Linux v4.6-10203-g84787c572d40

- Enable CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE (rhbz 1339281)
- Fixup SB patchset to work with upstream changes

Add-EFI-signature-data-types.patch

@@ -1,7 +1,7 @@
-From 6fb2a60e6bfb5ce2d3a4964e7b47ac5c7ecd6f82 Mon Sep 17 00:00:00 2001
+From 5216de8394ff599e41c8540c0572368c18c51459 Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:30:54 -0400
-Subject: [PATCH] Add EFI signature data types
+Subject: [PATCH 4/9] Add EFI signature data types
 
 Add the data types that are used for containing hashes, keys and certificates
 for cryptographic verification.
@@ -15,10 +15,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 20 insertions(+)
 
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index fb0734f..b80227a 100644
+index 8cb38cfcba74..8c274b4ea8e6 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -653,6 +653,12 @@ void efi_native_runtime_setup(void);
+@@ -647,6 +647,12 @@ void efi_native_runtime_setup(void);
  	EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, \
  		 0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f)
  
@@ -31,7 +31,7 @@ index fb0734f..b80227a 100644
  typedef struct {
  	efi_guid_t guid;
  	u64 table;
-@@ -885,6 +891,20 @@ typedef struct {
+@@ -879,6 +885,20 @@ typedef struct {
  	efi_memory_desc_t entry[0];
  } efi_memory_attributes_table_t;
  

Add-an-EFI-signature-blob-parser-and-key-loader.patch

@@ -1,7 +1,7 @@
-From 8cd53548ce7b88b08cc6345c8fca7d28d1f3a7f2 Mon Sep 17 00:00:00 2001
+From e36a2d65e25fdf42b50aa5dc17583d7bfd09c4c4 Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:36:28 -0400
-Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
+Subject: [PATCH 5/9] Add an EFI signature blob parser and key loader.
 
 X.509 certificates are loaded into the specified keyring as asymmetric type
 keys.
@@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  create mode 100644 crypto/asymmetric_keys/efi_parser.c
 
 diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index e28e912..94024e8 100644
+index e28e912000a7..94024e8aedaa 100644
 --- a/crypto/asymmetric_keys/Kconfig
 +++ b/crypto/asymmetric_keys/Kconfig
 @@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
@@ -34,7 +34,7 @@ index e28e912..94024e8 100644
 +
  endif # ASYMMETRIC_KEY_TYPE
 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index 6516855..c099fe1 100644
+index 6516855bec18..c099fe15ed6d 100644
 --- a/crypto/asymmetric_keys/Makefile
 +++ b/crypto/asymmetric_keys/Makefile
 @@ -10,6 +10,7 @@ asymmetric_keys-y := \
@@ -47,7 +47,7 @@ index 6516855..c099fe1 100644
  # X.509 Certificate handling
 diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
 new file mode 100644
-index 0000000..636feb1
+index 000000000000..636feb18b733
 --- /dev/null
 +++ b/crypto/asymmetric_keys/efi_parser.c
 @@ -0,0 +1,108 @@
@@ -160,10 +160,10 @@ index 0000000..636feb1
 +	return 0;
 +}
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index b80227a..18443e3 100644
+index 8c274b4ea8e6..ff1877145aa4 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -1050,6 +1050,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
+@@ -1044,6 +1044,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
  char * __init efi_md_typeattr_format(char *buf, size_t size,
  				     const efi_memory_desc_t *md);
  

Add-option-to-automatically-enforce-module-signature.patch

@@ -1,7 +1,8 @@
-From 8802c7e62531b3867580068ee8b50415b966d22c Mon Sep 17 00:00:00 2001
+From 0000dc9edd5997cc49b8893a9d5407f89dfa1307 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 10/20] Add option to automatically enforce module signatures when in Secure Boot mode
+Subject: [PATCH] Add option to automatically enforce module signatures when in
+ Secure Boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
 only load signed bootloaders and kernels. Certain use cases may also
@@ -11,16 +12,16 @@ that enforces this automatically when enabled.
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
 ---
  Documentation/x86/zero-page.txt       |  2 ++
- arch/x86/Kconfig                      | 10 ++++++
+ arch/x86/Kconfig                      | 11 ++++++
  arch/x86/boot/compressed/eboot.c      | 66 +++++++++++++++++++++++++++++++++++
  arch/x86/include/uapi/asm/bootparam.h |  3 +-
  arch/x86/kernel/setup.c               |  6 ++++
  include/linux/module.h                |  6 ++++
  kernel/module.c                       |  7 ++++
- 7 files changed, 99 insertions(+), 1 deletion(-)
+ 7 files changed, 100 insertions(+), 1 deletion(-)
 
 diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
-index 95a4d34..b8527c6 100644
+index 95a4d34af3fd..b8527c6b7646 100644
 --- a/Documentation/x86/zero-page.txt
 +++ b/Documentation/x86/zero-page.txt
 @@ -31,6 +31,8 @@ Offset	Proto	Name		Meaning
@@ -33,15 +34,16 @@ index 95a4d34..b8527c6 100644
  290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
  2D0/A00	ALL	e820_map	E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 2dc18605..a701d09 100644
+index 0a7b885964ba..29b8ba9ae713 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1785,6 +1785,16 @@ config EFI_MIXED
+@@ -1776,6 +1776,17 @@ config EFI_MIXED
  
  	   If unsure, say N.
  
