_MEMORY=y
-CONFIG_ACPI_APEI=y
-CONFIG_ACPI_APEI_GHES=y
-CONFIG_ACPI_APEI_PCIEAER=y
-CONFIG_ACPI_APEI_MEMORY_FAILURE=y
-CONFIG_ACPI_APEI_ERST_DEBUG=m
-CONFIG_PMIC_OPREGION=y
-CONFIG_CPU_FREQ=y
-CONFIG_CPU_FREQ_STAT=m
-CONFIG_CPU_FREQ_STAT_DETAILS=y
-CONFIG_CPU_FREQ_GOV_POWERSAVE=m
-CONFIG_CPU_FREQ_GOV_USERSPACE=m
-CONFIG_CPU_FREQ_GOV_ONDEMAND=m
-CONFIG_CPU_FREQ_GOV_CONSERVATIVE=m
-CONFIG_X86_INTEL_PSTATE=y
-CONFIG_X86_PCC_CPUFREQ=m
-CONFIG_X86_ACPI_CPUFREQ=m
-# CONFIG_X86_ACPI_CPUFREQ_CPB is not set
-CONFIG_X86_AMD_FREQ_SENSITIVITY=m
-CONFIG_INTEL_IDLE=y
-CONFIG_I7300_IDLE=m
-CONFIG_PCI_MMCONFIG=y
-CONFIG_PCIEPORTBUS=y
-CONFIG_HOTPLUG_PCI_PCIE=y
-CONFIG_PCIE_ECRC=y
-CONFIG_XEN_PCIDEV_FRONTEND=m
-CONFIG_HOTPLUG_PCI=y
-CONFIG_HOTPLUG_PCI_ACPI=y
-CONFIG_HOTPLUG_PCI_ACPI_IBM=m
-CONFIG_IA32_EMULATION=y
-CONFIG_NET=y
-CONFIG_PACKET=y
-CONFIG_PACKET_DIAG=m
-CONFIG_UNIX=y
-CONFIG_UNIX_DIAG=m
-CONFIG_XFRM_USER=m
-CONFIG_XFRM_SUB_POLICY=y
-CONFIG_XFRM_MIGRATE=y
-CONFIG_XFRM_STATISTICS=y
-CONFIG_NET_KEY=m
-CONFIG_INET=y
-CONFIG_IP_MULTICAST=y
-CONFIG_IP_ADVANCED_ROUTER=y
-CONFIG_IP_FIB_TRIE_STATS=y
-CONFIG_IP_MULTIPLE_TABLES=y
-CONFIG_IP_ROUTE_MULTIPATH=y
-CONFIG_IP_ROUTE_VERBOSE=y
-CONFIG_IP_PNP=y
-CONFIG_IP_PNP_DHCP=y
-CONFIG_IP_PNP_BOOTP=y
-CONFIG_NET_IPIP=m
-CONFIG_NET_IPGRE_DEMUX=m
-CONFIG_NET_IPGRE=m
-CONFIG_NET_IPGRE_BROADCAST=y
-CONFIG_IP_MROUTE=y
-CONFIG_IP_MROUTE_MULTIPLE_TABLES=y
-CONFIG_IP_PIMSM_V1=y
-CONFIG_IP_PIMSM_V2=y
-CONFIG_NET_IPVTI=m
-CONFIG_NET_FOU_IP_TUNNELS=y
-CONFIG_GENEVE=m
-CONFIG_INET_AH=m
-CONFIG_INET_ESP=m
-CONFIG_INET_IPCOMP=m
-CONFIG_INET_XFRM_MODE_TRANSPORT=m
-CONFIG_INET_XFRM_MODE_TUNNEL=m
-CONFIG_INET_XFRM_MODE_BEET=m
-CONFIG_INET_LRO=m
-CONFIG_INET_DIAG=m
-CONFIG_INET_UDP_DIAG=m
-CONFIG_TCP_CONG_ADVANCED=y
-# CONFIG_TCP_CONG_BIC is not set
-# CONFIG_TCP_CONG_WESTWOOD is not set
-# CONFIG_TCP_CONG_HTCP is not set
-CONFIG_TCP_MD5SIG=y
-CONFIG_IPV6=y
-CONFIG_IPV6_ROUTER_PREF=y
-CONFIG_IPV6_ROUTE_INFO=y
-CONFIG_IPV6_OPTIMISTIC_DAD=y
-CONFIG_INET6_AH=m
-CONFIG_INET6_ESP=m
-CONFIG_INET6_IPCOMP=m
-CONFIG_IPV6_MIP6=m
-CONFIG_INET6_XFRM_MODE_TRANSPORT=m
-CONFIG_INET6_XFRM_MODE_TUNNEL=m
-CONFIG_INET6_XFRM_MODE_BEET=m
-CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
-CONFIG_IPV6_VTI=m
-CONFIG_IPV6_SIT=m
-CONFIG_IPV6_SIT_6RD=y
-CONFIG_IPV6_GRE=m
-CONFIG_IPV6_MULTIPLE_TABLES=y
-CONFIG_IPV6_SUBTREES=y
-CONFIG_IPV6_MROUTE=y
-CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
-CONFIG_IPV6_PIMSM_V2=y
-CONFIG_NETWORK_PHY_TIMESTAMPING=y
-CONFIG_NETFILTER=y
-CONFIG_NF_CONNTRACK=m
-CONFIG_NF_CONNTRACK_SECMARK=y
-CONFIG_NF_CONNTRACK_ZONES=y
-CONFIG_NF_CONNTRACK_EVENTS=y
-CONFIG_NF_CONNTRACK_TIMEOUT=y
-CONFIG_NF_CONNTRACK_TIMESTAMP=y
-CONFIG_NF_CT_PROTO_UDPLITE=m
-CONFIG_NF_CONNTRACK_AMANDA=m
-CONFIG_NF_CONNTRACK_FTP=m
-CONFIG_NF_CONNTRACK_H323=m
-CONFIG_NF_CONNTRACK_IRC=m
-CONFIG_NF_CONNTRACK_NETBIOS_NS=m
-CONFIG_NF_CONNTRACK_SNMP=m
-CONFIG_NF_CONNTRACK_PPTP=m
-CONFIG_NF_CONNTRACK_SANE=m
-CONFIG_NF_CONNTRACK_SIP=m
-CONFIG_NF_CONNTRACK_TFTP=m
-CONFIG_NF_CT_NETLINK=m
-CONFIG_NF_CT_NETLINK_TIMEOUT=m
-CONFIG_NF_CT_NETLINK_HELPER=m
-CONFIG_NETFILTER_NETLINK_QUEUE_CT=y
-CONFIG_NETFILTER_XTABLES=y
-CONFIG_NETFILTER_XT_SET=m
-CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
-CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
-CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
-CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
-CONFIG_NETFILTER_XT_TARGET_CT=m
-CONFIG_NETFILTER_XT_TARGET_DSCP=m
-CONFIG_NETFILTER_XT_TARGET_HMARK=m
-CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
-CONFIG_NETFILTER_XT_TARGET_LOG=m
-CONFIG_NETFILTER_XT_TARGET_MARK=m
-CONFIG_NETFILTER_XT_TARGET_NFLOG=m
-CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
-CONFIG_NETFILTER_XT_TARGET_TEE=m
-CONFIG_NETFILTER_XT_TARGET_TPROXY=m
-CONFIG_NETFILTER_XT_TARGET_TRACE=m
-CONFIG_NETFILTER_XT_TARGET_SECMARK=m
-CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
-CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
-CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
-CONFIG_NETFILTER_XT_MATCH_BPF=m
-CONFIG_NETFILTER_XT_MATCH_CGROUP=m
-CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
-CONFIG_NETFILTER_XT_MATCH_COMMENT=m
-CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
-CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
-CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
-CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
-CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
-CONFIG_NETFILTER_XT_MATCH_CPU=m
-CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
-CONFIG_NETFILTER_XT_MATCH_DSCP=m
-CONFIG_NETFILTER_XT_MATCH_ESP=m
-CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
-CONFIG_NETFILTER_XT_MATCH_HELPER=m
-CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
-CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
-CONFIG_NETFILTER_XT_MATCH_IPVS=m
-CONFIG_NETFILTER_XT_MATCH_L2TP=m
-CONFIG_NETFILTER_XT_MATCH_LENGTH=m
-CONFIG_NETFILTER_XT_MATCH_LIMIT=m
-CONFIG_NETFILTER_XT_MATCH_MAC=m
-CONFIG_NETFILTER_XT_MATCH_MARK=m
-CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
-CONFIG_NETFILTER_XT_MATCH_NFACCT=m
-CONFIG_NETFILTER_XT_MATCH_OSF=m
-CONFIG_NETFILTER_XT_MATCH_OWNER=m
-CONFIG_NETFILTER_XT_MATCH_POLICY=m
-CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
-CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
-CONFIG_NETFILTER_XT_MATCH_QUOTA=m
-CONFIG_NETFILTER_XT_MATCH_RATEEST=m
-CONFIG_NETFILTER_XT_MATCH_REALM=m
-CONFIG_NETFILTER_XT_MATCH_RECENT=m
