Linux v5.3-13236-g97f9a3c4eee5

This is a first pass at getting the secureboot patches working with the
upstream lockdown patches that got merged. The final patch from our
lockdown set is the sysrq patch which also needs work. For the present
it is not applied.

0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch

@@ -39,9 +39,9 @@ index 557a47829d0..e8f9c7d84e9 100644
 --- a/drivers/firmware/efi/efi.c
 +++ b/drivers/firmware/efi/efi.c
 @@ -31,6 +31,7 @@
- #include <linux/acpi.h>
  #include <linux/ucs2_string.h>
  #include <linux/memblock.h>
+ #include <linux/security.h>
 +#include <linux/bsearch.h>
  
  #include <asm/early_ioremap.h>

KEYS-Make-use-of-platform-keyring-for-module-signature.patch

@@ -13,42 +13,31 @@ As such, kernel modules signed with keys from the MokList variable
 were not successfully verified.
 
 Signed-off-by: Robert Holmes <robeholmes@gmail.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
 ---
  kernel/module_signing.c | 16 ++++++++++++----
  1 file changed, 12 insertions(+), 4 deletions(-)
 
 diff --git a/kernel/module_signing.c b/kernel/module_signing.c
-index 6b9a926fd86b..cf94220e9154 100644
+index 9d9fc678c91d..84ad75a53c83 100644
 --- a/kernel/module_signing.c
 +++ b/kernel/module_signing.c
-@@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
- {
- 	struct module_signature ms;
- 	size_t sig_len, modlen = info->len;
-+	int ret;
- 
- 	pr_devel("==>%s(,%zu)\n", __func__, modlen);
- 
-@@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
- 		return -EBADMSG;
- 	}
+@@ -38,8 +38,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
+ 	modlen -= sig_len + sizeof(ms);
+ 	info->len = modlen;
  
 -	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
--				      VERIFY_USE_SECONDARY_KEYRING,
--				      VERIFYING_MODULE_SIGNATURE,
--				      NULL, NULL);
 +	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-+				     VERIFY_USE_SECONDARY_KEYRING,
-+				     VERIFYING_MODULE_SIGNATURE,
-+				     NULL, NULL);
+ 				      VERIFY_USE_SECONDARY_KEYRING,
+ 				      VERIFYING_MODULE_SIGNATURE,
+ 				      NULL, NULL);
 +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
 +		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-+					     VERIFY_USE_PLATFORM_KEYRING,
-+					     VERIFYING_MODULE_SIGNATURE,
-+					     NULL, NULL);
++				VERIFY_USE_PLATFORM_KEYRING,
++				VERIFYING_MODULE_SIGNATURE,
++				NULL, NULL);
 +	}
 +	return ret;
  }
 -- 
 2.21.0
-