 +config EFI_SECURE_BOOT_SIG_ENFORCE
-+        def_bool n
++	def_bool n
++	depends on EFI
 +	prompt "Force module signing when UEFI Secure Boot is enabled"
 +	---help---
 +	  UEFI Secure Boot provides a mechanism for ensuring that the
@@ -54,7 +56,7 @@ index 2dc18605..a701d09 100644
  	def_bool y
  	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 52fef60..6b8b9a7 100644
+index 52fef606bc54..6b8b9a775b46 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -12,6 +12,7 @@
@@ -145,7 +147,7 @@ index 52fef60..6b8b9a7 100644
  
  	setup_efi_pci(boot_params);
 diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index 3292543..b61f853 100644
+index c18ce67495fa..2b3e5427097b 100644
 --- a/arch/x86/include/uapi/asm/bootparam.h
 +++ b/arch/x86/include/uapi/asm/bootparam.h
 @@ -134,7 +134,8 @@ struct boot_params {
@@ -159,10 +161,10 @@ index 3292543..b61f853 100644
  	 * The sentinel is set to a nonzero value (0xff) in header.S.
  	 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 2367ae0..1a78bf7 100644
+index c4e7b3991b60..bdb9881c7afd 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1146,6 +1146,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p)
  
  	io_delay_init();
  
@@ -176,7 +178,7 @@ index 2367ae0..1a78bf7 100644
  	 * Parse the ACPI tables for possible boot-time SMP configuration.
  	 */
 diff --git a/include/linux/module.h b/include/linux/module.h
-index ab13009..e072b84 100644
+index 082298a09df1..38d0597f7615 100644
 --- a/include/linux/module.h
 +++ b/include/linux/module.h
 @@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
@@ -193,10 +195,10 @@ index ab13009..e072b84 100644
  
  extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 392ac8c..676c578 100644
+index 3c384968f553..ea484f3a35b2 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4081,6 +4081,13 @@ void module_layout(struct module *mod,
+@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod,
  EXPORT_SYMBOL(module_layout);
  #endif
  

Add-sysrq-option-to-disable-secure-boot-mode.patch

@@ -1,7 +1,7 @@
-From 16d2ba5d5bc46e67e6aa7a3d113fbcc18c217388 Mon Sep 17 00:00:00 2001
+From e27a9a98dcf3ff95568593026da065a72ad21b92 Mon Sep 17 00:00:00 2001
 From: Kyle McMartin <kyle@redhat.com>
 Date: Fri, 30 Aug 2013 09:28:51 -0400
-Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode
+Subject: [PATCH 9/9] Add sysrq option to disable secure boot mode
 
 Bugzilla: N/A
 Upstream-status: Fedora mustard
@@ -16,7 +16,7 @@ Upstream-status: Fedora mustard
  7 files changed, 64 insertions(+), 9 deletions(-)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index f93826b8522c..41679b1aca83 100644
+index a666b6c29c77..7732c769937b 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -70,6 +70,11 @@
@@ -31,7 +31,7 @@ index f93826b8522c..41679b1aca83 100644
  #include <video/edid.h>
  
  #include <asm/mtrr.h>
-@@ -1261,6 +1266,37 @@ void __init i386_reserve_resources(void)
+@@ -1286,6 +1291,37 @@ void __init i386_reserve_resources(void)
  
  #endif /* CONFIG_X86_32 */
  
@@ -70,10 +70,10 @@ index f93826b8522c..41679b1aca83 100644
  	.notifier_call = dump_kernel_offset
  };
 diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
-index 345df9b03aed..dea6a6c4a39b 100644
+index abe1a927b332..f4126fcec10c 100644
 --- a/drivers/input/misc/uinput.c
 +++ b/drivers/input/misc/uinput.c
-@@ -364,6 +364,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
+@@ -379,6 +379,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
  	if (!udev->dev)
  		return -ENOMEM;
  
@@ -82,10 +82,10 @@ index 345df9b03aed..dea6a6c4a39b 100644
  	input_set_drvdata(udev->dev, udev);
  
 diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
-index 95b330a9ea98..dfa3e154a719 100644
+index e5139402e7f8..5ef2e04a03ad 100644
 --- a/drivers/tty/sysrq.c
 +++ b/drivers/tty/sysrq.c
-@@ -472,6 +472,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
+@@ -478,6 +478,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
  	/* x: May be registered on mips for TLB dump */
  	/* x: May be registered on ppc/powerpc for xmon */
  	/* x: May be registered on sparc64 for global PMU dump */
@@ -93,7 +93,7 @@ index 95b330a9ea98..dfa3e154a719 100644
  	NULL,				/* x */
  	/* y: May be registered on sparc64 for global register dump */
  	NULL,				/* y */
-@@ -515,7 +516,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
+@@ -521,7 +522,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
                  sysrq_key_table[i] = op_p;
  }
  