-CONFIG_NETFILTER_XT_MATCH_SOCKET=m
-CONFIG_NETFILTER_XT_MATCH_STATE=m
-CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
-CONFIG_NETFILTER_XT_MATCH_STRING=m
-CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
-CONFIG_NETFILTER_XT_MATCH_TIME=m
-CONFIG_NETFILTER_XT_MATCH_U32=m
-CONFIG_IP_SET=m
-CONFIG_IP_SET_BITMAP_IP=m
-CONFIG_IP_SET_BITMAP_IPMAC=m
-CONFIG_IP_SET_BITMAP_PORT=m
-CONFIG_IP_SET_HASH_IP=m
-CONFIG_IP_SET_HASH_IPMARK=m
-CONFIG_IP_SET_HASH_IPPORT=m
-CONFIG_IP_SET_HASH_IPPORTIP=m
-CONFIG_IP_SET_HASH_IPPORTNET=m
-CONFIG_IP_SET_HASH_MAC=m
-CONFIG_IP_SET_HASH_NETPORTNET=m
-CONFIG_IP_SET_HASH_NET=m
-CONFIG_IP_SET_HASH_NETNET=m
-CONFIG_IP_SET_HASH_NETPORT=m
-CONFIG_IP_SET_HASH_NETIFACE=m
-CONFIG_IP_SET_LIST_SET=m
-CONFIG_IP_VS=m
-CONFIG_IP_VS_IPV6=y
-CONFIG_IP_VS_PROTO_TCP=y
-CONFIG_IP_VS_PROTO_UDP=y
-CONFIG_IP_VS_PROTO_ESP=y
-CONFIG_IP_VS_PROTO_AH=y
-CONFIG_IP_VS_PROTO_SCTP=y
-CONFIG_IP_VS_RR=m
-CONFIG_IP_VS_WRR=m
-CONFIG_IP_VS_LC=m
-CONFIG_IP_VS_WLC=m
-CONFIG_IP_VS_FO=m
-CONFIG_IP_VS_LBLC=m
-CONFIG_IP_VS_LBLCR=m
-CONFIG_IP_VS_DH=m
-CONFIG_IP_VS_SH=m
-CONFIG_IP_VS_SED=m
-CONFIG_IP_VS_NQ=m
-CONFIG_IP_VS_FTP=m
-CONFIG_IP_VS_PE_SIP=m
-CONFIG_NF_CONNTRACK_IPV4=m
-# CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
-CONFIG_IP_NF_IPTABLES=m
-CONFIG_IP_NF_MATCH_AH=m
-CONFIG_IP_NF_MATCH_ECN=m
-CONFIG_IP_NF_MATCH_RPFILTER=m
-CONFIG_IP_NF_MATCH_TTL=m
-CONFIG_IP_NF_FILTER=m
-CONFIG_IP_NF_TARGET_REJECT=m
-CONFIG_IP_NF_TARGET_SYNPROXY=m
-CONFIG_IP_NF_NAT=m
-CONFIG_IP_NF_TARGET_MASQUERADE=m
-CONFIG_IP_NF_TARGET_NETMAP=m
-CONFIG_IP_NF_TARGET_REDIRECT=m
-CONFIG_IP_NF_MANGLE=m
-CONFIG_IP_NF_TARGET_CLUSTERIP=m
-CONFIG_IP_NF_TARGET_ECN=m
-CONFIG_IP_NF_TARGET_TTL=m
-CONFIG_IP_NF_RAW=m
-CONFIG_IP_NF_ARPTABLES=m
-CONFIG_IP_NF_ARPFILTER=m
-CONFIG_IP_NF_ARP_MANGLE=m
-CONFIG_NF_CONNTRACK_IPV6=m
-CONFIG_IP6_NF_MATCH_AH=m
-CONFIG_IP6_NF_MATCH_EUI64=m
-CONFIG_IP6_NF_MATCH_FRAG=m
-CONFIG_IP6_NF_MATCH_OPTS=m
-CONFIG_IP6_NF_MATCH_HL=m
-CONFIG_IP6_NF_MATCH_IPV6HEADER=m
-CONFIG_IP6_NF_MATCH_MH=m
-CONFIG_IP6_NF_MATCH_RPFILTER=m
-CONFIG_IP6_NF_MATCH_RT=m
-CONFIG_IP6_NF_TARGET_HL=m
-CONFIG_IP6_NF_FILTER=m
-CONFIG_IP6_NF_TARGET_REJECT=m
-CONFIG_IP6_NF_TARGET_SYNPROXY=m
-CONFIG_IP6_NF_MANGLE=m
-CONFIG_IP6_NF_RAW=m
-CONFIG_IP6_NF_NAT=m
-CONFIG_IP6_NF_TARGET_MASQUERADE=m
-CONFIG_IP6_NF_TARGET_NPT=m
-CONFIG_BRIDGE_NF_EBTABLES=m
-CONFIG_BRIDGE_EBT_BROUTE=m
-CONFIG_BRIDGE_EBT_T_FILTER=m
-CONFIG_BRIDGE_EBT_T_NAT=m
-CONFIG_BRIDGE_EBT_802_3=m
-CONFIG_BRIDGE_EBT_AMONG=m
-CONFIG_BRIDGE_EBT_ARP=m
-CONFIG_BRIDGE_EBT_IP=m
-CONFIG_BRIDGE_EBT_IP6=m
-CONFIG_BRIDGE_EBT_LIMIT=m
-CONFIG_BRIDGE_EBT_MARK=m
-CONFIG_BRIDGE_EBT_PKTTYPE=m
-CONFIG_BRIDGE_EBT_STP=m
-CONFIG_BRIDGE_EBT_VLAN=m
-CONFIG_BRIDGE_EBT_ARPREPLY=m
-CONFIG_BRIDGE_EBT_DNAT=m
-CONFIG_BRIDGE_EBT_MARK_T=m
-CONFIG_BRIDGE_EBT_REDIRECT=m
-CONFIG_BRIDGE_EBT_SNAT=m
-CONFIG_BRIDGE_EBT_LOG=m
-CONFIG_BRIDGE_EBT_NFLOG=m
-CONFIG_IP_DCCP=m
-CONFIG_IP_SCTP=m
-CONFIG_SCTP_COOKIE_HMAC_SHA1=y
-CONFIG_RDS=m
-CONFIG_RDS_RDMA=m
-CONFIG_RDS_TCP=m
-CONFIG_BRIDGE=m
-CONFIG_BRIDGE_VLAN_FILTERING=y
-CONFIG_VLAN_8021Q=m
-CONFIG_VLAN_8021Q_GVRP=y
-CONFIG_VLAN_8021Q_MVRP=y
-CONFIG_NET_SCHED=y
-CONFIG_NET_SCH_CBQ=m
-CONFIG_NET_SCH_HTB=m
-CONFIG_NET_SCH_HFSC=m
-CONFIG_NET_SCH_PRIO=m
-CONFIG_NET_SCH_MULTIQ=m
-CONFIG_NET_SCH_RED=m
-CONFIG_NET_SCH_SFB=m
-CONFIG_NET_SCH_SFQ=m
-CONFIG_NET_SCH_TEQL=m
-CONFIG_NET_SCH_TBF=m
-CONFIG_NET_SCH_GRED=m
-CONFIG_NET_SCH_DSMARK=m
-CONFIG_NET_SCH_NETEM=m
-CONFIG_NET_SCH_DRR=m
-CONFIG_NET_SCH_MQPRIO=m
-CONFIG_NET_SCH_CHOKE=m
-CONFIG_NET_SCH_QFQ=m
-CONFIG_NET_SCH_CODEL=m
-CONFIG_NET_SCH_FQ_CODEL=m
-CONFIG_NET_SCH_FQ=m
-CONFIG_NET_SCH_HHF=m
-CONFIG_NET_SCH_PIE=m
-CONFIG_NET_SCH_INGRESS=m
-CONFIG_NET_SCH_PLUG=m
-CONFIG_NET_CLS_BASIC=m
-CONFIG_NET_CLS_TCINDEX=m
-CONFIG_NET_CLS_ROUTE4=m
-CONFIG_NET_CLS_FW=m
-CONFIG_NET_CLS_U32=m
-CONFIG_CLS_U32_PERF=y
-CONFIG_CLS_U32_MARK=y
-CONFIG_NET_CLS_RSVP=m
-CONFIG_NET_CLS_RSVP6=m
-CONFIG_NET_CLS_FLOW=m
-CONFIG_NET_CLS_CGROUP=m
-CONFIG_NET_CLS_BPF=m
-CONFIG_NET_EMATCH=y
-CONFIG_NET_EMATCH_CMP=m
-CONFIG_NET_EMATCH_NBYTE=m
-CONFIG_NET_EMATCH_U32=m
-CONFIG_NET_EMATCH_META=m
-CONFIG_NET_EMATCH_TEXT=m
-CONFIG_NET_EMATCH_IPSET=m
-CONFIG_NET_CLS_ACT=y
-CONFIG_NET_ACT_POLICE=m
-CONFIG_NET_ACT_GACT=m
-CONFIG_GACT_PROB=y
-CONFIG_NET_ACT_MIRRED=m
-CONFIG_NET_ACT_IPT=m
-CONFIG_NET_ACT_NAT=m
-CONFIG_NET_ACT_PEDIT=m
-CONFIG_NET_ACT_SKBEDIT=m
-CONFIG_NET_ACT_CSUM=m
-CONFIG_NET_ACT_VLAN=m
-CONFIG_NET_CLS_IND=y
-CONFIG_DCB=y
-CONFIG_OPENVSWITCH=m
-CONFIG_VSOCKETS=m
-CONFIG_VMWARE_VMCI_VSOCKETS=m
-CONFIG_NETLINK_MMAP=y
-CONFIG_NETLINK_DIAG=m
-CONFIG_CGROUP_NET_PRIO=y
-CONFIG_BPF_JIT=y
-CONFIG_NET_DROP_MONITOR=m
-# CONFIG_WIRELESS is not set
-CONFIG_NET_9P=m
-CONFIG_NET_9P_VIRTIO=m
-CONFIG_NET_9P_RDMA=m
-# CONFIG_UEVENT_HELPER is not set
-CONFIG_DEVTMPFS=y
-CONFIG_DEVTMPFS_MOUNT=y
-CONFIG_FW_LOADER=m
-# CONFIG_FIRMWARE_IN_KERNEL is not set
-CONFIG_CONNECTOR=m
-CONFIG_MTD=m
-# CONFIG_PNP_DEBUG_MESSAGES is not set
-CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m
-CONFIG_ZRAM=m
-CONFIG_ZRAM_LZ4_COMPRESS=y
-CONFIG_BLK_CPQ_CISS_DA=m
-CONFIG_BLK_DEV_LOOP=m
-CONFIG_BLK_DEV_NVME=m
-CONFIG_BLK_DEV_RAM=m
-CONFIG_XEN_BLKDEV_FRONTEND=m
-CONFIG_XEN_BLKDEV_BACKEND=m
-CONFIG_VIRTIO_BLK=m
-CONFIG_BLK_DEV_RBD=m
-CONFIG_HP_ILO=m
-CONFIG_VMWARE_BALLOON=m
-CONFIG_INTEL_MEI_ME=m
-CONFIG_INTEL_MEI_TXE=m
-CONFIG_VMWARE_VMCI=m
-CONFIG_BLK_DEV_SD=m
-CONFIG_BLK_DEV_SR=m
-CONFIG_CHR_DEV_SG=m
-CONFIG_SCSI_CONSTANTS=y
-CONFIG_SCSI_LOGGING=y
