app-emulation/qemu: sync with upstream

The Gentoo ebuild has modified the dependencies to require static
libraries for the system programs instead of just the user ones.

The only CoreOS changes to the ebuild are to add the vpc patch, and
to mark arm64 stable (even though it isn't used).

sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/Manifest

@@ -1 +1,2 @@
+DIST qemu-2.8.0-CVE-2016-9602-patches.tar.xz 16264 SHA256 18ac829c6003a3f997db4030a46b422028c58fead158f0c5ffe36ad65acb84e0 SHA512 a56694d1600e4fd1ffd6bbe031a0db226fc5c88306797cc4e42d1dc6127b83d1791cb4e026988b3aad82eab84382e41077ae71e532d1d3489e179730185c0964 WHIRLPOOL 22057b001c478b2b0d97ad70393c973aefc6277d89bb5a1ae03c3c39b5182ddfbe541964761f512ed5735dc442e1f40d0a955ad5b270758e21ce815be86b24bd
 DIST qemu-2.8.0.tar.bz2 28368517 SHA256 dafd5d7f649907b6b617b822692f4c82e60cf29bc0fc58bc2036219b591e5e62 SHA512 50f2988d822388ba9fd1bf5dbe68359033ed7432d7f0f9790299f32f63faa6dc72979256b5632ba572d47ee3e74ed40e3e8e331dc6303ec1599f1b4367cb78c2 WHIRLPOOL 0ce4e0539657eb832e4039819e7360c792b6aa41c718f0e0d762f4933217f0d370af94b1d6d9776853575b4a6811d8c85db069bf09d21bd15399ac8b50440ff5

sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch

@@ -0,0 +1,52 @@
+From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 7 Feb 2017 02:23:33 -0800
+Subject: [PATCH] usb: ohci: limit the number of link eds
+
+The guest may builds an infinite loop with link eds. This patch
+limit the number of linked ed to avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-ohci.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 2cba3e3..21c93e0 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -42,6 +42,8 @@
+ 
+ #define OHCI_MAX_PORTS 15
+ 
++#define ED_LINK_LIMIT 4
++
+ static int64_t usb_frame_time;
+ static int64_t usb_bit_time;
+ 
+@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
+     uint32_t next_ed;
+     uint32_t cur;
+     int active;
+-
++    uint32_t link_cnt = 0;
+     active = 0;
+ 
+     if (head == 0)
+@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
+ 
+         next_ed = ed.next & OHCI_DPTR_MASK;
+ 
++        if (++link_cnt > ED_LINK_LIMIT) {
++            ohci_die(ohci);
++            return 0;
++        }
++
+         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
+             uint32_t addr;
+             /* Cancel pending packets for ED that have been paused.  */
+-- 
+2.10.2
+

sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/metadata.xml

@@ -32,7 +32,6 @@
 		<flag name="sdl2">Use libsdl2 instead of libsdl</flag>
 		<flag name="spice">Enable Spice protocol support via <pkg>app-emulation/spice</pkg></flag>
 		<flag name="ssh">Enable SSH based block device support via <pkg>net-libs/libssh2</pkg></flag>
-		<flag name="static-softmmu">Build the Software MMU (system) targets as static binaries</flag>
 		<flag name="static-user">Build the User targets as static binaries</flag>
 		<flag name="static">Build the User and Software MMU (system) targets as well as tools as static binaries</flag>
 		<flag name="snappy">Enable support for snappy compression</flag>

sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.8.0-r9.ebuild

@@ -1,7 +1,7 @@
 # Copyright 1999-2017 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI="5"
+EAPI="6"
 
 PYTHON_COMPAT=( python2_7 )
 PYTHON_REQ_USE="ncurses,readline"
@@ -13,31 +13,36 @@ inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \
 
 if [[ ${PV} = *9999* ]]; then
 	EGIT_REPO_URI="git://git.qemu.org/qemu.git"
-	inherit git-2
+	inherit git-r3
 	SRC_URI=""
 else
 	SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2"
-	KEYWORDS="amd64 ~arm64 ~ppc ~ppc64 x86 ~x86-fbsd"
+	KEYWORDS="amd64 arm64 ~ppc ~ppc64 x86 ~x86-fbsd"
 fi
 