@@ -102,7 +102,7 @@ index 95b330a9ea98..dfa3e154a719 100644
  {
  	struct sysrq_key_op *op_p;
  	int orig_log_level;
-@@ -535,11 +536,15 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -541,11 +542,15 @@ void __handle_sysrq(int key, bool check_mask)
  
          op_p = __sysrq_get_key_op(key);
          if (op_p) {
@@ -119,7 +119,7 @@ index 95b330a9ea98..dfa3e154a719 100644
  			pr_cont("%s\n", op_p->action_msg);
  			console_loglevel = orig_log_level;
  			op_p->handler(key);
-@@ -571,7 +576,7 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -577,7 +582,7 @@ void __handle_sysrq(int key, bool check_mask)
  void handle_sysrq(int key)
  {
  	if (sysrq_on())
@@ -128,7 +128,7 @@ index 95b330a9ea98..dfa3e154a719 100644
  }
  EXPORT_SYMBOL(handle_sysrq);
  
-@@ -652,7 +657,7 @@ static void sysrq_do_reset(unsigned long _state)
+@@ -658,7 +663,7 @@ static void sysrq_do_reset(unsigned long _state)
  static void sysrq_handle_reset_request(struct sysrq_state *state)
  {
  	if (state->reset_requested)
@@ -137,7 +137,7 @@ index 95b330a9ea98..dfa3e154a719 100644
  
  	if (sysrq_reset_downtime_ms)
  		mod_timer(&state->keyreset_timer,
-@@ -803,8 +808,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
+@@ -809,8 +814,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
  
  	default:
  		if (sysrq->active && value && value != 2) {
@@ -149,7 +149,7 @@ index 95b330a9ea98..dfa3e154a719 100644
  		}
  		break;
  	}
-@@ -1084,7 +1091,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
+@@ -1094,7 +1101,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
  
  		if (get_user(c, buf))
  			return -EFAULT;
@@ -159,7 +159,7 @@ index 95b330a9ea98..dfa3e154a719 100644
  
  	return count;
 diff --git a/include/linux/input.h b/include/linux/input.h
-index 82ce323b9986..9e534f228945 100644
+index 1e967694e9a5..2b56c6f9673c 100644
 --- a/include/linux/input.h
 +++ b/include/linux/input.h
 @@ -42,6 +42,7 @@ struct input_value {
@@ -216,7 +216,7 @@ index 387fa7d05c98..4b07e30b3279 100644
  int unregister_sysrq_key(int key, struct sysrq_key_op *op);
  struct sysrq_key_op *__sysrq_get_key_op(int key);
 diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
-index 4121345498e0..0ff3cef5df96 100644
+index 2a20c0dfdafc..3d17205dab77 100644
 --- a/kernel/debug/kdb/kdb_main.c
 +++ b/kernel/debug/kdb/kdb_main.c
 @@ -1968,7 +1968,7 @@ static int kdb_sr(int argc, const char **argv)
@@ -229,10 +229,10 @@ index 4121345498e0..0ff3cef5df96 100644
  
  	return 0;
 diff --git a/kernel/module.c b/kernel/module.c
-index 2b403ab0ef29..7818c110e95c 100644
+index ea484f3a35b2..84b00659b0ee 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -292,7 +292,7 @@ static void module_assert_mutex_or_preempt(void)
+@@ -269,7 +269,7 @@ static void module_assert_mutex_or_preempt(void)
  #endif
  }
  
@@ -242,5 +242,5 @@ index 2b403ab0ef29..7818c110e95c 100644
  module_param(sig_enforce, bool_enable_only, 0644);
  #endif /* !CONFIG_MODULE_SIG_FORCE */
 -- 
-2.4.3
+2.5.5
 

KEYS-Add-a-system-blacklist-keyring.patch

@@ -1,7 +1,7 @@
-From f630ce576114bfede02d8a0bafa97e4d6f978a74 Mon Sep 17 00:00:00 2001
+From 096da19de900a115ee3610b666ecb7e55926623d Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 26 Oct 2012 12:36:24 -0400
-Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
+Subject: [PATCH 6/9] KEYS: Add a system blacklist keyring
 
 This adds an additional keyring that is used to store certificates that
 are blacklisted.  This keyring is searched first when loading signed modules
@@ -10,52 +10,48 @@ useful in cases where third party certificates are used for module signing.
 
 Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 ---
- certs/system_keyring.c        | 27 +++++++++++++++++++++++++++
+ certs/system_keyring.c        | 22 ++++++++++++++++++++++
  include/keys/system_keyring.h |  4 ++++
  init/Kconfig                  |  9 +++++++++
- 3 files changed, 40 insertions(+)
+ 3 files changed, 35 insertions(+)
 
 diff --git a/certs/system_keyring.c b/certs/system_keyring.c
-index 2570598b784d..53733822993f 100644
+index 50979d6dcecd..787eeead2f57 100644
 --- a/certs/system_keyring.c
 +++ b/certs/system_keyring.c
-@@ -20,6 +20,9 @@
- 
- struct key *system_trusted_keyring;
- EXPORT_SYMBOL_GPL(system_trusted_keyring);
+@@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys;
+ #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+ static struct key *secondary_trusted_keys;
+ #endif
 +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 +struct key *system_blacklist_keyring;
 +#endif
  
  extern __initconst const u8 system_certificate_list[];
  extern __initconst const unsigned long system_certificate_list_size;
-@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
- 		panic("Can't allocate system trusted keyring\n");
- 
- 	set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
-+
-+	#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+@@ -99,6 +102,16 @@ static __init int system_trusted_keyring_init(void)
+ 	if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
+ 		panic("Can't link trusted keyrings\n");
+ #endif
++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 +	system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
-+				    KUIDT_INIT(0), KGIDT_INIT(0),
-+				    current_cred(),
-+				    (KEY_POS_ALL & ~KEY_POS_SETATTR) |
-+				    KEY_USR_VIEW | KEY_USR_READ,
-+				    KEY_ALLOC_NOT_IN_QUOTA, NULL);
++			KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
++			((KEY_POS_ALL & ~KEY_POS_SETATTR) |
++			 KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
++			KEY_ALLOC_NOT_IN_QUOTA,
++			NULL, NULL);
 +	if (IS_ERR(system_blacklist_keyring))
 +		panic("Can't allocate system blacklist keyring\n");
-+
-+	set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags);
 +#endif
-+
+ 
  	return 0;
  }
- 
-@@ -138,6 +155,16 @@ int system_verify_data(const void *data, unsigned long len,
- 	if (ret < 0)
- 		goto error;
- 
+@@ -214,6 +227,15 @@ int verify_pkcs7_signature(const void *data, size_t len,
+ 		trusted_keys = builtin_trusted_keys;
+ #endif
+ 	}
 +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+	ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted);
++	ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring);
 +	if (!ret) {
 +		/* module is signed with a cert in the blacklist.  reject */
 +		pr_err("Module key is in the blacklist\n");
@@ -63,30 +59,29 @@ index 2570598b784d..53733822993f 100644
 +		goto error;
 +	}
 +#endif
-+
- 	ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
- 	if (ret < 0)
- 		goto error;
+ 	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
+ 	if (ret < 0) {
+ 		if (ret == -ENOKEY)
 diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index b20cd885c1fd..51d8ddc60e0f 100644
+index fbd4647767e9..5bc291a3d261 100644
 --- a/include/keys/system_keyring.h
 +++ b/include/keys/system_keyring.h
-@@ -35,6 +35,10 @@ extern int system_verify_data(const void *data, unsigned long len,
- 			      enum key_being_used_for usage);
+@@ -33,6 +33,10 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
+ #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
  #endif
  
 +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 +extern struct key *system_blacklist_keyring;
 +#endif
 +
- #ifdef CONFIG_IMA_MOK_KEYRING
- extern struct key *ima_mok_keyring;
+ #ifdef CONFIG_IMA_BLACKLIST_KEYRING
  extern struct key *ima_blacklist_keyring;
+ 
 diff --git a/init/Kconfig b/init/Kconfig
-index 02da9f1fd9df..782d26f02885 100644
+index a9c4aefd5436..e5449d5aeff9 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1783,6 +1783,15 @@ config SYSTEM_DATA_VERIFICATION
+@@ -1829,6 +1829,15 @@ config SYSTEM_DATA_VERIFICATION
  	  module verification, kexec image verification and firmware blob
  	  verification.
  
@@ -103,5 +98,5 @@ index 02da9f1fd9df..782d26f02885 100644
  	bool "Profiling support"
  	help
 -- 
-2.4.3
+2.5.5
 

MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch

@@ -1,4 +1,4 @@
-From 2246a781c8dbb1207a0b0abbfae201f998c3954b Mon Sep 17 00:00:00 2001
+From ba2b209daf984514229626803472e0b055832345 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 26 Oct 2012 12:42:16 -0400
 Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
@@ -18,18 +18,56 @@ signed with those from loading.
 
 Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 ---
- include/linux/efi.h   |  6 ++++
- init/Kconfig          |  9 +++++
- kernel/Makefile       |  3 ++
- kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 110 insertions(+)
+ certs/system_keyring.c        | 13 ++++++
+ include/keys/system_keyring.h |  1 +
+ include/linux/efi.h           |  6 +++
+ init/Kconfig                  |  9 ++++
+ kernel/Makefile               |  3 ++
+ kernel/modsign_uefi.c         | 99 +++++++++++++++++++++++++++++++++++++++++++
+ 6 files changed, 131 insertions(+)
  create mode 100644 kernel/modsign_uefi.c
 
