diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass index a6d5542081..2703345e0c 100644 --- a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass +++ b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass @@ -8,7 +8,7 @@ : ${COREOS_SOURCE_REVISION:=} COREOS_SOURCE_VERSION="${PV}${COREOS_SOURCE_REVISION}" -COREOS_SOURCE_NAME="linux-${PV}-coreos${COREOS_SOURCE_REVISION}" +COREOS_SOURCE_NAME="linux-${PV/_rc/-rc}-coreos${COREOS_SOURCE_REVISION}" [[ ${EAPI} != "5" ]] && die "Only EAPI=5 is supported" @@ -40,11 +40,12 @@ KERNEL_DIR="${SYSROOT}/usr/src/${COREOS_SOURCE_NAME}" # - amd64_defconfig-3.12.4 # - amd64_defconfig-3.12 # - amd64_defconfig +# and similarly for _rcN releases. # The first matching config is used, die otherwise. find_config() { local base_path="${FILESDIR}/${1}" local try_suffix try_path - for try_suffix in "-${PVR}" "-${PV}" "-${PV%.*}" ""; do + for try_suffix in "-${PVR}" "-${PV}" "-${PV%[._]*}" ""; do try_path="${base_path}${try_suffix}" if [[ -f "${try_path}" ]]; then echo "${try_path}" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.8-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13_rc6.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.8-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13_rc6.ebuild 
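Review bot: The first hunk rewrites `_rc` to `-rc` in COREOS_SOURCE_NAME but leaves COREOS_SOURCE_VERSION on the raw `${PV}`, and nothing in the eclass says the asymmetry is deliberate. KERNEL_DIR (visible in the second hunk's header) is built from COREOS_SOURCE_NAME, so the name presumably has to match the directory the sources package installs, while the version string presumably has to stay in Portage form. A later cleanup could easily "fix" one to match the other and only find out at build time. I would add a comment above the assignment, for example `# Source tree uses upstream's "-rcN" spelling; PV and COREOS_SOURCE_VERSION keep Portage's "_rcN".`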
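Review bot: The added comment line `# and similarly for _rcN releases.` in the second hunk does not say which file names are actually tried, and the new pattern `${PV%[._]*}` is terse enough that a reader has to work it out. For an rc version the suffix list appears to reduce to the full PV and then the `L.M` series, so I would spell that out, e.g. `# For 4.13_rc6: amd64_defconfig-4.13_rc6, then amd64_defconfig-4.13, then amd64_defconfig.` The body of find_config continues past the end of the hunk.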
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.8-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13_rc6.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.8-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13_rc6.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.13
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.12
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.13
index c7353b4b84..9bdb2ca11d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.12
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.13
@@ -146,6 +146,7 @@ CONFIG_IRQ_REMAP=y
 CONFIG_DELL_RBU=m
 CONFIG_DCDBAS=m
 CONFIG_DEBUG_STACKOVERFLOW=y
+CONFIG_HARDLOCKUP_DETECTOR=y
 CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
 CONFIG_SCHED_TRACER=y
 CONFIG_FTRACE_SYSCALLS=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.13
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.12
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.13
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.13
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.13
index 68d1329314..66d355162b 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.13
@@ -828,7 +828,6 @@ CONFIG_CIFS_XATTR=y
 CONFIG_CIFS_POSIX=y
 CONFIG_CIFS_ACL=y
 CONFIG_CIFS_DFS_UPCALL=y
-CONFIG_CIFS_SMB2=y
 CONFIG_CIFS_FSCACHE=y
 CONFIG_NET_9P=m
 # CONFIG_NET_9P_DEBUG is not set
@@ -848,7 +847,7 @@ CONFIG_DEBUG_INFO=y
 CONFIG_STRIP_ASM_SYMS=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DEBUG_SHIRQ=y
-CONFIG_LOCKUP_DETECTOR=y
+CONFIG_SOFTLOCKUP_DETECTOR=y
 CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=60
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index 943f32154d..dfe9d12a07 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,2 +1,2 @@
 DIST linux-4.12.tar.xz 99186576 SHA256 a45c3becd4d08ce411c14628a949d08e2433d8cdeca92036c7013980e93858ab SHA512 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728 WHIRLPOOL 3b97da251c2ba4ace4a27b708f2b1dcf94cb1b59aaeded6acb74bd98f0d3e33f1df83670665e4186d99a55daa84c88d539d93e20f0ff18a6d46ef326c48dd375
-DIST patch-4.12.8.xz 161064 SHA256 32b860911a3bafd5cd5bc813a427c90fad6eafdf607fa64e1b763b16ab605636 SHA512 44e2417fe1379977b4891f74b227c2c6d6588f3726b598ad8c8a52ecaea32f56cf222b877230fc87c043583a6f230f3044fe3c9b293c67699e1743c0161004cf WHIRLPOOL e9c6493b4c9743b031bdd0c49ab06057a6c4ba25812955189508a48be08c2b4836e999c2b7662ae049ccc8de41c3d639fe51841e3d1eaa23fda1dce5872c01cf
+DIST patch-4.13-rc6.patch 71739562 SHA256 0124dc320611f86dfa2eabef86c494ce3eb2a8f2b241907f8ff0f059de82d41a SHA512 8ae76a5e1eb78ea8688d3736e59dd2b4279de629f2acd653b46c328d13419d34e4b2b55c01f001701e4539127cbfc264c4bb83134d3ae28a4100e1715429ba9a WHIRLPOOL 68d09102a5af7ddabc2aaf72ec64e34f2b4d63f368fe46383449fbce1eff78705a7c4b7474982647ecbf34f2ee8bca9fb90c44254dc45bb0217b7b259ce99597
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.8.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13_rc6.ebuild
similarity index 84%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.8.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13_rc6.ebuild
index 8e306611f2..8af9340235 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.8.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13_rc6.ebuild
@@ -3,18 +3,29 @@ EAPI="5" ETYPE="sources" + +# -rc releases should be versioned L.M_rcN +# Final releases should be versioned L.M.N, even for n == 0 + +# Only needed for RCs +K_BASE_VER="4.12" + inherit kernel-2 detect_version DESCRIPTION="Full sources for the CoreOS Linux kernel" HOMEPAGE="http://www.kernel.org" -SRC_URI="${KERNEL_URI}" +if [[ "${PV%%_rc*}" != "${PV}" ]]; then + SRC_URI="https://git.kernel.org/torvalds/p/v${KV%-coreos}/v${OKV} -> patch-${KV%-coreos}.patch ${KERNEL_BASE_URI}/linux-${OKV}.tar.xz" + PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_PATCH}" +else + SRC_URI="${KERNEL_URI}" + PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}" +fi KEYWORDS="amd64 arm64" IUSE="" -PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}" - # XXX: Note we must prefix the patch filenames with "z" to ensure they are # applied _after_ a potential patch-${KV}.patch file, present when building a # patchlevel revision. We mustn't apply our patches first, it fails when the diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch index 24c5a53117..fc6b58806b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,4 +1,4 @@ -From 4e2f9eda0169ec4c6eac1499aeca816ed13fb22d Mon Sep 17 00:00:00 2001 +From 481a43ba6c1a3987ab96b55cd5834ea1bfd32d61 Mon Sep 17 00:00:00 2001 
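Review bot: In the rc branch of the coreos-sources ebuild hunk, SRC_URI fetches `patch-${KV%-coreos}.patch` from a `git.kernel.org/torvalds/p/...` URL, which looks like a patch rendered on request by the git web front end rather than a published release artifact. That leaves the Manifest hashes as the only integrity check, and they record whatever bytes were served when the Manifest was generated; nothing in the ebuild says how that content was validated against upstream. I would add a comment above the assignment such as `# rc patch is rendered by git.kernel.org on request; check it against the signed upstream tag before regenerating the Manifest`. Separately, `${KV_MAJOR}.${KV_PATCH}` next to the else branch's `${KV_MAJOR}.${KV_MINOR}` reads like a typo; if it relies on how detect_version fills those fields when K_BASE_VER is set, a one-line comment should say so. The hard-coded `K_BASE_VER="4.12"` likewise deserves a note that it must be bumped with each new series.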
From: Josh Boyer Date: Mon, 21 Nov 2016 23:55:55 +0000 Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit @@ -18,7 +18,7 @@ Signed-off-by: David Howells 2 files changed, 2 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 36646f19d40b..87ef54e64842 100644 +index 3486d0498800..319995f58345 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1190,6 +1190,7 @@ void __init setup_arch(char **cmdline_p) @@ -30,10 +30,10 @@ index 36646f19d40b..87ef54e64842 100644 break; default: diff --git a/include/linux/efi.h b/include/linux/efi.h -index ec36f42a2add..381b3f6670d3 100644 +index 8269bcb8ccf7..7952dd3ffa73 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -1081,6 +1081,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch index f709293d11..2f562330bf 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch @@ -1,4 +1,4 @@ -From 2501f1d32a7739cc573f78dc1bfd84b8b698a9f7 Mon Sep 17 00:00:00 2001 +From 54c7d80dbd0228bf36fa0bc6b89347d98f033270 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:36:17 +0000 Subject: [PATCH 02/24] Add the ability to lock down access to the running @@ -21,10 +21,10 @@ Signed-off-by: David Howells create mode 100644 security/lock_down.c diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 13bc08aba704..282a1684d6e8 100644 +index bd6d96cf80b1..65692c80aa1a 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h -@@ -276,6 +276,15 @@ extern int oops_may_print(void); +@@ -277,6 +277,15 @@ extern int oops_may_print(void); void do_exit(long error_code) __noreturn; void complete_and_exit(struct completion *, long) __noreturn; @@ -41,10 +41,10 @@ index 13bc08aba704..282a1684d6e8 100644 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); int __must_check _kstrtol(const char *s, unsigned int base, long *res); diff --git a/include/linux/security.h b/include/linux/security.h -index af675b576645..68bab18ddd57 100644 +index b6ea1dc9cc9d..834b355fa298 100644 --- a/include/linux/security.h +++ b/include/linux/security.h -@@ -1698,5 +1698,16 @@ static inline void free_secdata(void *secdata) +@@ -1764,5 +1764,16 @@ static inline void free_secdata(void *secdata) { } #endif /* CONFIG_SECURITY */ @@ -62,10 +62,10 @@ index af675b576645..68bab18ddd57 100644 #endif /* ! __LINUX_SECURITY_H */ diff --git a/security/Kconfig b/security/Kconfig -index 93027fdf47d1..4baac4aab277 100644 +index e8e449444e65..1a84ed33c09a 100644 --- a/security/Kconfig 
+++ b/security/Kconfig -@@ -189,6 +189,21 @@ config STATIC_USERMODEHELPER_PATH +@@ -205,6 +205,21 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch index c1fc97e29b..ea84926398 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -1,4 +1,4 @@ -From 658a0724dcd6f78a873dde6529d173a14912cfa4 Mon Sep 17 00:00:00 2001 +From cfed0982c1ec30cf155173ae53324cea75efb7ee Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:55:55 +0000 Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode @@ -16,10 +16,10 @@ Signed-off-by: David Howells 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 0efb4c9497bc..4d1c53bb8411 100644 +index 323cb065be5e..8e41d54d6498 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1827,6 +1827,18 @@ config EFI_MIXED +@@ -1836,6 +1836,18 @@ config EFI_MIXED If unsure, say N. 
@@ -39,7 +39,7 @@ index 0efb4c9497bc..4d1c53bb8411 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 87ef54e64842..4c4d758d4be1 100644 +index 319995f58345..d0128aef43ce 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -69,6 +69,7 @@ diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch similarity index 81% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch index 756a47ebb5..99d8f75fed 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch @@ -1,4 +1,4 @@ -From c24c03a43f605a9a2eebd6c3127233e1e6a11f47 Mon Sep 17 00:00:00 2001 +From a9896875729d63cf1b5467350e377c88045eb5d7 Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 23 Nov 2016 13:22:22 +0000 Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down @@ -12,10 +12,10 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/module.c b/kernel/module.c -index 4a3665f8f837..3f1de34c6d10 100644 +index 40f983cbea81..e5b878b26906 100644 --- a/kernel/module.c 
+++ b/kernel/module.c -@@ -2777,7 +2777,7 @@ static int module_sig_check(struct load_info *info, int flags) +@@ -2781,7 +2781,7 @@ static int module_sig_check(struct load_info *info, int flags) } /* Not having a signature is only an error if we're strict. */ diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch index 6032fa040a..3e629c6a1c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch @@ -1,4 +1,4 @@ -From bf0386cef0f2d98d50633f58f74d35be5d443857 Mon Sep 17 00:00:00 2001 +From d7e88bdd95b2dae73d4b637f0c9f8f0db66b08c9 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch index 82cfd3d7d9..35748b8a71 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch @@ -1,4 +1,4 @@ -From 9da0efbc7e61210ad676ed61192c6ca90c09d4a1 Mon Sep 17 00:00:00 2001 +From c28baf4af445d7469f8cda3b927cf8f3af6cd356 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:15 +0000 Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down @@ -17,10 +17,10 @@ Signed-off-by: David Howells 1 file changed, 7 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c -index 980936a90ee6..46de8e6b42f4 100644 +index e62ec4dc6620..37f75d0b75de 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c -@@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, +@@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, return -EPERM; /* 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch index 2b8fd3e318..806fa8f8b2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch @@ -1,4 +1,4 @@ -From fc8d8b030d2ca4bf45ff0773ecd22fb889ef7bd3 Mon Sep 17 00:00:00 2001 +From 575526722acc8ff5d5cbe476b65fa8fa376c3e62 Mon Sep 17 00:00:00 2001 From: Dave Young Date: Tue, 22 Nov 2016 08:46:15 +0000 Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec @@ -22,7 +22,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c -index 9d7fd5e6689a..7e6f00ae8322 100644 +index fb095ba0c02f..7d0fac5bcbbe 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch index c25722d166..c3fc8eb8e1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch @@ -1,4 +1,4 @@ -From 4278fb032961f619a8d9605efc98fe88b43f68c8 Mon Sep 17 00:00:00 2001 +From ff42bf8fbde161f5f56410bee078313016fe9d84 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Wed, 23 Nov 2016 13:49:19 +0000 Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been @@ -18,10 +18,10 @@ Signed-off-by: David Howells 1 file changed, 6 insertions(+) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c -index b118735fea9d..f6937eecd1eb 100644 +index 9f48f4412297..7da87007c202 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c -@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, +@@ -255,6 +255,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) return -EPERM; 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch index 0642ade61d..b3d9d2ebc3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch @@ -1,4 +1,4 @@ -From eb3bd4fc83774bb5f0a8b95c273fac07a912dcc5 Mon Sep 17 00:00:00 2001 +From 5bc506ab5a4bcba529f2f4461478f57990029255 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 22 Nov 2016 08:46:15 +0000 Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index a8b978c35a6a..50cca5dcb62f 100644 +index e1914c7b85b1..7859ba79e181 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch index 2e2db9d256..f299fd245b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch @@ -1,4 +1,4 @@ -From 5e24aa7d6d87d9579604d9fb9b0a423748e6e879 Mon Sep 17 00:00:00 2001 +From 3c85a22ee69a084fd61b7ab16c49e25cfb351bfb Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Wed, 23 Nov 2016 13:28:17 +0000 Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch index 7ba9a304a4..2d34dbfb88 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch @@ -1,4 +1,4 @@ -From f2972226aac2cfcdaa79a2814ec2d6dc76898dcd Mon Sep 17 00:00:00 2001 +From c065d3f63e6d2a328cc072471309da1bece1c159 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:15 +0000 Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked @@ -19,10 +19,10 @@ Signed-off-by: David Howells 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 31e99613a12e..559556047d66 100644 +index 2f3780b50723..534d6df4aec2 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c -@@ -754,6 +754,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, +@@ -881,6 +881,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; @@ -32,7 +32,7 @@ index 31e99613a12e..559556047d66 100644 if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { -@@ -1048,6 +1051,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, +@@ -1175,6 +1178,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; @@ -42,7 +42,7 @@ index 31e99613a12e..559556047d66 100644 if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL; -@@ -1131,6 +1137,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, +@@ -1258,6 +1264,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch index 5d4c106452..778c6e9d4d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch @@ -1,4 +1,4 @@ -From 484812949960307a41ac09edbc0cdf3760067008 Mon Sep 17 00:00:00 2001 +From 792ad5524762a4652914eed1e27fa80dbc88fe63 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch index ee69bcb296..7c3d4c91fd 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch @@ -1,4 +1,4 @@ -From c476d98c6d2e7f6bd5614e65d6beccedc9f2de0a Mon Sep 17 00:00:00 2001 +From 0111a95655634467b2756f4a98751fca214bc7bc Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:17 +0000 Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch index 670f4a2cc4..24a8e8ead0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch @@ -1,4 +1,4 @@ -From 14820764b607846accbf8976d150a9d4694c6926 Mon Sep 17 00:00:00 2001 +From adf4bb1b4d055642c4634f40826f76b5d9fa80ab Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is @@ -17,7 +17,7 @@ Signed-off-by: David Howells 1 file changed, 9 insertions(+) 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index 6c7d86074b38..57b82cbc9a6b 100644
+index 709e3a67391a..2d8db47698b2 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
 @@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
similarity index 94%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
index 5e0849c40f..5bc80ee75e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
@@ -1,4 +1,4 @@
-From 42ed5afba86d6f44ac77e7eda7ffdb18969db24d Mon Sep 17 00:00:00 2001
+From a60c37afdbf4c2f651225dba77ce30eba398e9fb Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:16 +0000
 Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
similarity index 93%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
index 0d9584c274..45c1c039c6 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
@@ -1,4 +1,4 @@
-From e735d109ecc0a688d015e7e1b47e2bd7565a3706 Mon Sep 17 00:00:00 2001
+From 287d04c343cc148beeaf5dfd319baf4f45202fa5 Mon Sep 17 00:00:00 2001
 From: Josh Boyer
 Date: Tue, 22 Nov 2016 08:46:16 +0000
 Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
similarity index 95%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
index aeac839322..e6ccd6edb5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
@@ -1,4 +1,4 @@
-From d02deefe966da9ce7b24a634461a55a48a26f5c4 Mon Sep 17 00:00:00 2001
+From b40bd3a020d61d854c73eefd7181c7e9bab8edff Mon Sep 17 00:00:00 2001
 From: Linn Crosetto
 Date: Wed, 23 Nov 2016 13:32:27 +0000
 Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
similarity index 96%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
index 849729bfa1..96fcefc327 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
@@ -1,4 +1,4 @@
-From d57dc54e42838cc52b3d622cfdf8fc9146d223fb Mon Sep 17 00:00:00 2001
+From c76adce8d0727a6af33bd546da1198660bc716fa Mon Sep 17 00:00:00 2001
 From: Linn Crosetto
 Date: Wed, 23 Nov 2016 13:39:41 +0000
 Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
similarity index 94%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
index 795ef530d2..6f3414e1dc 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
@@ -1,4 +1,4 @@
-From f9f91a7b1673ed43f430dc5b5acc5add311fffb2 Mon Sep 17 00:00:00 2001
+From 44a1cbfc4903c6d1ae1965b9a203fbde710163f7 Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi"
 Date: Wed, 23 Nov 2016 13:52:16 +0000
 Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
@@ -17,7 +17,7 @@ Signed-off-by: David Howells
 1 file changed, 11 insertions(+)
 diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
-index 460a031c77e5..58eb33d5d6ae 100644
+index dc498b605d5d..fb240222b89b 100644
 --- a/kernel/trace/bpf_trace.c
 +++ b/kernel/trace/bpf_trace.c
 @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch
similarity index 96%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch
index 7c7f5f86de..3a6c8d872e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch
@@ -1,4 +1,4 @@
-From 5cb364215e15f7b2261a4a080bc47034c0420602 Mon Sep 17 00:00:00 2001
+From 9a254d6fb0731b425165c5e84e6c80a6a6978c76 Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Tue, 22 Nov 2016 10:10:34 +0000
 Subject: [PATCH 20/24] scsi: Lock down the eata driver
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
similarity index 93%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
index 91e0f45908..2b0c17af53 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
@@ -1,4 +1,4 @@
-From a71e61219464413efec0989992de9156807cfae8 Mon Sep 17 00:00:00 2001
+From e54719b6e3d345c7c1dc12c1816962332fd321f4 Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Fri, 25 Nov 2016 14:37:45 +0000
 Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch
similarity index 92%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch
index ec1de4b225..587bd88dcc 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch
@@ -1,4 +1,4 @@
-From 8630a903079e06b279c544242a0bef5c446a5cce Mon Sep 17 00:00:00 2001
+From b2072dd22bcb12ff9146c02cf152b997d4015cec Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Wed, 7 Dec 2016 10:28:39 +0000
 Subject: [PATCH 22/24] Lock down TIOCSSERIAL
@@ -15,7 +15,7 @@ Signed-off-by: David Howells
 1 file changed, 6 insertions(+)
 diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index 13bfd5dcffce..45fb7689bc1c 100644
+index f534a40aebde..e32c0179f423 100644
 --- a/drivers/tty/serial/serial_core.c
 +++ b/drivers/tty/serial/serial_core.c
 @@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
similarity index 78%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
index 0553f72506..f4473cb750 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
@@ -1,4 +1,4 @@
-From fc70365d40918461359916508605676073ce26d6 Mon Sep 17 00:00:00 2001
+From acfbb7ecfdfef21a3dd7af9ec73bc8eddfb030f5 Mon Sep 17 00:00:00 2001
 From: Vito Caputo
 Date: Wed, 25 Nov 2015 02:59:45 -0800
 Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
@@ -12,12 +12,12 @@ by some undesirable path component.
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/Makefile b/Makefile
-index 6da481d08441..9087044d964c 100644
+index 235826f95741..f77bb99032e8 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -149,7 +149,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
- @:
+@@ -142,7 +142,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
+ # Invoke a second make in the output directory, passing relevant variables
 sub-make:
 - $(Q)$(MAKE) -C $(KBUILD_OUTPUT) KBUILD_SRC=$(CURDIR) \
 + $(Q)$(MAKE) -C $(KBUILD_OUTPUT) \
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch
similarity index 92%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch
index 46ab3bfd11..ffe21932bc 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch
@@ -1,4 +1,4 @@
-From d824d0b5ff849b21152a3c26bb22f9efa248eee9 Mon Sep 17 00:00:00 2001
+From 97f0d2110bc94979ebd09c73fb5b23d49c851363 Mon Sep 17 00:00:00 2001
 From: Geoff Levand
 Date: Fri, 11 Nov 2016 17:28:52 -0800
 Subject: [PATCH 24/24] Add arm64 coreos verity hash