+# bug #606088
+SRC_URI+="
+	https://dev.gentoo.org/~tamiko/distfiles/${P}-CVE-2016-9602-patches.tar.xz"
+
 DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools"
 HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org"
 
 LICENSE="GPL-2 LGPL-2 BSD-2"
 SLOT="0"
-IUSE="accessibility +aio alsa bluetooth bzip2 +caps +curl debug +fdt glusterfs \
+IUSE="accessibility +aio alsa bluetooth bzip2 +caps +curl debug +fdt
-gnutls gtk gtk2 infiniband iscsi +jpeg \
+	glusterfs gnutls gtk gtk2 infiniband iscsi +jpeg kernel_linux
-kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs
+	kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs +png
-+png pulseaudio python \
+	pulseaudio python rbd sasl +seccomp sdl sdl2 selinux smartcard snappy
-rbd sasl +seccomp sdl sdl2 selinux smartcard snappy spice ssh static static-softmmu
+	spice ssh static static-user systemtap tci test +threads usb usbredir
-static-user systemtap tci test +threads usb usbredir vde +vhost-net \
+	vde +vhost-net virgl virtfs +vnc vte xattr xen xfs"
-virgl virtfs +vnc vte xattr xen xfs"
 
-COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel mips
+COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel
-mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc sparc64
+	mips mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc
-x86_64"
+	sparc64 x86_64"
-IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} lm32 moxie ppcemb tricore unicore32 xtensa xtensaeb"
+IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS}
-IUSE_USER_TARGETS="${COMMON_TARGETS} armeb mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx"
+	lm32 moxie ppcemb tricore unicore32 xtensa xtensaeb"
+IUSE_USER_TARGETS="${COMMON_TARGETS}
+	armeb mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx"
 
 use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS})
 use_user_targets=$(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS})
@@ -52,32 +57,38 @@ REQUIRED_USE="${PYTHON_REQUIRED_USE}
 	qemu_softmmu_targets_ppc? ( fdt )
 	qemu_softmmu_targets_ppc64? ( fdt )
 	sdl2? ( sdl )
-	static? ( static-softmmu static-user )
+	static? ( static-user !alsa !bluetooth !gtk !gtk2 !opengl !pulseaudio )
-	static-softmmu? ( !alsa !pulseaudio !bluetooth !opengl !gtk !gtk2 )
 	virtfs? ( xattr )
 	vte? ( gtk )"
 