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index 787eeead2f57..4d9123ed5c07 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -30,6 +30,19 @@ extern __initconst const u8 system_certificate_list[];
+ extern __initconst const unsigned long system_certificate_list_size;
+ 
+ /**
++ * get_system_keyring - Return a pointer to the system keyring
++ *
++ */
++struct key *get_system_keyring(void)
++{
++	struct key *system_keyring = NULL;
++
++	system_keyring = builtin_trusted_keys;
++	return system_keyring;
++}
++EXPORT_SYMBOL_GPL(get_system_keyring);
++
++/**
+  * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
+  *
+  * Restrict the addition of keys into a keyring based on the key-to-be-added
+diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
+index 5bc291a3d261..56ff5715ab67 100644
+--- a/include/keys/system_keyring.h
++++ b/include/keys/system_keyring.h
+@@ -36,6 +36,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
+ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ extern struct key *system_blacklist_keyring;
+ #endif
++extern struct key *get_system_keyring(void);
+ 
+ #ifdef CONFIG_IMA_BLACKLIST_KEYRING
+ extern struct key *ima_blacklist_keyring;
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 85ef051ac6fb..a042b2ece788 100644
+index ff1877145aa4..2483de19c719 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -600,6 +600,12 @@ typedef struct {
+@@ -658,6 +658,12 @@ typedef struct {
  	u64 table;
  } efi_config_table_64_t;
  
@@ -43,10 +81,10 @@ index 85ef051ac6fb..a042b2ece788 100644
  	efi_guid_t guid;
  	u32 table;
 diff --git a/init/Kconfig b/init/Kconfig
-index 02da9f1fd9df..90c73a0564b1 100644
+index e5449d5aeff9..5408c96f6604 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1924,6 +1924,15 @@ config MODULE_SIG_ALL
+@@ -1979,6 +1979,15 @@ config MODULE_SIG_ALL
  comment "Do not forget to sign required modules with scripts/sign-file"
  	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
  
@@ -63,10 +101,10 @@ index 02da9f1fd9df..90c73a0564b1 100644
  	prompt "Which hash algorithm should modules be signed with?"
  	depends on MODULE_SIG
 diff --git a/kernel/Makefile b/kernel/Makefile
-index d4988410b410..55e886239e7e 100644
+index e2ec54e2b952..8dab549985d8 100644
 --- a/kernel/Makefile
 +++ b/kernel/Makefile
-@@ -47,6 +47,7 @@ endif
+@@ -57,6 +57,7 @@ endif
  obj-$(CONFIG_UID16) += uid16.o
  obj-$(CONFIG_MODULES) += module.o
  obj-$(CONFIG_MODULE_SIG) += module_signing.o
@@ -74,7 +112,7 @@ index d4988410b410..55e886239e7e 100644
  obj-$(CONFIG_KALLSYMS) += kallsyms.o
  obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
  obj-$(CONFIG_KEXEC_CORE) += kexec_core.o
-@@ -103,6 +104,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
+@@ -113,6 +114,8 @@ obj-$(CONFIG_MEMBARRIER) += membarrier.o
  
  obj-$(CONFIG_HAS_IOMEM) += memremap.o
  
@@ -85,10 +123,10 @@ index d4988410b410..55e886239e7e 100644
  # config_data.h contains the same information as ikconfig.h but gzipped.
 diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
 new file mode 100644
-index 000000000000..94b0eb38a284
+index 000000000000..fe4a6f2bf10a
 --- /dev/null
 +++ b/kernel/modsign_uefi.c
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,99 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/cred.h>
@@ -139,11 +177,18 @@ index 000000000000..94b0eb38a284
 +	void *db = NULL, *dbx = NULL, *mok = NULL;
 +	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
 +	int rc = 0;
++	struct key *keyring = NULL;
 +
 +	/* Check if SB is enabled and just return if not */
 +	if (!efi_enabled(EFI_SECURE_BOOT))
 +		return 0;
 +
++	keyring = get_system_keyring();
++	if (!keyring) {
++		pr_err("MODSIGN: Couldn't get system keyring\n");
++		return -EINVAL;
++	}
++
 +	/* Get db, MokListRT, and dbx.  They might not exist, so it isn't
 +	 * an error if we can't get them.
 +	 */
@@ -151,7 +196,7 @@ index 000000000000..94b0eb38a284
 +	if (!db) {
 +		pr_err("MODSIGN: Couldn't get UEFI db list\n");
 +	} else {
-+		rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
++		rc = parse_efi_signature_list(db, dbsize, keyring);
 +		if (rc)
 +			pr_err("Couldn't parse db signatures: %d\n", rc);
 +		kfree(db);
@@ -161,7 +206,7 @@ index 000000000000..94b0eb38a284
 +	if (!mok) {
 +		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
 +	} else {
-+		rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
++		rc = parse_efi_signature_list(mok, moksize, keyring);
 +		if (rc)
 +			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
 +		kfree(mok);
@@ -182,5 +227,5 @@ index 000000000000..94b0eb38a284
 +}
 +late_initcall(load_uefi_certs);
 -- 
-2.4.3
+2.5.5
 

MODSIGN-Support-not-importing-certs-from-db.patch

@@ -1,7 +1,7 @@
-From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001
+From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Thu, 3 Oct 2013 10:14:23 -0400
-Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
+Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db
 