-CONFIG_SCSI_SCAN_ASYNC=y
-CONFIG_SCSI_FC_ATTRS=m
-CONFIG_SCSI_SAS_ATA=y
-CONFIG_ISCSI_TCP=m
-CONFIG_ISCSI_BOOT_SYSFS=m
-CONFIG_SCSI_HPSA=m
-CONFIG_SCSI_3W_9XXX=m
-CONFIG_SCSI_3W_SAS=m
-CONFIG_SCSI_AACRAID=m
-CONFIG_SCSI_AIC94XX=m
-# CONFIG_AIC94XX_DEBUG is not set
-CONFIG_SCSI_MVSAS=m
-# CONFIG_SCSI_MVSAS_DEBUG is not set
-CONFIG_SCSI_MVSAS_TASKLET=y
-CONFIG_SCSI_ARCMSR=m
-CONFIG_MEGARAID_SAS=m
-CONFIG_SCSI_MPT2SAS=m
-CONFIG_SCSI_MPT3SAS=m
-CONFIG_SCSI_BUSLOGIC=m
-CONFIG_VMWARE_PVSCSI=m
-CONFIG_XEN_SCSI_FRONTEND=m
-CONFIG_SCSI_ISCI=m
-CONFIG_SCSI_SYM53C8XX_2=m
-CONFIG_SCSI_QLA_FC=m
-CONFIG_SCSI_LPFC=m
-CONFIG_SCSI_VIRTIO=m
-CONFIG_SCSI_DH=m
-CONFIG_ATA=m
-CONFIG_SATA_AHCI=m
-CONFIG_SATA_SIL24=m
-CONFIG_PDC_ADMA=m
-CONFIG_SATA_QSTOR=m
-CONFIG_SATA_SX4=m
-CONFIG_ATA_PIIX=m
-CONFIG_SATA_MV=m
-CONFIG_SATA_NV=m
-CONFIG_SATA_PROMISE=m
-CONFIG_SATA_SIS=m
-CONFIG_SATA_VIA=m
-CONFIG_SATA_VITESSE=m
-CONFIG_PATA_VIA=m
-CONFIG_MD=y
-CONFIG_MD_LINEAR=m
-CONFIG_MD_RAID0=m
-CONFIG_BCACHE=m
-CONFIG_BLK_DEV_DM=m
-CONFIG_DM_CRYPT=m
-CONFIG_DM_SNAPSHOT=m
-CONFIG_DM_THIN_PROVISIONING=m
-CONFIG_DM_MIRROR=m
-CONFIG_DM_RAID=m
-CONFIG_DM_ZERO=m
-CONFIG_DM_MULTIPATH=m
-CONFIG_DM_MULTIPATH_QL=m
-CONFIG_DM_MULTIPATH_ST=m
-CONFIG_DM_UEVENT=y
-CONFIG_DM_VERITY=m
-CONFIG_FUSION=y
-CONFIG_FUSION_SPI=m
-CONFIG_FUSION_SAS=m
-CONFIG_FUSION_MAX_SGE=40
-CONFIG_FUSION_CTL=m
-CONFIG_FUSION_LOGGING=y
-CONFIG_NETDEVICES=y
-CONFIG_BONDING=m
-CONFIG_DUMMY=m
-CONFIG_MACVLAN=m
-CONFIG_MACVTAP=m
-CONFIG_IPVLAN=m
-CONFIG_VXLAN=m
-CONFIG_NETCONSOLE=m
-CONFIG_NETCONSOLE_DYNAMIC=y
-CONFIG_TUN=m
-CONFIG_VETH=m
-CONFIG_VIRTIO_NET=m
-CONFIG_VHOST_NET=m
-# CONFIG_NET_VENDOR_3COM is not set
-# CONFIG_NET_VENDOR_ADAPTEC is not set
-# CONFIG_NET_VENDOR_AGERE is not set
-CONFIG_ACENIC=m
-CONFIG_AMD8111_ETH=m
-CONFIG_PCNET32=m
-# CONFIG_NET_VENDOR_ARC is not set
-CONFIG_ATL2=m
-CONFIG_ATL1=m
-CONFIG_ATL1E=m
-CONFIG_ATL1C=m
-CONFIG_ALX=m
-CONFIG_B44=m
-CONFIG_CNIC=m
-CONFIG_TIGON3=m
-CONFIG_BNX2X=m
-CONFIG_BNA=m
-CONFIG_CHELSIO_T1=m
-CONFIG_CHELSIO_T1_1G=y
-CONFIG_CHELSIO_T3=m
-CONFIG_CHELSIO_T4=m
-CONFIG_CHELSIO_T4VF=m
-CONFIG_NET_TULIP=y
-CONFIG_TULIP=m
-CONFIG_TULIP_MMIO=y
-CONFIG_TULIP_NAPI=y
-CONFIG_DL2K=m
-CONFIG_SUNDANCE=m
-CONFIG_S2IO=m
-CONFIG_VXGE=m
-CONFIG_HP100=m
-CONFIG_E100=m
-CONFIG_E1000=m
-CONFIG_E1000E=m
-CONFIG_IGB=m
-CONFIG_IGBVF=m
-CONFIG_IXGB=m
-CONFIG_IXGBE=m
-CONFIG_IXGBEVF=m
-CONFIG_I40E=m
-CONFIG_I40E_VXLAN=y
-CONFIG_I40EVF=m
-CONFIG_IP1000=m
-CONFIG_JME=m
-CONFIG_SKGE=m
-CONFIG_SKY2=m
-CONFIG_MLX4_EN=m
-# CONFIG_MLX4_DEBUG is not set
-# CONFIG_NET_VENDOR_MICREL is not set
-CONFIG_MYRI10GE=m
-# CONFIG_NET_VENDOR_NATSEMI is not set
-CONFIG_FORCEDETH=m
-# CONFIG_NET_VENDOR_OKI is not set
-# CONFIG_NET_PACKET_ENGINE is not set
-CONFIG_NETXEN_NIC=m
-# CONFIG_NET_VENDOR_QUALCOMM is not set
-CONFIG_8139CP=m
-CONFIG_8139TOO=m
-CONFIG_8139TOO_TUNE_TWISTER=y
-CONFIG_8139TOO_8129=y
-CONFIG_R8169=m
-# CONFIG_NET_VENDOR_RDC is not set
-# CONFIG_NET_VENDOR_ROCKER is not set
-# CONFIG_NET_VENDOR_SAMSUNG is not set
-# CONFIG_NET_VENDOR_SEEQ is not set
-# CONFIG_NET_VENDOR_SILAN is not set
-# CONFIG_NET_VENDOR_SIS is not set
-CONFIG_SFC=m
-# CONFIG_NET_VENDOR_SMSC is not set
-# CONFIG_NET_VENDOR_STMICRO is not set
-# CONFIG_NET_VENDOR_SUN is not set
-# CONFIG_NET_VENDOR_TEHUTI is not set
-# CONFIG_NET_VENDOR_TI is not set
-# CONFIG_NET_VENDOR_VIA is not set
-# CONFIG_NET_VENDOR_WIZNET is not set
-CONFIG_AT803X_PHY=m
-CONFIG_AMD_PHY=m
-CONFIG_MARVELL_PHY=m
-CONFIG_BROADCOM_PHY=m
-CONFIG_BCM87XX_PHY=m
-CONFIG_REALTEK_PHY=m
-# CONFIG_USB_NET_DRIVERS is not set
-# CONFIG_WLAN is not set
-CONFIG_XEN_NETDEV_FRONTEND=m
-CONFIG_XEN_NETDEV_BACKEND=m
-CONFIG_VMXNET3=m
-CONFIG_HYPERV_NET=m
-CONFIG_INPUT_MOUSEDEV=m
-# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
-CONFIG_INPUT_EVDEV=m
-CONFIG_MOUSE_PS2=m
-# CONFIG_MOUSE_PS2_ALPS is not set
-# CONFIG_MOUSE_PS2_LOGIPS2PP is not set
-# CONFIG_MOUSE_PS2_SYNAPTICS is not set
-# CONFIG_MOUSE_PS2_CYPRESS is not set
-# CONFIG_MOUSE_PS2_LIFEBOOK is not set
-# CONFIG_MOUSE_PS2_TRACKPOINT is not set
-# CONFIG_MOUSE_PS2_FOCALTECH is not set
-CONFIG_INPUT_MISC=y
-# CONFIG_SERIO_SERPORT is not set
-CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
-# CONFIG_LEGACY_PTYS is not set
-# CONFIG_DEVKMEM is not set
-CONFIG_SERIAL_8250=y
-CONFIG_SERIAL_8250_CONSOLE=y
-CONFIG_SERIAL_8250_NR_UARTS=32
-CONFIG_SERIAL_8250_EXTENDED=y
-CONFIG_SERIAL_8250_MANY_PORTS=y
-CONFIG_SERIAL_8250_SHARE_IRQ=y
-CONFIG_SERIAL_8250_RSA=y
-CONFIG_TTY_PRINTK=y
-CONFIG_VIRTIO_CONSOLE=m
-CONFIG_IPMI_HANDLER=m
-CONFIG_IPMI_PANIC_EVENT=y
-CONFIG_IPMI_PANIC_STRING=y
-CONFIG_IPMI_DEVICE_INTERFACE=m
-CONFIG_IPMI_SI=m
-CONFIG_IPMI_SSIF=m
-CONFIG_IPMI_WATCHDOG=m
-CONFIG_IPMI_POWEROFF=m
-CONFIG_HW_RANDOM_TIMERIOMEM=m
-CONFIG_HW_RANDOM_VIRTIO=m
-CONFIG_NVRAM=m
-CONFIG_RAW_DRIVER=m
-CONFIG_MAX_RAW_DEVS=8192
-CONFIG_HPET=y
-CONFIG_HANGCHECK_TIMER=m
-CONFIG_TCG_TPM=m
-CONFIG_TCG_TIS=m
-CONFIG_TCG_TIS_I2C_ATMEL=m
-CONFIG_TCG_TIS_I2C_INFINEON=m
-CONFIG_TCG_TIS_I2C_NUVOTON=m
-CONFIG_TCG_NSC=m
-CONFIG_TCG_ATMEL=m
-CONFIG_TCG_INFINEON=m
-CONFIG_TCG_XEN=m
-# CONFIG_I2C_COMPAT is not set
-CONFIG_I2C_AMD756=m
-CONFIG_I2C_AMD8111=m
-CONFIG_I2C_I801=m
-CONFIG_I2C_PIIX4=m
-CONFIG_HWMON=m
-CONFIG_SENSORS_K8TEMP=m
-CONFIG_SENSORS_K10TEMP=m
-CONFIG_SENSORS_FAM15H_POWER=m
-CONFIG_SENSORS_I5500=m
-CONFIG_SENSORS_CORETEMP=m
-CONFIG_INT340X_THERMAL=m
-CONFIG_WATCHDOG=y
-CONFIG_SOFT_WATCHDOG=m
-CONFIG_ITCO_WDT=m
-CONFIG_ITCO_VENDOR_SUPPORT=y
-CONFIG_XEN_WDT=m
-CONFIG_FB=y