+# Dependencies required for qemu tools (qemu-nbd, qemu-img, qemu-io, ...)
+# and user/softmmu targets (qemu-*, qemu-system-*).
+#
 # Yep, you need both libcap and libcap-ng since virtfs only uses libcap.
 #
 # The attr lib isn't always linked in (although the USE flag is always
 # respected).  This is because qemu supports using the C library's API
 # when available rather than always using the extranl library.
 #
-# Older versions of gnutls are supported, but it's simpler to just require
+# To configure and compile qemu user targets or tools alone the following
-# the latest versions.  This is also why we require nettle.
+# dependencies are not strictly necessary:
-#
+#   alsa? ( >=media-libs/alsa-lib-1.0.13 )
-# TODO: Split out tools deps into another var.  e.g. bzip2 is only used by
+#   fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] )
-# system binaries and tools, not user binaries.
+#   pulseaudio? ( media-sound/pulseaudio )
-COMMON_LIB_DEPEND=">=dev-libs/glib-2.0[static-libs(+)]
+#   seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] )
-	sys-libs/zlib[static-libs(+)]
+# but these are so few it is not worth the effort to separate this list.
-	bzip2? ( app-arch/bzip2[static-libs(+)] )
+TARGETS_DEPEND="
-	xattr? ( sys-apps/attr[static-libs(+)] )"
+	>=dev-libs/glib-2.0[static-libs(+)]
-SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
 	>=x11-libs/pixman-0.28.0[static-libs(+)]
-	accessibility? ( app-accessibility/brltty[static-libs(+)] )
+	sys-libs/zlib[static-libs(+)]
+	accessibility? (
+		app-accessibility/brltty[api]
+		app-accessibility/brltty[static-libs(+)]
+	)
 	aio? ( dev-libs/libaio[static-libs(+)] )
 	alsa? ( >=media-libs/alsa-lib-1.0.13 )
 	bluetooth? ( net-wireless/bluez )
+	bzip2? ( app-arch/bzip2[static-libs(+)] )
 	caps? ( sys-libs/libcap-ng[static-libs(+)] )
 	curl? ( >=net-misc/curl-7.15.4[static-libs(+)] )
 	fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] )
@@ -114,6 +125,7 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
 	)
 	png? ( media-libs/libpng:0=[static-libs(+)] )
 	pulseaudio? ( media-sound/pulseaudio )
+	python? ( ${PYTHON_DEPS} )
 	rbd? ( sys-cluster/ceph[static-libs(+)] )
 	sasl? ( dev-libs/cyrus-sasl[static-libs(+)] )
 	sdl? (
@@ -134,13 +146,16 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
 		>=app-emulation/spice-0.12.0[static-libs(+)]
 	)
 	ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] )
-	usb? ( >=virtual/libusb-1-r2[static-libs(+)] )
+	systemtap? ( dev-util/systemtap )
 	usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] )
+	usb? ( >=virtual/libusb-1-r2[static-libs(+)] )
 	vde? ( net-misc/vde[static-libs(+)] )
 	virgl? ( media-libs/virglrenderer[static-libs(+)] )
 	virtfs? ( sys-libs/libcap )
+	xattr? ( sys-apps/attr[static-libs(+)] )
+	xen? ( app-emulation/xen-tools:= )
 	xfs? ( sys-fs/xfsprogs[static-libs(+)] )"
-USER_LIB_DEPEND="${COMMON_LIB_DEPEND}"
+
 X86_FIRMWARE_DEPEND="
 	>=sys-firmware/ipxe-1.0.0_p20130624
 	pin-upstream-blobs? (
@@ -153,14 +168,11 @@ X86_FIRMWARE_DEPEND="
 		sys-firmware/sgabios
 		sys-firmware/vgabios
 	)"
+
 CDEPEND="
-	!static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} ) " ${use_softmmu_targets}) )
+	!static? ( ${TARGETS_DEPEND//\[static-libs(+)]} )
-	!static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND//\[static-libs(+)]} ) " ${use_user_targets}) )
 	qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} )
-	qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} )
+	qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} )"
-	python? ( ${PYTHON_DEPS} )
-	systemtap? ( dev-util/systemtap )
-	xen? ( app-emulation/xen-tools:= )"
 DEPEND="${CDEPEND}
 	dev-lang/perl
 	=dev-lang/python-2*
@@ -168,15 +180,45 @@ DEPEND="${CDEPEND}
 	virtual/pkgconfig
 	kernel_linux? ( >=sys-kernel/linux-headers-2.6.35 )
 	gtk? ( nls? ( sys-devel/gettext ) )
-	static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND} ) " ${use_softmmu_targets}) )
+	static? ( ${TARGETS_DEPEND} )
-	static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND} ) " ${use_user_targets}) )
+	static-user? ( ${TARGETS_DEPEND} )
 	test? (
 		dev-libs/glib[utils]
 		sys-devel/bc
 	)"
 RDEPEND="${CDEPEND}
-	selinux? ( sec-policy/selinux-qemu )
+	selinux? ( sec-policy/selinux-qemu )"
-"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.5.0-cflags.patch
+	"${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
+	"${FILESDIR}"/${PN}-2.7.0-CVE-2016-8669-1.patch #597108
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2016-9908.patch   #601826
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2016-9912.patch   #602630
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2016-10028.patch  #603444
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2016-10155.patch  #606720
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-2615.patch   #608034
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-2630.patch   #609396
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5525-1.patch #606264
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5525-2.patch
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5552.patch   #606722
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5578.patch   #607000
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5579.patch   #607100
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5667.patch   #607766
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5856.patch   #608036
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5857.patch   #608038
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5898.patch   #608520
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5931.patch   #608728
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5973.patch   #609334
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch   #609398
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-6058.patch   #609638
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-2620.patch   #609206
+	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-6505.patch   #612220
+	"${S}-CVE-2016-9602-patches"
+
+	# fix for vpc creation in qemu-img
+	"${FILESDIR}"/0001-block-fix-vpc-max_table_entries-computation.patch
+)
 