 If a user tells shim to not use the certs/hashes in the UEFI db variable
 for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 31 insertions(+), 9 deletions(-)
 
 diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
-index 94b0eb38a284..ae28b974d49a 100644
+index 03f601a0052c..321c79a3b282 100644
 --- a/kernel/modsign_uefi.c
 +++ b/kernel/modsign_uefi.c
 @@ -8,6 +8,23 @@
@@ -41,16 +41,18 @@ index 94b0eb38a284..ae28b974d49a 100644
  static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
  {
  	efi_status_t status;
-@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
+@@ -47,7 +64,7 @@ static int __init load_uefi_certs(void)
  	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
  	void *db = NULL, *dbx = NULL, *mok = NULL;
  	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
 -	int rc = 0;
 +	int ignore_db, rc = 0;
+ 	struct key *keyring = NULL;
  
  	/* Check if SB is enabled and just return if not */
- 	if (!efi_enabled(EFI_SECURE_BOOT))
- 		return 0;
+@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void)
+ 		return -EINVAL;
+ 	}
  
 +	/* See if the user has setup Ignore DB mode */
 +	ignore_db = check_ignore_db();
@@ -62,7 +64,7 @@ index 94b0eb38a284..ae28b974d49a 100644
 -	if (!db) {
 -		pr_err("MODSIGN: Couldn't get UEFI db list\n");
 -	} else {
--		rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+-		rc = parse_efi_signature_list(db, dbsize, keyring);
 -		if (rc)
 -			pr_err("Couldn't parse db signatures: %d\n", rc);
 -		kfree(db);
@@ -71,7 +73,7 @@ index 94b0eb38a284..ae28b974d49a 100644
 +		if (!db) {
 +			pr_err("MODSIGN: Couldn't get UEFI db list\n");
 +		} else {
-+			rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
++			rc = parse_efi_signature_list(db, dbsize, keyring);
 +			if (rc)
 +				pr_err("Couldn't parse db signatures: %d\n", rc);
 +			kfree(db);
@@ -80,5 +82,5 @@ index 94b0eb38a284..ae28b974d49a 100644
  
  	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
 -- 
-2.4.3
+2.5.5
 

config-arm-generic

@@ -116,6 +116,7 @@ CONFIG_ROCKCHIP_SARADC=m
 CONFIG_ROCKCHIP_IOMMU=y
 CONFIG_ROCKCHIP_THERMAL=m
 CONFIG_DRM_ROCKCHIP=m
+CONFIG_ROCKCHIP_ANALOGIX_DP=m
 CONFIG_ROCKCHIP_DW_HDMI=m
 CONFIG_ROCKCHIP_DW_MIPI_DSI=y
 CONFIG_ROCKCHIP_INNO_HDMI=m

config-arm64

@@ -159,6 +159,8 @@ CONFIG_PHY_HI6220_USB=m
 CONFIG_COMMON_RESET_HI6220=m
 CONFIG_HI6220_MBOX=m
 # CONFIG_RESET_HISI is not set
+CONFIG_DRM_HISI_KIRIN=m
+CONFIG_HISI_KIRIN_DW_DSI=m
 
 # Tegra
 CONFIG_ARCH_TEGRA_132_SOC=y

config-armv7

@@ -318,6 +318,8 @@ CONFIG_PHY_QCOM_IPQ806X_SATA=m
 CONFIG_DWMAC_IPQ806X=m
 CONFIG_CRYPTO_DEV_QCE=m
 CONFIG_DRM_MSM=m
+# CONFIG_DRM_MSM_REGISTER_LOGGING is not set 
+CONFIG_DRM_MSM_HDMI_HDCP=y
 CONFIG_USB_EHCI_MSM=m
 CONFIG_MFD_PM8XXX=m
 CONFIG_KEYBOARD_PMIC8XXX=m
@@ -325,7 +327,6 @@ CONFIG_INPUT_PM8XXX_VIBRATOR=m
 CONFIG_INPUT_PMIC8XXX_PWRKEY=m
 CONFIG_INPUT_PM8941_PWRKEY=m
 CONFIG_RTC_DRV_PM8XXX=m
-# CONFIG_DRM_MSM_REGISTER_LOGGING is not set 
 CONFIG_QCOM_WDT=m
 CONFIG_MFD_SPMI_PMIC=m
 CONFIG_SPMI=m

config-armv7-generic

@@ -206,6 +206,7 @@ CONFIG_MACH_SUN8I=y
 CONFIG_SUNXI_SRAM=y
 CONFIG_DMA_SUN4I=m
 CONFIG_DMA_SUN6I=m
+CONFIG_DRM_SUN4I=m
 CONFIG_SUNXI_WATCHDOG=m
 CONFIG_NET_VENDOR_ALLWINNER=y
 CONFIG_RTC_DRV_SUNXI=m

config-generic

@@ -598,6 +598,7 @@ CONFIG_ATA_BMDMA=y
 CONFIG_ATA_VERBOSE_ERROR=y
 CONFIG_ATA_SFF=y
 CONFIG_ATA_PIIX=y
+# CONFIG_SATA_DWC is not set
 # CONFIG_SATA_HIGHBANK is not set
 CONFIG_ATA_ACPI=y
 CONFIG_BLK_DEV_SX8=m
@@ -3346,6 +3347,8 @@ CONFIG_VGA_ARB_MAX_GPUS=16
 