-CONFIG_FB_VESA=y
-CONFIG_FB_EFI=y
-CONFIG_XEN_FBDEV_FRONTEND=m
-CONFIG_FB_HYPERV=m
-CONFIG_BACKLIGHT_LCD_SUPPORT=y
-# CONFIG_LCD_CLASS_DEVICE is not set
-# CONFIG_BACKLIGHT_CLASS_DEVICE is not set
-CONFIG_VGACON_SOFT_SCROLLBACK=y
-CONFIG_FRAMEBUFFER_CONSOLE=y
-CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
-CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
-CONFIG_HID=m
-CONFIG_HID_A4TECH=m
-CONFIG_HID_APPLE=m
-CONFIG_HID_BELKIN=m
-CONFIG_HID_CHERRY=m
-CONFIG_HID_EZKEY=m
-CONFIG_HID_LOGITECH=m
-CONFIG_HID_MICROSOFT=m
-CONFIG_HID_MONTEREY=m
-CONFIG_HID_HYPERV_MOUSE=m
-CONFIG_USB=m
-CONFIG_USB_XHCI_HCD=m
-CONFIG_USB_EHCI_HCD=m
-CONFIG_USB_OHCI_HCD=m
-CONFIG_USB_OHCI_HCD_SSB=y
-CONFIG_USB_UHCI_HCD=m
-CONFIG_USB_STORAGE=m
-CONFIG_USB_UAS=m
-CONFIG_USB_SERIAL=m
-CONFIG_USB_SERIAL_GENERIC=y
-CONFIG_USB_SERIAL_CP210X=m
-CONFIG_USB_SERIAL_FTDI_SIO=m
-CONFIG_MMC=m
-CONFIG_MMC_BLOCK_MINORS=16
-CONFIG_MMC_SDHCI=m
-CONFIG_MMC_SDHCI_PCI=m
-# CONFIG_MMC_RICOH_MMC is not set
-CONFIG_MMC_SDHCI_ACPI=m
-CONFIG_INFINIBAND=m
-CONFIG_INFINIBAND_USER_MAD=m
-CONFIG_INFINIBAND_MTHCA=m
-CONFIG_INFINIBAND_IPATH=m
-CONFIG_INFINIBAND_QIB=m
-CONFIG_INFINIBAND_AMSO1100=m
-CONFIG_INFINIBAND_CXGB3=m
-CONFIG_INFINIBAND_CXGB4=m
-CONFIG_MLX4_INFINIBAND=m
-CONFIG_MLX5_INFINIBAND=m
-CONFIG_INFINIBAND_NES=m
-CONFIG_INFINIBAND_OCRDMA=m
-CONFIG_INFINIBAND_USNIC=m
-CONFIG_INFINIBAND_IPOIB=m
-CONFIG_INFINIBAND_IPOIB_CM=y
-CONFIG_INFINIBAND_IPOIB_DEBUG_DATA=y
-CONFIG_INFINIBAND_SRP=m
-CONFIG_INFINIBAND_ISER=m
-CONFIG_EDAC=y
-# CONFIG_EDAC_LEGACY_SYSFS is not set
-CONFIG_EDAC_DECODE_MCE=m
-CONFIG_EDAC_MCE_INJ=m
-CONFIG_EDAC_MM_EDAC=m
-CONFIG_EDAC_AMD64=m
-CONFIG_EDAC_E752X=m
-CONFIG_EDAC_I82975X=m
-CONFIG_EDAC_I3000=m
-CONFIG_EDAC_I3200=m
-CONFIG_EDAC_X38=m
-CONFIG_EDAC_I5400=m
-CONFIG_EDAC_I7CORE=m
-CONFIG_EDAC_I5000=m
-CONFIG_EDAC_I5100=m
-CONFIG_EDAC_I7300=m
-CONFIG_EDAC_SBRIDGE=m
-CONFIG_RTC_CLASS=y
-CONFIG_DMADEVICES=y
-CONFIG_INTEL_IOATDMA=y
-CONFIG_VFIO=m
-CONFIG_VFIO_PCI=m
-CONFIG_VFIO_PCI_VGA=y
-CONFIG_VIRT_DRIVERS=y
-CONFIG_VIRTIO_PCI=m
-CONFIG_VIRTIO_BALLOON=m
-CONFIG_VIRTIO_MMIO=m
-CONFIG_HYPERV=m
-CONFIG_HYPERV_UTILS=m
-CONFIG_HYPERV_BALLOON=m
-CONFIG_XEN_SELFBALLOONING=y
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-CONFIG_XEN_DEV_EVTCHN=m
-CONFIG_XENFS=m
-CONFIG_XEN_MCE_LOG=y
-CONFIG_PVPANIC=m
-CONFIG_AMD_IOMMU=y
-CONFIG_AMD_IOMMU_V2=m
-CONFIG_INTEL_IOMMU=y
-CONFIG_IRQ_REMAP=y
-CONFIG_DELL_RBU=m
-CONFIG_DCDBAS=m
-CONFIG_DMI_SYSFS=m
-CONFIG_ISCSI_IBFT_FIND=y
-CONFIG_EFI_VARS=m
-CONFIG_EXT4_FS=m
-CONFIG_EXT4_FS_POSIX_ACL=y
-CONFIG_EXT4_FS_SECURITY=y
-CONFIG_XFS_FS=m
-CONFIG_XFS_POSIX_ACL=y
-CONFIG_BTRFS_FS=m
-CONFIG_BTRFS_FS_POSIX_ACL=y
-CONFIG_FANOTIFY=y
-CONFIG_QUOTA=y
-CONFIG_QUOTA_NETLINK_INTERFACE=y
-# CONFIG_PRINT_QUOTA_WARNING is not set
-CONFIG_QFMT_V2=m
-CONFIG_AUTOFS4_FS=m
-CONFIG_FUSE_FS=m
-CONFIG_OVERLAY_FS=m
-CONFIG_ISO9660_FS=m
-CONFIG_JOLIET=y
-CONFIG_ZISOFS=y
-CONFIG_UDF_FS=m
-CONFIG_MSDOS_FS=m
-CONFIG_VFAT_FS=m
-CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
-CONFIG_PROC_KCORE=y
-CONFIG_TMPFS=y
-CONFIG_TMPFS_POSIX_ACL=y
-CONFIG_HUGETLBFS=y
-CONFIG_CONFIGFS_FS=m
-CONFIG_SQUASHFS=m
-CONFIG_SQUASHFS_LZO=y
-CONFIG_SQUASHFS_XZ=y
-CONFIG_NFS_FS=m
-CONFIG_NFS_V3_ACL=y
-CONFIG_NFS_V4=m
-CONFIG_NFS_V4_1=y
-CONFIG_NFS_V4_2=y
-CONFIG_NFSD=m
-CONFIG_NFSD_V3_ACL=y
-CONFIG_NFSD_V4=y
-CONFIG_SUNRPC_DEBUG=y
-CONFIG_CEPH_FS=m
-CONFIG_CIFS=m
-CONFIG_CIFS_STATS=y
-CONFIG_CIFS_STATS2=y
-CONFIG_CIFS_WEAK_PW_HASH=y
-CONFIG_CIFS_UPCALL=y
-CONFIG_CIFS_XATTR=y
-CONFIG_CIFS_POSIX=y
-CONFIG_CIFS_ACL=y
-CONFIG_CIFS_DFS_UPCALL=y
-CONFIG_CIFS_SMB2=y
-CONFIG_9P_FS=m
-CONFIG_9P_FS_POSIX_ACL=y
-CONFIG_NLS_DEFAULT="utf8"
-CONFIG_NLS_CODEPAGE_437=m
-CONFIG_NLS_ASCII=m
-CONFIG_NLS_UTF8=m
-CONFIG_PRINTK_TIME=y
-CONFIG_BOOT_PRINTK_DELAY=y
-CONFIG_DYNAMIC_DEBUG=y
-CONFIG_DEBUG_INFO=y
-# CONFIG_ENABLE_WARN_DEPRECATED is not set
-CONFIG_STRIP_ASM_SYMS=y
-CONFIG_MAGIC_SYSRQ=y
-CONFIG_DEBUG_STACKOVERFLOW=y
-CONFIG_DEBUG_SHIRQ=y
-CONFIG_LOCKUP_DETECTOR=y
-CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
-CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
-CONFIG_PANIC_ON_OOPS=y
-CONFIG_PANIC_TIMEOUT=60
-CONFIG_SCHED_STACK_END_CHECK=y
-CONFIG_TIMER_STATS=y
-CONFIG_RCU_CPU_STALL_TIMEOUT=60
-# CONFIG_RCU_CPU_STALL_INFO is not set
-CONFIG_LATENCYTOP=y
-CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y
-CONFIG_SCHED_TRACER=y
-CONFIG_FTRACE_SYSCALLS=y
-CONFIG_STACK_TRACER=y
-CONFIG_BLK_DEV_IO_TRACE=y
-CONFIG_UPROBE_EVENT=y
-CONFIG_FUNCTION_PROFILER=y
-CONFIG_STRICT_DEVMEM=y
-CONFIG_DEBUG_SET_MODULE_RONX=y
-CONFIG_DEBUG_BOOT_PARAMS=y
-CONFIG_OPTIMIZE_INLINING=y
-CONFIG_TRUSTED_KEYS=m
-CONFIG_ENCRYPTED_KEYS=m
-CONFIG_SECURITY=y
-CONFIG_SECURITY_NETWORK=y
-CONFIG_SECURITY_NETWORK_XFRM=y
-CONFIG_SECURITY_SELINUX=y
-CONFIG_SECURITY_SELINUX_BOOTPARAM=y
-CONFIG_SECURITY_SELINUX_DISABLE=y
-# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
-CONFIG_CRYPTO_CRC32C_INTEL=m
-CONFIG_CRYPTO_SHA1_SSSE3=m
-CONFIG_CRYPTO_SHA256_SSSE3=m
-CONFIG_CRYPTO_AES_NI_INTEL=m
-# CONFIG_CRYPTO_ANSI_CPRNG is not set
-CONFIG_CRYPTO_USER_API_HASH=m
-CONFIG_CRYPTO_USER_API_SKCIPHER=m
-CONFIG_PKCS7_MESSAGE_PARSER=y
-CONFIG_SIGNED_PE_FILE_VERIFICATION=y
-CONFIG_KVM=m
-CONFIG_KVM_INTEL=m
-CONFIG_KVM_AMD=m
-# CONFIG_XZ_DEC_POWERPC is not set
-# CONFIG_XZ_DEC_IA64 is not set
-# CONFIG_XZ_DEC_ARM is not set
-# CONFIG_XZ_DEC_ARMTHUMB is not set
-# CONFIG_XZ_DEC_SPARC is not set
-CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.0