 STRIP_MASK="/usr/share/qemu/palcode-clipper"
 
@@ -186,8 +228,7 @@ QA_PREBUILT="
 	usr/share/qemu/openbios-sparc32
 	usr/share/qemu/palcode-clipper
 	usr/share/qemu/s390-ccw.img
-	usr/share/qemu/u-boot.e500
+	usr/share/qemu/u-boot.e500"
-"
 
 QA_WX_LOAD="usr/bin/qemu-i386
 	usr/bin/qemu-x86_64
@@ -212,27 +253,26 @@ QA_WX_LOAD="usr/bin/qemu-i386
 	usr/bin/qemu-s390x
 	usr/bin/qemu-unicore32"
 
-DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure
+DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure you have the
-you have the kernel module loaded before running kvm. The easiest way to
+kernel module loaded before running kvm. The easiest way to ensure that the
-ensure that the kernel module is loaded is to load it on boot.\n
+kernel module is loaded is to load it on boot.
-For AMD CPUs the module is called 'kvm-amd'.\n
+	For AMD CPUs the module is called 'kvm-amd'.
-For Intel CPUs the module is called 'kvm-intel'.\n
+	For Intel CPUs the module is called 'kvm-intel'.
-Please review /etc/conf.d/modules for how to load these.\n\n
+Please review /etc/conf.d/modules for how to load these.
-Make sure your user is in the 'kvm' group\n
-Just run 'gpasswd -a <USER> kvm', then have <USER> re-login.\n\n
-For brand new installs, the default permissions on /dev/kvm might not let you
-access it.  You can tell udev to reset ownership/perms:\n
-udevadm trigger -c add /dev/kvm"
 
-qemu_support_kvm() {
+Make sure your user is in the 'kvm' group. Just run
-	if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386 \
+	$ gpasswd -a <USER> kvm
-		use qemu_softmmu_targets_ppc || use qemu_softmmu_targets_ppc64 \
+then have <USER> re-login.
-		use qemu_softmmu_targets_s390x; then
-		return 0
-	fi
 
-	return 1
+For brand new installs, the default permissions on /dev/kvm might not let
-}
+you access it.  You can tell udev to reset ownership/perms:
+	$ udevadm trigger -c add /dev/kvm
+
+If you want to register binfmt handlers for qemu user targets:
+For openrc:
+	# rc-update add qemu-binfmt
+For systemd:
+	# ln -s /usr/share/qemu/binfmt.d/qemu.conf /etc/binfmt.d/qemu.conf"
 
 pkg_pretend() {
 	if use kernel_linux && kernel_is lt 2 6 25; then
@@ -333,32 +373,7 @@ src_prepare() {
 		-e 's/^(C|OP_C|HELPER_C)FLAGS=/\1FLAGS+=/' \
 		Makefile Makefile.target || die
 
-	epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch
+	default
-	epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
-	epatch "${FILESDIR}"/${PN}-2.7.0-CVE-2016-8669-1.patch #597108
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-9908.patch   #601826
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-9912.patch   #602630
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-10028.patch  #603444
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-10155.patch  #606720
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-2615.patch   #608034
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-2630.patch   #609396
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5525-1.patch #606264
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5525-2.patch
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5552.patch   #606722
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5578.patch   #607000
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5579.patch   #607100
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5667.patch   #607766
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5856.patch   #608036
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5857.patch   #608038
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5898.patch   #608520
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5931.patch   #608728
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5973.patch   #609334
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch   #609398
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6058.patch   #609638
-	epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-2620.patch   #609206
-
-	# fix for vpc creation in qemu-img
-	epatch "${FILESDIR}"/0001-block-fix-vpc-max_table_entries-computation.patch
 
 	# Fix ld and objcopy being called directly
 	tc-export AR LD OBJCOPY
@@ -366,8 +381,6 @@ src_prepare() {
 	# Verbose builds
 	MAKEOPTS+=" V=1"
 
-	epatch_user
-
 	# Run after we've applied all patches.
 	handle_locales
 }
@@ -381,7 +394,6 @@ qemu_src_configure() {
 
 	local buildtype=$1
 	local builddir="${S}/${buildtype}-build"
-	local static_flag="static-${buildtype}"
 
 	mkdir "${builddir}"
 