 
 CONFIG_DRM=m
+CONFIG_DRM_ANALOGIX_ANX78XX=m
+# CONFIG_DRM_ARCPGU is not set
 CONFIG_DRM_DP_AUX_CHARDEV=y
 CONFIG_DRM_FBDEV_EMULATION=y
 CONFIG_DRM_LOAD_EDID_FIRMWARE=y
@@ -3359,6 +3362,7 @@ CONFIG_DRM_AMDGPU=m
 CONFIG_DRM_AMD_ACP=y
 # CONFIG_DRM_AMDGPU_CIK is not set
 CONFIG_DRM_AMDGPU_USERPTR=y
+# CONFIG_DRM_AMDGPU_GART_DEBUGFS is not set
 CONFIG_DRM_AMD_POWERPLAY=y
 # CONFIG_DRM_I810 is not set
 # CONFIG_DRM_MGA is not set

config-powerpc64-generic

@@ -56,7 +56,7 @@ CONFIG_PPC_64K_PAGES=y
 CONFIG_PPC_SUBPAGE_PROT=y
 CONFIG_SCHED_SMT=y
 CONFIG_MEMORY_HOTPLUG=y
-# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
 CONFIG_MEMORY_HOTREMOVE=y
 CONFIG_PPC64_SUPPORTS_MEMORY_FAILURE=y
 

config-s390x

@@ -183,7 +183,7 @@ CONFIG_VIRTIO_CONSOLE=y
 
 CONFIG_MEMORY_HOTPLUG=y
 CONFIG_MEMORY_HOTREMOVE=y
-# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
 CONFIG_CHSC_SCH=m
 
 # drivers/isdn/hardware/mISDN/hfcmulti.c:5255:2: error: #error "not running on big endian machines now"

config-x86-generic

@@ -361,7 +361,6 @@ CONFIG_DMI_SYSFS=y
 CONFIG_ISCSI_IBFT_FIND=y
 CONFIG_ISCSI_IBFT=m
 
-CONFIG_DMADEVICES=y
 CONFIG_INTEL_IOATDMA=m
 CONFIG_INTEL_IDMA64=m
 

config-x86_64-generic

@@ -117,7 +117,7 @@ CONFIG_SPARSEMEM_EXTREME=y
 CONFIG_SPARSEMEM_VMEMMAP=y
 # CONFIG_MOVABLE_NODE is not set
 CONFIG_MEMORY_HOTPLUG=y
-# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
 # CONFIG_ARCH_MEMORY_PROBE is not set
 CONFIG_MEMORY_HOTREMOVE=y
 # CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set 
@@ -223,8 +223,12 @@ CONFIG_CMA_AREAS=7
 CONFIG_ZONE_DMA=y
 CONFIG_ZONE_DEVICE=y
 CONFIG_NVDIMM_PFN=y
+CONFIG_NVDIMM_DAX=y
 CONFIG_ND_PFN=m
 
+CONFIG_DEV_DAX=m
+CONFIG_DEV_DAX_PMEM=m
+
 # Staging
 CONFIG_STAGING_RDMA=y
 CONFIG_INFINIBAND_HFI1=m

drm-i915-hush-check-crtc-state.patch

@@ -1,4 +1,4 @@
-From 02f47b49ab1cdbe62ceb71b658e2c469799ae368 Mon Sep 17 00:00:00 2001
+From 5550f20b5f9becb485fb3a67bf0193025d40bc6f Mon Sep 17 00:00:00 2001
 From: Adam Jackson <ajax@redhat.com>
 Date: Wed, 13 Nov 2013 10:17:24 -0500
 Subject: [PATCH] drm/i915: hush check crtc state
@@ -15,18 +15,18 @@ Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/0
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index ca9278be49f7..308ac0539a87 100644
+index 46f9be3ad5a2..ad2e62e4cdba 100644
 --- a/drivers/gpu/drm/i915/intel_display.c
 +++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -12688,7 +12688,7 @@ check_crtc_state(struct drm_device *dev, struct drm_atomic_state *old_state)
- 		sw_config = to_intel_crtc_state(crtc->state);
- 		if (!intel_pipe_config_compare(dev, sw_config,
- 					       pipe_config, false)) {
--			I915_STATE_WARN(1, "pipe state doesn't match!\n");
-+			DRM_DEBUG_KMS("pipe state doesn't match!\n");
- 			intel_dump_pipe_config(intel_crtc, pipe_config,
- 					       "[hw state]");
- 			intel_dump_pipe_config(intel_crtc, sw_config,
+@@ -12970,7 +12970,7 @@ verify_crtc_state(struct drm_crtc *crtc,
+ 	sw_config = to_intel_crtc_state(crtc->state);
+ 	if (!intel_pipe_config_compare(dev, sw_config,
+ 				       pipe_config, false)) {
+-		I915_STATE_WARN(1, "pipe state doesn't match!\n");
++		DRM_DEBUG_KMS("pipe state doesn't match!\n");
+ 		intel_dump_pipe_config(intel_crtc, pipe_config,
+ 				       "[hw state]");
+ 		intel_dump_pipe_config(intel_crtc, sw_config,
 -- 
-2.4.3
+2.5.5
 

efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,7 +1,7 @@
-From c01ff700ea4192ae04b306fef725d62189550236 Mon Sep 17 00:00:00 2001
+From 04e65e01058ed6357b932e64b19e4bf762f04970 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 2/9] efi: Add EFI_SECURE_BOOT bit
 