@@ -1,201 +0,0 @@
-# CONFIG_LOCALVERSION_AUTO is not set
-CONFIG_SYSVIPC=y
-CONFIG_POSIX_MQUEUE=y
-CONFIG_FHANDLE=y
-CONFIG_AUDIT=y
-CONFIG_NO_HZ_IDLE=y
-CONFIG_HIGH_RES_TIMERS=y
-CONFIG_BSD_PROCESS_ACCT=y
-CONFIG_BSD_PROCESS_ACCT_V3=y
-CONFIG_TASKSTATS=y
-CONFIG_TASK_DELAY_ACCT=y
-CONFIG_TASK_XACCT=y
-CONFIG_TASK_IO_ACCOUNTING=y
-CONFIG_IKCONFIG=y
-CONFIG_IKCONFIG_PROC=y
-CONFIG_LOG_BUF_SHIFT=14
-CONFIG_CGROUP_FREEZER=y
-CONFIG_CGROUP_DEVICE=y
-CONFIG_CPUSETS=y
-# CONFIG_PROC_PID_CPUSET is not set
-CONFIG_CGROUP_CPUACCT=y
-CONFIG_MEMCG=y
-CONFIG_MEMCG_SWAP=y
-CONFIG_MEMCG_KMEM=y
-CONFIG_CGROUP_HUGETLB=y
-CONFIG_CGROUP_PERF=y
-CONFIG_CFS_BANDWIDTH=y
-CONFIG_USER_NS=y
-CONFIG_SCHED_AUTOGROUP=y
-CONFIG_BLK_DEV_INITRD=y
-CONFIG_KALLSYMS_ALL=y
-# CONFIG_COMPAT_BRK is not set
-CONFIG_PROFILING=y
-CONFIG_JUMP_LABEL=y
-CONFIG_MODULES=y
-CONFIG_MODULE_UNLOAD=y
-# CONFIG_IOSCHED_DEADLINE is not set
-CONFIG_ARCH_FSL_LS2085A=y
-CONFIG_ARCH_MEDIATEK=y
-CONFIG_ARCH_THUNDER=y
-CONFIG_ARCH_VEXPRESS=y
-CONFIG_ARCH_XGENE=y
-CONFIG_PCI=y
-CONFIG_PCI_MSI=y
-CONFIG_PCI_XGENE=y
-CONFIG_SMP=y
-CONFIG_PREEMPT=y
-CONFIG_KSM=y
-CONFIG_TRANSPARENT_HUGEPAGE=y
-CONFIG_CMA=y
-CONFIG_SECCOMP=y
-CONFIG_KEXEC=y
-CONFIG_CMDLINE="console=ttyAMA0"
-# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
-CONFIG_COMPAT=y
-CONFIG_CPU_IDLE=y
-CONFIG_ARM64_CPUIDLE=y
-CONFIG_NET=y
-CONFIG_PACKET=y
-CONFIG_UNIX=y
-CONFIG_INET=y
-CONFIG_IP_PNP=y
-CONFIG_IP_PNP_DHCP=y
-CONFIG_IP_PNP_BOOTP=y
-# CONFIG_INET_LRO is not set
-CONFIG_IPV6=y
-CONFIG_NETFILTER=y
-CONFIG_BRIDGE_NETFILTER=y
-CONFIG_NF_CONNTRACK=y
-CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
-CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
-CONFIG_NF_CONNTRACK_IPV4=y
-# CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
-CONFIG_IP_NF_IPTABLES=y
-CONFIG_IP_NF_FILTER=y
-CONFIG_IP_NF_NAT=y
-CONFIG_IP_NF_TARGET_MASQUERADE=y
-CONFIG_BRIDGE=y
-CONFIG_BPF_JIT=y
-# CONFIG_WIRELESS is not set
-CONFIG_NET_9P=y
-CONFIG_NET_9P_VIRTIO=y
-CONFIG_DEVTMPFS=y
-CONFIG_DEVTMPFS_MOUNT=y
-CONFIG_DMA_CMA=y
-CONFIG_BLK_DEV_LOOP=y
-CONFIG_VIRTIO_BLK=y
-# CONFIG_SCSI_PROC_FS is not set
-CONFIG_BLK_DEV_SD=y
-# CONFIG_SCSI_LOWLEVEL is not set
-CONFIG_ATA=y
-CONFIG_SATA_AHCI=y
-CONFIG_SATA_AHCI_PLATFORM=y
-CONFIG_AHCI_XGENE=y
-CONFIG_PATA_PLATFORM=y
-CONFIG_PATA_OF_PLATFORM=y
-CONFIG_MD=y
-CONFIG_BLK_DEV_DM=y
-CONFIG_DM_DEBUG=y
-CONFIG_DM_THIN_PROVISIONING=y
-CONFIG_NETDEVICES=y
-CONFIG_MACVLAN=y
-CONFIG_MACVTAP=y
-CONFIG_TUN=y
-CONFIG_VETH=y
-CONFIG_VIRTIO_NET=y
-CONFIG_NET_XGENE=y
-CONFIG_SMC91X=y
-CONFIG_SMSC911X=y
-# CONFIG_WLAN is not set
-CONFIG_INPUT_EVDEV=y
-# CONFIG_SERIO_SERPORT is not set
-CONFIG_SERIO_AMBAKMI=y
-CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
-CONFIG_LEGACY_PTY_COUNT=16
-CONFIG_SERIAL_8250=y
-CONFIG_SERIAL_8250_CONSOLE=y
-CONFIG_SERIAL_8250_MT6577=y
-CONFIG_SERIAL_AMBA_PL011=y
-CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
-CONFIG_SERIAL_OF_PLATFORM=y
-CONFIG_VIRTIO_CONSOLE=y
-# CONFIG_HW_RANDOM is not set
-CONFIG_SPI=y
-CONFIG_SPI_PL022=y
-CONFIG_GPIO_PL061=y
-CONFIG_GPIO_XGENE=y
-# CONFIG_HWMON is not set
-CONFIG_REGULATOR=y
-CONFIG_REGULATOR_FIXED_VOLTAGE=y
-CONFIG_FB=y
-CONFIG_FB_ARMCLCD=y
-CONFIG_FRAMEBUFFER_CONSOLE=y
-CONFIG_LOGO=y
-# CONFIG_LOGO_LINUX_MONO is not set
-# CONFIG_LOGO_LINUX_VGA16 is not set
-CONFIG_USB=y
-CONFIG_USB_EHCI_HCD=y
-CONFIG_USB_EHCI_HCD_PLATFORM=y
-CONFIG_USB_OHCI_HCD=y
-CONFIG_USB_OHCI_HCD_PLATFORM=y
-CONFIG_USB_STORAGE=y
-CONFIG_USB_ULPI=y
-CONFIG_MMC=y
-CONFIG_MMC_ARMMMCI=y
-CONFIG_MMC_SDHCI=y
-CONFIG_MMC_SDHCI_PLTFM=y
-CONFIG_MMC_SPI=y
-CONFIG_RTC_CLASS=y
-CONFIG_RTC_DRV_EFI=y
-CONFIG_RTC_DRV_XGENE=y
-CONFIG_VIRTIO_BALLOON=y
-CONFIG_VIRTIO_MMIO=y
-# CONFIG_IOMMU_SUPPORT is not set
-CONFIG_PHY_XGENE=y
-CONFIG_EXT2_FS=y
-CONFIG_EXT3_FS=y
-# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
-# CONFIG_EXT3_FS_XATTR is not set
-CONFIG_EXT4_FS=y
-CONFIG_EXT4_FS_POSIX_ACL=y
-CONFIG_EXT4_FS_SECURITY=y
-CONFIG_BTRFS_FS=y
-CONFIG_BTRFS_FS_POSIX_ACL=y
-CONFIG_FANOTIFY=y
-CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
-CONFIG_QUOTA=y
-CONFIG_AUTOFS4_FS=y
-CONFIG_FUSE_FS=y
-CONFIG_CUSE=y
-CONFIG_OVERLAY_FS=y
-CONFIG_VFAT_FS=y
-CONFIG_TMPFS=y
-CONFIG_TMPFS_POSIX_ACL=y
-CONFIG_HUGETLBFS=y
-CONFIG_EFIVAR_FS=y
-# CONFIG_MISC_FILESYSTEMS is not set
-CONFIG_NFS_FS=y
-CONFIG_ROOT_NFS=y
-CONFIG_9P_FS=y
-CONFIG_NLS_CODEPAGE_437=y
-CONFIG_NLS_ISO8859_1=y
-CONFIG_VIRTUALIZATION=y
-CONFIG_DEBUG_INFO=y
-CONFIG_DEBUG_FS=y
-CONFIG_MAGIC_SYSRQ=y
-CONFIG_DEBUG_KERNEL=y
-CONFIG_LOCKUP_DETECTOR=y
-CONFIG_SCHEDSTATS=y
-# CONFIG_DEBUG_PREEMPT is not set
-# CONFIG_FTRACE is not set
-CONFIG_KEYS=y
-CONFIG_SECURITY=y
-CONFIG_CRYPTO_ANSI_CPRNG=y
-CONFIG_ARM64_CRYPTO=y
-CONFIG_CRYPTO_SHA1_ARM64_CE=y
-CONFIG_CRYPTO_SHA2_ARM64_CE=y
-CONFIG_CRYPTO_GHASH_ARM64_CE=y
-CONFIG_CRYPTO_AES_ARM64_CE_CCM=y
-CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
-CONFIG_CRYPTO_AES_ARM64_NEON_BLK=y