@@ -410,9 +422,9 @@ qemu_src_configure() {
 		$(use_enable xattr attr)
 	)
 
-	# Disable options not used by user targets as the default configure
+	# Disable options not used by user targets. This simplifies building
-	# options will autoprobe and try to link in a bunch of unused junk.
+	# static user targets (USE=static-user) considerably.
-	conf_softmmu() {
+	conf_notuser() {
 		if [[ ${buildtype} == "user" ]] ; then
 			echo "--disable-${2:-$1}"
 		else
@@ -420,48 +432,61 @@ qemu_src_configure() {
 		fi
 	}
 	conf_opts+=(
-		$(conf_softmmu accessibility brlapi)
+		$(conf_notuser accessibility brlapi)
-		$(conf_softmmu aio linux-aio)
+		$(conf_notuser aio linux-aio)
-		$(conf_softmmu bzip2)
+		$(conf_notuser bzip2)
-		$(conf_softmmu bluetooth bluez)
+		$(conf_notuser bluetooth bluez)
-		$(conf_softmmu caps cap-ng)
+		$(conf_notuser caps cap-ng)
-		$(conf_softmmu curl)
+		$(conf_notuser curl)
-		$(conf_softmmu fdt)
+		$(conf_notuser fdt)
-		$(conf_softmmu glusterfs)
+		$(conf_notuser glusterfs)
-		$(conf_softmmu gnutls)
+		$(conf_notuser gnutls)
-		$(conf_softmmu gnutls nettle)
+		$(conf_notuser gnutls nettle)
-		$(conf_softmmu gtk)
+		$(conf_notuser gtk)
-		$(conf_softmmu infiniband rdma)
+		$(conf_notuser infiniband rdma)
-		$(conf_softmmu iscsi libiscsi)
+		$(conf_notuser iscsi libiscsi)
-		$(conf_softmmu jpeg vnc-jpeg)
+		$(conf_notuser jpeg vnc-jpeg)
-		$(conf_softmmu kernel_linux kvm)
+		$(conf_notuser kernel_linux kvm)
-		$(conf_softmmu lzo)
+		$(conf_notuser lzo)
-		$(conf_softmmu ncurses curses)
+		$(conf_notuser ncurses curses)
-		$(conf_softmmu nfs libnfs)
+		$(conf_notuser nfs libnfs)
-		$(conf_softmmu numa)
+		$(conf_notuser numa)
-		$(conf_softmmu opengl)
+		$(conf_notuser opengl)
-		$(conf_softmmu png vnc-png)
+		$(conf_notuser png vnc-png)
-		$(conf_softmmu rbd)
+		$(conf_notuser rbd)
-		$(conf_softmmu sasl vnc-sasl)
+		$(conf_notuser sasl vnc-sasl)
-		$(conf_softmmu sdl)
+		$(conf_notuser sdl)
-		$(conf_softmmu seccomp)
+		$(conf_notuser seccomp)
-		$(conf_softmmu smartcard)
+		$(conf_notuser smartcard)
-		$(conf_softmmu snappy)
+		$(conf_notuser snappy)
-		$(conf_softmmu spice)
+		$(conf_notuser spice)
-		$(conf_softmmu ssh libssh2)
+		$(conf_notuser ssh libssh2)
-		$(conf_softmmu usb libusb)
+		$(conf_notuser usb libusb)
-		$(conf_softmmu usbredir usb-redir)
+		$(conf_notuser usbredir usb-redir)
-		$(conf_softmmu vde)
+		$(conf_notuser vde)
-		$(conf_softmmu vhost-net)
+		$(conf_notuser vhost-net)
-		$(conf_softmmu virgl virglrenderer)
+		$(conf_notuser virgl virglrenderer)
-		$(conf_softmmu virtfs)
+		$(conf_notuser virtfs)
-		$(conf_softmmu vnc)
+		$(conf_notuser vnc)
-		$(conf_softmmu vte)
+		$(conf_notuser vte)
-		$(conf_softmmu xen)
+		$(conf_notuser xen)
-		$(conf_softmmu xen xen-pci-passthrough)
+		$(conf_notuser xen xen-pci-passthrough)
-		$(conf_softmmu xfs xfsctl)
+		$(conf_notuser xfs xfsctl)
 	)
 