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 for use with efi_enabled.
@@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  2 files changed, 3 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index f3b804f..a401ff8 100644
+index bdb9881c7afd..a666b6c29c77 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1145,7 +1145,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p)
  
  #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
  	if (boot_params.secure_boot) {
@@ -27,10 +27,10 @@ index f3b804f..a401ff8 100644
  #endif
  
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 569b5a8..4dc970e 100644
+index c2db3ca22217..8cb38cfcba74 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -980,6 +980,7 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *);
  #define EFI_ARCH_1		7	/* First arch-specific bit */
  #define EFI_DBG			8	/* Print additional debug info at runtime */
  #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
@@ -39,5 +39,5 @@ index 569b5a8..4dc970e 100644
  #ifdef CONFIG_EFI
  /*
 -- 
-2.5.0
+2.5.5
 

efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch

@@ -1,7 +1,7 @@
-From 9ef94251448aa463c5937ee8e8e27d6fd9529509 Mon Sep 17 00:00:00 2001
+From 0a5c52b9eb4918fb2bee43bacc3521b574334cff Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH 11/20] efi: Disable secure boot if shim is in insecure mode
+Subject: [PATCH 1/9] efi: Disable secure boot if shim is in insecure mode
 
 A user can manually tell the shim boot loader to disable validation of
 images it loads.  When a user does this, it creates a UEFI variable called
@@ -15,10 +15,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 19 insertions(+), 1 deletion(-)
 
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index b4de3faa3f29..5cc2ef570390 100644
+index 6b8b9a775b46..b3a5364d31c6 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
-@@ -830,8 +830,9 @@ out:
+@@ -574,8 +574,9 @@ free_handle:
  
  static int get_secure_boot(void)
  {
@@ -29,7 +29,7 @@ index b4de3faa3f29..5cc2ef570390 100644
  	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
  	efi_status_t status;
  
-@@ -855,6 +856,23 @@ static int get_secure_boot(void)
+@@ -599,6 +600,23 @@ static int get_secure_boot(void)
  	if (setup == 1)
  		return 0;
  
@@ -54,5 +54,5 @@ index b4de3faa3f29..5cc2ef570390 100644
  }
  
 -- 
-2.4.3
+2.5.5
 

gitrev

@@ -1 +1 @@
-7639dad93a5564579987abded4ec05e3db13659d
+84787c572d402644dca4874aba73324d9f8e3948

hibernate-Disable-in-a-signed-modules-environment.patch

@@ -1,7 +1,7 @@
-From 51abecb00c48941cc3db19701cc73e65082924bb Mon Sep 17 00:00:00 2001
+From e07815cf02eadb245fa60359133b122f9ffe9045 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment
+Subject: [PATCH 3/9] hibernate: Disable in a signed modules environment
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index 690f78f210f2..037303a1cba9 100644
+index fca9254280ee..ffd8644078b2 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
 @@ -29,6 +29,7 @@
@@ -35,5 +35,5 @@ index 690f78f210f2..037303a1cba9 100644
  
  /**
 -- 
-2.4.3
+2.5.5
 

kernel.spec

@@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 6
+%define gitrev 7
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -553,8 +553,6 @@ Patch482: Add-option-to-automatically-enforce-module-signature.patch
 
 Patch483: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
 
-Patch484: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
-
 Patch485: efi-Add-EFI_SECURE_BOOT-bit.patch
 
 Patch486: hibernate-Disable-in-a-signed-modules-environment.patch
@@ -566,7 +564,7 @@ Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch
 # This doesn't apply. It seems like it could be replaced by
 # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c
 # which has an explicit line about blacklisting
-# Patch489: KEYS-Add-a-system-blacklist-keyring.patch
+Patch489: KEYS-Add-a-system-blacklist-keyring.patch
 
 Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
 
@@ -2135,6 +2133,11 @@ fi
 #
 # 
 %changelog
+* Tue May 24 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.7.0-0.rc0.git7.1
+- Linux v4.6-10203-g84787c572d40
+- Enable CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE (rhbz 1339281)
+- Fixup SB patchset to work with upstream changes
+
 * Mon May 23 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git6.1
 - Linux v4.6-8907-g7639dad
 - trace, f2fs, btrfs, rtc, mailbox, akpm, staging, driver core, char, usb,

sources

@@ -1,3 +1,3 @@
 d2927020e24a76da4ab482a8bc3e9ef3  linux-4.6.tar.xz
 fd23b14b9d474c3dfacb6e8ee82d3a51  perf-man-4.6.tar.gz
-4c4f2eb647eef6e04a1dbb843e4fd72d  patch-4.6-git6.xz
+3dd9be4fbde8316efd366f735a30d1f1  patch-4.6-git7.xz