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.0.9.ebuild

@@ -1,29 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-UNIPATCH_LIST="${PATCH_DIR}/01-Add-secure_modules-call.patch \
-${PATCH_DIR}/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
-${PATCH_DIR}/03-x86-Lock-down-IO-port-access-when-module-security-is.patch \
-${PATCH_DIR}/04-ACPI-Limit-access-to-custom_method.patch \
-${PATCH_DIR}/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
-${PATCH_DIR}/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
-${PATCH_DIR}/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
-${PATCH_DIR}/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
-${PATCH_DIR}/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
-${PATCH_DIR}/10-Add-option-to-automatically-enforce-module-signature.patch \
-${PATCH_DIR}/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
-${PATCH_DIR}/13-efi-Add-EFI_SECURE_BOOT-bit.patch \
-${PATCH_DIR}/14-hibernate-Disable-in-a-signed-modules-environment.patch"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/01-Add-secure_modules-call.patch

@@ -1,60 +0,0 @@
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH] Add secure_modules() call
-
-Provide a single call to allow kernel code to determine whether the system
-has been configured to either disable module loading entirely or to load
-only modules signed with a trusted key.
-
-Bugzilla: N/A
-Upstream-status: Fedora mustard.  Replaced by securelevels, but that was nak'd
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- include/linux/module.h |  7 +++++++
- kernel/module.c        | 10 ++++++++++
- 2 files changed, 17 insertions(+)
-
-diff --git a/include/linux/module.h b/include/linux/module.h
-index b03485bcb82a..b033dab5c8bf 100644
---- a/include/linux/module.h
-+++ b/include/linux/module.h
-@@ -506,6 +506,8 @@ int unregister_module_notifier(struct notifier_block *nb);
- 
- extern void print_modules(void);
- 
-+extern bool secure_modules(void);
-+
- #else /* !CONFIG_MODULES... */
- 
- /* Given an address, look for it in the exception tables. */
-@@ -616,6 +618,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb)
- static inline void print_modules(void)
- {
- }
-+
-+static inline bool secure_modules(void)
-+{
-+	return false;
-+}
- #endif /* CONFIG_MODULES */
- 
- #ifdef CONFIG_SYSFS
-diff --git a/kernel/module.c b/kernel/module.c
-index 538794ce3cc7..f3489ef9e409 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -3911,3 +3911,13 @@ void module_layout(struct module *mod,
- }
- EXPORT_SYMBOL(module_layout);
- #endif
-+
-+bool secure_modules(void)
-+{
-+#ifdef CONFIG_MODULE_SIG
-+	return (sig_enforce || modules_disabled);
-+#else
-+	return modules_disabled;
-+#endif
-+}
-+EXPORT_SYMBOL(secure_modules);

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch

@@ -1,113 +0,0 @@
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH] PCI: Lock down BAR access when module security is enabled
-
-Any hardware that can potentially generate DMA has to be locked down from
-userspace in order to avoid it being possible for an attacker to modify
-kernel code, allowing them to circumvent disabled module loading or module
-signing. Default to paranoid - in future we can potentially relax this for
-sufficiently IOMMU-isolated devices.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- drivers/pci/pci-sysfs.c | 10 ++++++++++
- drivers/pci/proc.c      |  8 +++++++-
- drivers/pci/syscall.c   |  3 ++-
- 3 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 312f23a8429c..93e6ac103dd0 100644
---- a/drivers/pci/pci-sysfs.c
-+++ b/drivers/pci/pci-sysfs.c
-@@ -30,6 +30,7 @@
- #include <linux/vgaarb.h>
- #include <linux/pm_runtime.h>
- #include <linux/of.h>
-+#include <linux/module.h>
- #include "pci.h"
- 
- static int sysfs_initialized;	/* = 0 */
-@@ -710,6 +711,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
- 	loff_t init_off = off;
- 	u8 *data = (u8 *) buf;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	if (off > dev->cfg_size)
- 		return 0;
- 	if (off + count > dev->cfg_size) {
-@@ -1004,6 +1008,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
- 	resource_size_t start, end;
- 	int i;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	for (i = 0; i < PCI_ROM_RESOURCE; i++)
- 		if (res == &pdev->resource[i])
- 			break;
-@@ -1105,6 +1112,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
- 				     struct bin_attribute *attr, char *buf,
- 				     loff_t off, size_t count)
- {
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
- }
- 
-diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index 3f155e78513f..4265ea07e3b0 100644
---- a/drivers/pci/proc.c
-+++ b/drivers/pci/proc.c
-@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
- 	int size = dev->cfg_size;
- 	int cnt;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	if (pos >= size)
- 		return 0;
- 	if (nbytes >= size)
-@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
- #endif /* HAVE_PCI_MMAP */
- 	int ret = 0;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	switch (cmd) {
- 	case PCIIOC_CONTROLLER:
- 		ret = pci_domain_nr(dev->bus);
-@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
- 	struct pci_filp_private *fpriv = file->private_data;
- 	int i, ret;
- 
--	if (!capable(CAP_SYS_RAWIO))
-+	if (!capable(CAP_SYS_RAWIO) || secure_modules())
- 		return -EPERM;
- 
- 	/* Make sure the caller is mapping a real resource for this device */
-diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index b91c4da68365..98f5637304d1 100644
---- a/drivers/pci/syscall.c
-+++ b/drivers/pci/syscall.c
-@@ -10,6 +10,7 @@
- #include <linux/errno.h>
- #include <linux/pci.h>
- #include <linux/syscalls.h>
-+#include <linux/module.h>
- #include <asm/uaccess.h>
- #include "pci.h"
- 
-@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
- 	u32 dword;
- 	int err = 0;
- 
--	if (!capable(CAP_SYS_ADMIN))
-+	if (!capable(CAP_SYS_ADMIN) || secure_modules())
- 		return -EPERM;
- 
- 	dev = pci_get_bus_and_slot(bus, dfn);