+	if [[ ! ${buildtype} == "user" ]] ; then
+		# audio options
+		local audio_opts="oss"
+		use alsa && audio_opts="alsa,${audio_opts}"
+		use sdl && audio_opts="sdl,${audio_opts}"
+		use pulseaudio && audio_opts="pa,${audio_opts}"
+		conf_opts+=(
+			--audio-drv-list="${audio_opts}"
+		)
+		use gtk && conf_opts+=( --with-gtkabi=$(usex gtk2 2.0 3.0) )
+		use sdl && conf_opts+=( --with-sdlabi=$(usex sdl2 2.0 1.2) )
+	fi
+
 	case ${buildtype} in
 	user)
 		conf_opts+=(
@@ -470,31 +495,25 @@ qemu_src_configure() {
 			--disable-blobs
 			--disable-tools
 		)
+		local static_flag="static-user"
 		;;
 	softmmu)
-		# audio options
-		local audio_opts="oss"
-		use alsa && audio_opts="alsa,${audio_opts}"
-		use sdl && audio_opts="sdl,${audio_opts}"
-		use pulseaudio && audio_opts="pa,${audio_opts}"
-
 		conf_opts+=(
 			--disable-linux-user
 			--enable-system
+			--disable-tools
 			--with-system-pixman
-			--audio-drv-list="${audio_opts}"
 		)
-		use gtk && conf_opts+=( --with-gtkabi=$(usex gtk2 2.0 3.0) )
+		local static_flag="static"
-		use sdl && conf_opts+=( --with-sdlabi=$(usex sdl2 2.0 1.2) )
 		;;
 	tools)
 		conf_opts+=(
 			--disable-linux-user
 			--disable-system
 			--disable-blobs
-			$(use_enable bzip2)
+			--enable-tools
 		)
-		static_flag="static"
+		local static_flag="static"
 		;;
 	esac
 
@@ -550,7 +569,7 @@ src_configure() {
 
 	[[ -n ${softmmu_targets} ]] && qemu_src_configure "softmmu"
 	[[ -n ${user_targets}    ]] && qemu_src_configure "user"
-	[[ -z ${softmmu_targets}${user_targets} ]] && qemu_src_configure "tools"
+	qemu_src_configure "tools"
 }
 
 src_compile() {
@@ -564,10 +583,8 @@ src_compile() {
 		default
 	fi
 
-	if [[ -z ${softmmu_targets}${user_targets} ]]; then
+	cd "${S}/tools-build"
-		cd "${S}/tools-build"
+	default
-		default
-	fi
 }
 
 src_test() {
@@ -587,13 +604,69 @@ qemu_python_install() {
 	python_doscript "${S}/scripts/qmp/qemu-ga-client"
 }
 
+# Generate binfmt support files.
+#   - /etc/init.d/qemu-binfmt script which registers the user handlers (openrc)
+#   - /usr/share/qemu/binfmt.d/qemu.conf (for use with systemd-binfmt)
+generate_initd() {
+	local out="${T}/qemu-binfmt"
+	local out_systemd="${T}/qemu.conf"
+	local d="${T}/binfmt.d"
+
+	einfo "Generating qemu binfmt scripts and configuration files"
+
+	# Generate the debian fragments first.
+	mkdir -p "${d}"
+	"${S}"/scripts/qemu-binfmt-conf.sh \
+		--debian \
+		--exportdir "${d}" \
+		--qemu-path "${EPREFIX}/usr/bin" \
+		|| die
+	# Then turn the fragments into a shell script we can source.
+	sed -E -i \
+		-e 's:^([^ ]+) (.*)$:\1="\2":' \
+		"${d}"/* || die
+
+	# Generate the init.d script by assembling the fragments from above.
+	local f qcpu package interpreter magic mask
+	cat "${FILESDIR}"/qemu-binfmt.initd.head >"${out}" || die
+	for f in "${d}"/qemu-* ; do
+		source "${f}"
+
+		# Normalize the cpu logic like we do in the init.d for the native cpu.
+		qcpu=${package#qemu-}
+		case ${qcpu} in
+		arm*)   qcpu="arm";;
+		mips*)  qcpu="mips";;
+		ppc*)   qcpu="ppc";;
+		s390*)  qcpu="s390";;
+		sh*)    qcpu="sh";;
+		sparc*) qcpu="sparc";;
+		esac
+
+		cat <<EOF >>"${out}"
+	if [ "\${cpu}" != "${qcpu}" -a -x "${interpreter}" ] ; then
+		echo ':${package}:M::${magic}:${mask}:${interpreter}:'"\${QEMU_BINFMT_FLAGS}" >/proc/sys/fs/binfmt_misc/register
+	fi
+EOF
+
+		echo ":${package}:M::${magic}:${mask}:${interpreter}:OC" >>"${out_systemd}"
+
+	done
+	cat "${FILESDIR}"/qemu-binfmt.initd.tail >>"${out}" || die
+}
+
 src_install() {
 	if [[ -n ${user_targets} ]]; then
 		cd "${S}/user-build"
 		emake DESTDIR="${ED}" install
 
-		# Install binfmt handler init script for user targets
+		# Install binfmt handler init script for user targets.
-		newinitd "${FILESDIR}/qemu-binfmt.initd-r1" qemu-binfmt
+		generate_initd
+		doinitd "${T}/qemu-binfmt"
+
+		# Install binfmt/qemu.conf.
+		insinto "/usr/share/qemu/binfmt.d"
+		doins "${T}/qemu.conf"
 	fi
 
 	if [[ -n ${softmmu_targets} ]]; then
@@ -612,14 +685,12 @@ src_install() {
 		fi
 	fi
 
-	if [[ -z ${softmmu_targets}${user_targets} ]]; then
+	cd "${S}/tools-build"
-		cd "${S}/tools-build"
+	emake DESTDIR="${ED}" install
-		emake DESTDIR="${ED}" install
-	fi
 
 	# Disable mprotect on the qemu binaries as they use JITs to be fast #459348
 	pushd "${ED}"/usr/bin >/dev/null
-	pax-mark m "${softmmu_bins[@]}" "${user_bins[@]}"
+	pax-mark mr "${softmmu_bins[@]}" "${user_bins[@]}" # bug 575594
 	popd >/dev/null
 
 	# Install config file example for qemu-bridge-helper
@@ -673,13 +744,14 @@ src_install() {
 		fi
 	fi
 
-	qemu_support_kvm && readme.gentoo_create_doc
+	DISABLE_AUTOFORMATTING=true
+	readme.gentoo_create_doc
 }
 
 pkg_postinst() {
-	if qemu_support_kvm; then
+	DISABLE_AUTOFORMATTING=true
-		readme.gentoo_print_elog
+	FORCE_PRINT_ELOG=1 # remove for next version bump
-	fi
+	readme.gentoo_print_elog
 
 	if [[ -n ${softmmu_targets} ]] && use kernel_linux; then
 		udev_reload

sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/curl

@@ -0,0 +1,6 @@
+# Since curl now builds static libraries, there are linking failures due to the
+# lack of -fPIC when building under src/ .  The project is actually configured
+# to use -fPIC when the compiler is wrapped by libtool, but that only happens
+# under lib/ and not src/ .
+CFLAGS="${CFLAGS} -fPIC"
+CXXFLAGS="${CXXFLAGS} -fPIC"

sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.accept_keywords

@@ -1,3 +0,0 @@
-# SDK keywords
-
-=app-emulation/qemu-2.6.0 ~amd64

sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.use

@@ -1,4 +0,0 @@
-dev-libs/glib static-libs
-sys-apps/attr static-libs
-sys-libs/zlib static-libs
-app-emulation/qemu static-user

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use

@@ -12,4 +12,18 @@ dev-libs/libxml2 python
 
 # for qemu
 app-arch/bzip2 static-libs
-
+app-emulation/qemu static-user
+dev-libs/glib static-libs
+dev-libs/libaio static-libs
+dev-libs/openssl static-libs
+media-libs/libjpeg-turbo static-libs
+media-libs/libpng static-libs
+net-misc/curl static-libs
+sys-apps/attr static-libs
+sys-apps/dtc static-libs
+sys-libs/libcap-ng static-libs
+sys-libs/libseccomp static-libs
+sys-libs/ncurses static-libs
+sys-libs/zlib static-libs
+virtual/jpeg static-libs
+x11-libs/pixman static-libs