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/03-x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -1,67 +0,0 @@
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH] x86: Lock down IO port access when module security is enabled
-
-IO port access would permit users to gain access to PCI configuration
-registers, which in turn (on a lot of hardware) give access to MMIO register
-space. This would potentially permit root to trigger arbitrary DMA, so lock
-it down by default.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- arch/x86/kernel/ioport.c | 5 +++--
- drivers/char/mem.c       | 4 ++++
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
-index 4ddaf66ea35f..00b440307419 100644
---- a/arch/x86/kernel/ioport.c
-+++ b/arch/x86/kernel/ioport.c
-@@ -15,6 +15,7 @@
- #include <linux/thread_info.h>
- #include <linux/syscalls.h>
- #include <linux/bitmap.h>
-+#include <linux/module.h>
- #include <asm/syscalls.h>
- 
- /*
-@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
- 
- 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
- 		return -EINVAL;
--	if (turn_on && !capable(CAP_SYS_RAWIO))
-+	if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
- 		return -EPERM;
- 
- 	/*
-@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
- 		return -EINVAL;
- 	/* Trying to gain more privileges? */
- 	if (level > old) {
--		if (!capable(CAP_SYS_RAWIO))
-+		if (!capable(CAP_SYS_RAWIO) || secure_modules())
- 			return -EPERM;
- 	}
- 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 297110c12635..efe38c1bc234 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -27,6 +27,7 @@
- #include <linux/export.h>
- #include <linux/io.h>
- #include <linux/aio.h>
-+#include <linux/module.h>
- 
- #include <linux/uaccess.h>
- 
-@@ -577,6 +578,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
- 	unsigned long i = *ppos;
- 	const char __user *tmp = buf;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	if (!access_ok(VERIFY_READ, buf, count))
- 		return -EFAULT;
- 	while (count-- > 0 && i < 65536) {

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/04-ACPI-Limit-access-to-custom_method.patch

@@ -1,27 +0,0 @@
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH] ACPI: Limit access to custom_method
-
-custom_method effectively allows arbitrary access to system memory, making
-it possible for an attacker to circumvent restrictions on module loading.
-Disable it if any such restrictions have been enabled.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- drivers/acpi/custom_method.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index c68e72414a67..4277938af700 100644
---- a/drivers/acpi/custom_method.c
-+++ b/drivers/acpi/custom_method.c
-@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
- 	struct acpi_table_header table;
- 	acpi_status status;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	if (!(*ppos)) {
- 		/* parse the table header to get the table length */
- 		if (count <= sizeof(struct acpi_table_header))

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch

@@ -1,50 +0,0 @@
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH] asus-wmi: Restrict debugfs interface when module loading is
- restricted
-
-We have no way of validating what all of the Asus WMI methods do on a
-given machine, and there's a risk that some will allow hardware state to
-be manipulated in such a way that arbitrary code can be executed in the
-kernel, circumventing module loading restrictions. Prevent that if any of
-these features are enabled.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- drivers/platform/x86/asus-wmi.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index 7543a56e0f45..93b5a6998371 100644
---- a/drivers/platform/x86/asus-wmi.c
-+++ b/drivers/platform/x86/asus-wmi.c
-@@ -1589,6 +1589,9 @@ static int show_dsts(struct seq_file *m, void *data)
- 	int err;
- 	u32 retval = -1;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
- 
- 	if (err < 0)
-@@ -1605,6 +1608,9 @@ static int show_devs(struct seq_file *m, void *data)
- 	int err;
- 	u32 retval = -1;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
- 				    &retval);
- 
-@@ -1629,6 +1635,9 @@ static int show_call(struct seq_file *m, void *data)
- 	union acpi_object *obj;
- 	acpi_status status;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
- 				     1, asus->debug.method_id,
- 				     &input, &output);

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -1,38 +0,0 @@
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
- restricted
-
-Allowing users to write to address space makes it possible for the kernel
-to be subverted, avoiding module loading restrictions. Prevent this when
-any restrictions have been imposed on loading modules.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- drivers/char/mem.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index efe38c1bc234..16b8af1188e1 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -167,6 +167,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
- 	if (p != *ppos)
- 		return -EFBIG;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	if (!valid_phys_addr_range(p, count))
- 		return -EFAULT;
- 
-@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
- 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
- 	int err = 0;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	if (p < (unsigned long) high_memory) {
- 		unsigned long to_write = min_t(unsigned long, count,
- 					       (unsigned long)high_memory - p);

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch

@@ -1,35 +0,0 @@
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH] acpi: Ignore acpi_rsdp kernel parameter when module loading
- is restricted
-
-This option allows userspace to pass the RSDP address to the kernel, which
-makes it possible for a user to circumvent any restrictions imposed on
-loading modules. Disable it in that case.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- drivers/acpi/osl.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 5aa1f6e281d2..58ae459937a4 100644
---- a/drivers/acpi/osl.c
-+++ b/drivers/acpi/osl.c
-@@ -44,6 +44,7 @@
- #include <linux/list.h>
- #include <linux/jiffies.h>
- #include <linux/semaphore.h>
-+#include <linux/module.h>
- 
- #include <asm/io.h>
- #include <asm/uaccess.h>
-@@ -252,7 +253,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
- acpi_physical_address __init acpi_os_get_root_pointer(void)
- {
- #ifdef CONFIG_KEXEC
--	if (acpi_rsdp)
-+	if (acpi_rsdp && !secure_modules())
- 		return acpi_rsdp;
- #endif
- 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -1,40 +0,0 @@
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Aug 2013 03:33:56 -0400
-Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
- loading restrictions
-
-kexec permits the loading and execution of arbitrary code in ring 0, which
-is something that module signing enforcement is meant to prevent. It makes
-sense to disable kexec in this situation.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- kernel/kexec.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 38c25b1f2fd5..f2b5272156ce 100644
---- a/kernel/kexec.c
-+++ b/kernel/kexec.c
-@@ -36,6 +36,7 @@
- #include <linux/syscore_ops.h>
- #include <linux/compiler.h>
- #include <linux/hugetlb.h>
-+#include <linux/module.h>
- 
- #include <asm/page.h>
- #include <asm/uaccess.h>
-@@ -1247,6 +1248,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
- 		return -EPERM;
- 
- 	/*
-+	 * kexec can be used to circumvent module loading restrictions, so
-+	 * prevent loading in that case
-+	 */
-+	if (secure_modules())
-+		return -EPERM;
-+
-+	/*
- 	 * Verify we have a legal set of flags
- 	 * This leaves us room for future extensions.
- 	 */

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch

@@ -1,39 +0,0 @@
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH] x86: Restrict MSR access when module loading is restricted
-
-Writing to MSRs should not be allowed if module loading is restricted,
-since it could lead to execution of arbitrary code in kernel mode. Based
-on a patch by Kees Cook.
-
-Cc: Kees Cook <keescook@chromium.org>
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- arch/x86/kernel/msr.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 113e70784854..26c2f83fc470 100644
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -105,6 +105,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
- 	int err = 0;
- 	ssize_t bytes = 0;
- 
-+	if (secure_modules())
-+		return -EPERM;
-+
- 	if (count % 8)
- 		return -EINVAL;	/* Invalid chunk size */
- 
-@@ -152,6 +155,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
- 			err = -EBADF;
- 			break;
- 		}
-+		if (secure_modules()) {
-+			err = -EPERM;
-+			break;
-+		}
- 		if (copy_from_user(&regs, uregs, sizeof regs)) {
- 			err = -EFAULT;
- 			break;

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/10-Add-option-to-automatically-enforce-module-signature.patch

@@ -1,182 +0,0 @@
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH] Add option to automatically enforce module signatures when in
- Secure Boot mode
-
-UEFI Secure Boot provides a mechanism for ensuring that the firmware will
-only load signed bootloaders and kernels. Certain use cases may also
-require that all kernel modules also be signed. Add a configuration option
-that enforces this automatically when enabled.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- Documentation/x86/zero-page.txt       |  2 ++
- arch/x86/Kconfig                      | 10 ++++++++++
- arch/x86/boot/compressed/eboot.c      | 36 +++++++++++++++++++++++++++++++++++
- arch/x86/include/uapi/asm/bootparam.h |  3 ++-
- arch/x86/kernel/setup.c               |  6 ++++++
- include/linux/module.h                |  6 ++++++
- kernel/module.c                       |  7 +++++++
- 7 files changed, 69 insertions(+), 1 deletion(-)
-
-diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
-index 82fbdbc1e0b0..a811210ad486 100644
---- a/Documentation/x86/zero-page.txt
-+++ b/Documentation/x86/zero-page.txt
-@@ -30,6 +30,8 @@ Offset	Proto	Name		Meaning
- 1E9/001	ALL	eddbuf_entries	Number of entries in eddbuf (below)
- 1EA/001	ALL	edd_mbr_sig_buf_entries	Number of entries in edd_mbr_sig_buffer
- 				(below)
-+1EB/001	ALL     kbd_status      Numlock is enabled
-+1EC/001	ALL     secure_boot	Secure boot is enabled in the firmware
- 1EF/001	ALL	sentinel	Used to detect broken bootloaders
- 290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
- 2D0/A00	ALL	e820_map	E820 memory map table
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index b7d31ca55187..ab403a636357 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -1695,6 +1695,16 @@ config EFI_MIXED
- 
- 	   If unsure, say N.
- 
-+config EFI_SECURE_BOOT_SIG_ENFORCE
-+        def_bool n
-+	prompt "Force module signing when UEFI Secure Boot is enabled"
-+	---help---
-+	  UEFI Secure Boot provides a mechanism for ensuring that the
-+	  firmware will only load signed bootloaders and kernels. Certain
-+	  use cases may also require that all kernel modules also be signed.
-+	  Say Y here to automatically enable module signature enforcement
-+	  when a system boots with UEFI Secure Boot enabled.
-+
- config SECCOMP
- 	def_bool y
- 	prompt "Enable seccomp to safely compute untrusted bytecode"
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index ef17683484e9..105e7360d747 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -12,6 +12,7 @@
- #include <asm/efi.h>
- #include <asm/setup.h>
- #include <asm/desc.h>
-+#include <asm/bootparam_utils.h>
- 
- #include "../string.h"
- #include "eboot.h"
-@@ -827,6 +828,37 @@ out:
- 	return status;
- }
- 
-+static int get_secure_boot(void)
-+{
-+	u8 sb, setup;
-+	unsigned long datasize = sizeof(sb);
-+	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
-+	efi_status_t status;
-+
-+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
-+				L"SecureBoot", &var_guid, NULL, &datasize, &sb);
-+
-+	if (status != EFI_SUCCESS)
-+		return 0;
-+
-+	if (sb == 0)
-+		return 0;
-+
-+
-+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
-+				L"SetupMode", &var_guid, NULL, &datasize,
-+				&setup);
-+
-+	if (status != EFI_SUCCESS)
-+		return 0;
-+
-+	if (setup == 1)
-+		return 0;
-+
-+	return 1;
-+}
-+
-+
- /*
-  * See if we have Graphics Output Protocol
-  */
-@@ -1406,6 +1438,10 @@ struct boot_params *efi_main(struct efi_config *c,
- 	else
- 		setup_boot_services32(efi_early);
- 
-+	sanitize_boot_params(boot_params);
-+
-+	boot_params->secure_boot = get_secure_boot();
-+
- 	setup_graphics(boot_params);
- 
- 	setup_efi_pci(boot_params);
-diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index 225b0988043a..90dbfb73e11f 100644
---- a/arch/x86/include/uapi/asm/bootparam.h
-+++ b/arch/x86/include/uapi/asm/bootparam.h
-@@ -133,7 +133,8 @@ struct boot_params {
- 	__u8  eddbuf_entries;				/* 0x1e9 */
- 	__u8  edd_mbr_sig_buf_entries;			/* 0x1ea */
- 	__u8  kbd_status;				/* 0x1eb */
--	__u8  _pad5[3];					/* 0x1ec */
-+	__u8  secure_boot;				/* 0x1ec */
-+	__u8  _pad5[2];					/* 0x1ed */
- 	/*
- 	 * The sentinel is set to a nonzero value (0xff) in header.S.
- 	 *
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 0a2421cca01f..a3d8174dedf9 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -1151,6 +1151,12 @@ void __init setup_arch(char **cmdline_p)
- 
- 	io_delay_init();
- 
-+#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
-+	if (boot_params.secure_boot) {
-+		enforce_signed_modules();
-+	}
-+#endif
-+
- 	/*
- 	 * Parse the ACPI tables for possible boot-time SMP configuration.
- 	 */
-diff --git a/include/linux/module.h b/include/linux/module.h
-index b033dab5c8bf..f526b6e02f59 100644
---- a/include/linux/module.h
-+++ b/include/linux/module.h
-@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
- 
- struct notifier_block;
- 
-+#ifdef CONFIG_MODULE_SIG
-+extern void enforce_signed_modules(void);
-+#else
-+static inline void enforce_signed_modules(void) {};
-+#endif
-+
- #ifdef CONFIG_MODULES
- 
- extern int modules_disabled; /* for sysctl */
-diff --git a/kernel/module.c b/kernel/module.c
-index f3489ef9e409..3bb7c01b3c9f 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -3912,6 +3912,13 @@ void module_layout(struct module *mod,
- EXPORT_SYMBOL(module_layout);
- #endif
- 
-+#ifdef CONFIG_MODULE_SIG
-+void enforce_signed_modules(void)
-+{
-+	sig_enforce = true;
-+}
-+#endif
-+
- bool secure_modules(void)
- {
- #ifdef CONFIG_MODULE_SIG

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch

@@ -1,54 +0,0 @@
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
-
-A user can manually tell the shim boot loader to disable validation of
-images it loads.  When a user does this, it creates a UEFI variable called
-MokSBState that does not have the runtime attribute set.  Given that the
-user explicitly disabled validation, we can honor that and not enable
-secure boot mode if that variable is set.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
----
- arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
- 1 file changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 105e7360d747..83fc4e9888ee 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -830,8 +830,9 @@ out:
- 
- static int get_secure_boot(void)
- {
--	u8 sb, setup;
-+	u8 sb, setup, moksbstate;
- 	unsigned long datasize = sizeof(sb);
-+	u32 attr;
- 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
- 	efi_status_t status;
- 
-@@ -855,6 +856,23 @@ static int get_secure_boot(void)
- 	if (setup == 1)
- 		return 0;
- 
-+	/* See if a user has put shim into insecure_mode.  If so, and the variable
-+	 * doesn't have the runtime attribute set, we might as well honor that.
-+	 */
-+	var_guid = EFI_SHIM_LOCK_GUID;
-+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
-+				L"MokSBState", &var_guid, &attr, &datasize,
-+				&moksbstate);
-+
-+	/* If it fails, we don't care why.  Default to secure */
-+	if (status != EFI_SUCCESS)
-+		return 1;
-+
-+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
-+		if (moksbstate == 1)
-+			return 0;
-+	}
-+
- 	return 1;
- }
- 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch

@@ -1,26 +0,0 @@
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
-
-The functionality of the config option is dependent upon the platform being
-UEFI based.  Reflect this in the config deps.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
----
- arch/x86/Kconfig | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index ab403a636357..5dac78119fa7 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -1696,7 +1696,8 @@ config EFI_MIXED
- 	   If unsure, say N.
- 
- config EFI_SECURE_BOOT_SIG_ENFORCE
--        def_bool n
-+	def_bool n
-+	depends on EFI
- 	prompt "Force module signing when UEFI Secure Boot is enabled"
- 	---help---
- 	  UEFI Secure Boot provides a mechanism for ensuring that the

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/13-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,39 +0,0 @@
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH] efi: Add EFI_SECURE_BOOT bit
-
-UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
-for use with efi_enabled.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
----
- arch/x86/kernel/setup.c | 2 ++
- include/linux/efi.h     | 1 +
- 2 files changed, 3 insertions(+)
-
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index a3d8174dedf9..26c5d54124c1 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -1153,7 +1153,9 @@ void __init setup_arch(char **cmdline_p)
- 
- #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
- 	if (boot_params.secure_boot) {
-+		set_bit(EFI_SECURE_BOOT, &efi.flags);
- 		enforce_signed_modules();
-+		pr_info("Secure boot enabled\n");
- 	}
- #endif
- 
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index cf7e431cbc73..c74cbd892032 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -942,6 +942,7 @@ extern int __init efi_setup_pcdp_console(char *);
- #define EFI_64BIT		5	/* Is the firmware 64-bit? */
- #define EFI_PARAVIRT		6	/* Access is via a paravirt interface */
- #define EFI_ARCH_1		7	/* First arch-specific bit */
-+#define EFI_SECURE_BOOT		8	/* Are we in Secure Boot mode? */
- 
- #ifdef CONFIG_EFI
- /*

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.0/14-hibernate-Disable-in-a-signed-modules-environment.patch

@@ -1,35 +0,0 @@
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH] hibernate: Disable in a signed modules environment
-
-There is currently no way to verify the resume image when returning
-from hibernate.  This might compromise the signed modules trust model,
-so until we can work with signed hibernate images we disable it in
-a secure modules environment.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
----
- kernel/power/hibernate.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index 2329daae5255..48a8e82c7e2e 100644
---- a/kernel/power/hibernate.c
-+++ b/kernel/power/hibernate.c
-@@ -29,6 +29,7 @@
- #include <linux/ctype.h>
- #include <linux/genhd.h>
- #include <linux/ktime.h>
-+#include <linux/module.h>
- #include <trace/events/power.h>
- 
- #include "power.h"
-@@ -66,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
- 
- bool hibernation_available(void)
- {
--	return (nohibernate == 0);
-+	return ((nohibernate == 0) && !secure_modules());
- }
- 
- /**