arm64-qcom-i2c-geni-Disable-DMA-processing-on-the-Lenovo-Yoga-C630.patch

@@ -1,128 +0,0 @@
-From patchwork Thu Sep  5 19:24:12 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Lee Jones <lee.jones@linaro.org>
-X-Patchwork-Id: 11133827
-Return-Path: <SRS0=OmJI=XA=vger.kernel.org=linux-arm-msm-owner@kernel.org>
-Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
- [172.30.200.123])
-	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DDFD514ED
-	for <patchwork-linux-arm-msm@patchwork.kernel.org>;
- Thu,  5 Sep 2019 19:24:19 +0000 (UTC)
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
-	by mail.kernel.org (Postfix) with ESMTP id D540020870
-	for <patchwork-linux-arm-msm@patchwork.kernel.org>;
- Thu,  5 Sep 2019 19:24:19 +0000 (UTC)
-Authentication-Results: mail.kernel.org;
-	dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org
- header.b="j/6kUy9p"
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-        id S1727540AbfIETYS (ORCPT
-        <rfc822;patchwork-linux-arm-msm@patchwork.kernel.org>);
-        Thu, 5 Sep 2019 15:24:18 -0400
-Received: from mail-wr1-f49.google.com ([209.85.221.49]:36821 "EHLO
-        mail-wr1-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
-        with ESMTP id S1726008AbfIETYS (ORCPT
-        <rfc822;linux-arm-msm@vger.kernel.org>);
-        Thu, 5 Sep 2019 15:24:18 -0400
-Received: by mail-wr1-f49.google.com with SMTP id y19so4081592wrd.3
-        for <linux-arm-msm@vger.kernel.org>;
- Thu, 05 Sep 2019 12:24:16 -0700 (PDT)
-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
-        d=linaro.org; s=google;
-        h=from:to:cc:subject:date:message-id;
-        bh=19vbMBbLeKgWt8VsEseKuJu+9+rmeS/Lh0ZhXOFWQYc=;
-        b=j/6kUy9psCaV+YLvz8j0kAZ3/WrmOU3xyh5rDOj0TwK0TnwjLtaLil9Q+C9KpFvvVG
-         h4R8p4cZFB0U4b/PAfc9Xt4p4xJNkAIpTzL4QRjM+nkXdDcYyiwUGkr9BRJnJmO0lyZB
-         zmylqwjRd1oOrTQ1tPvwqUV3OUR5u6WA+rDyhn+A516vskkns0bEICMG787HdDEwjigd
-         +3SR4L9u7swSDpNhqxtfPsn9UFP36sehUfgx32xUcjUhX3ls4RtX+6HCZU+rkeQuILt5
-         0qlmqliIuKXWkQe+ii/gtrK+ulFQ7lEl76YfDJyqXVo4Z357rIhVFAz+mooVn5qpscmU
-         E+xA==
-X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
-        d=1e100.net; s=20161025;
-        h=x-gm-message-state:from:to:cc:subject:date:message-id;
-        bh=19vbMBbLeKgWt8VsEseKuJu+9+rmeS/Lh0ZhXOFWQYc=;
-        b=QjFuCunKeBkoabY9fIsWTo3krapsS69k52eNtOIeLBaCd7M1lvCmItn41DcbJ5ykqT
-         RQ0rnlNq35x9QvKNumPai3fMZp9AWt3KpJpxbpEokltyLbkGUqRWaeYTrOtuV9P9nRmT
-         Yj72UBVzYj4d/G+FGq8EBesWjRyEFC51+RekvPlbRZ/h1fVW7/XAy5cO1ywnHrtNe8pQ
-         7gYQJ3Xh1Y09qkiO0i8iru5PSMTK3U+vPSLWVdFOeqMh+Beins6I9mbKf+UX+xa8ECK3
-         mEFjYxY57YVx+SpaKrmBwEmu9YXLgXqEif1OH1FHFiKZVQ4ABPp19D4+5JOXEV1tCwUS
-         B6Qw==
-X-Gm-Message-State: APjAAAUM7yEkrkGZ+mbleFtCMQGsXfLQSXt2Bd+K6leuP2oAs8Vj1j9k
-        4bsoJvF042q/z9+6bnLlGShjoA==
-X-Google-Smtp-Source: 
- APXvYqyThx0kWliMdrjc7dedZ/+AhabFi7TIc04exnxhWAEkAOh7foRP8Cz8ZjjhxGJCvUyUPA4lFg==
-X-Received: by 2002:adf:ea0c:: with SMTP id q12mr4172788wrm.172.1567711455933;
-        Thu, 05 Sep 2019 12:24:15 -0700 (PDT)
-Received: from localhost.localdomain ([95.147.198.36])
-        by smtp.gmail.com with ESMTPSA id
- q24sm7942378wmc.3.2019.09.05.12.24.14
-        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
-        Thu, 05 Sep 2019 12:24:14 -0700 (PDT)
-From: Lee Jones <lee.jones@linaro.org>
-To: alokc@codeaurora.org, agross@kernel.org, robh+dt@kernel.org,
-        mark.rutland@arm.com, bjorn.andersson@linaro.org, vkoul@kernel.org,
-        wsa@the-dreams.de
-Cc: linux-i2c@vger.kernel.org, linux-arm-msm@vger.kernel.org,
-        devicetree@vger.kernel.org, Lee Jones <lee.jones@linaro.org>
-Subject: [RESEND v3 1/1] i2c: qcom-geni: Disable DMA processing on the Lenovo
- Yoga C630
-Date: Thu,  5 Sep 2019 20:24:12 +0100
-Message-Id: <20190905192412.23116-1-lee.jones@linaro.org>
-X-Mailer: git-send-email 2.17.1
-Sender: linux-arm-msm-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-arm-msm.vger.kernel.org>
-X-Mailing-List: linux-arm-msm@vger.kernel.org
-
-We have a production-level laptop (Lenovo Yoga C630) which is exhibiting
-a rather horrific bug.  When I2C HID devices are being scanned for at
-boot-time the QCom Geni based I2C (Serial Engine) attempts to use DMA.
-When it does, the laptop reboots and the user never sees the OS.
-
-Attempts are being made to debug the reason for the spontaneous reboot.
-No luck so far, hence the requirement for this hot-fix.  This workaround
-will be removed once we have a viable fix.
-
-Signed-off-by: Lee Jones <lee.jones@linaro.org>
----
- drivers/i2c/busses/i2c-qcom-geni.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
-index a89bfce5388e..17abf60c94ae 100644
---- a/drivers/i2c/busses/i2c-qcom-geni.c
-+++ b/drivers/i2c/busses/i2c-qcom-geni.c
-@@ -355,11 +355,13 @@ static int geni_i2c_rx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
- {
- 	dma_addr_t rx_dma;
- 	unsigned long time_left;
--	void *dma_buf;
-+	void *dma_buf = NULL;
- 	struct geni_se *se = &gi2c->se;
- 	size_t len = msg->len;
- 
--	dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
-+	if (!of_machine_is_compatible("lenovo,yoga-c630"))
-+		dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
-+
- 	if (dma_buf)
- 		geni_se_select_mode(se, GENI_SE_DMA);
- 	else
-@@ -394,11 +396,13 @@ static int geni_i2c_tx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
- {
- 	dma_addr_t tx_dma;
- 	unsigned long time_left;
--	void *dma_buf;
-+	void *dma_buf = NULL;
- 	struct geni_se *se = &gi2c->se;
- 	size_t len = msg->len;
- 
--	dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
-+	if (!of_machine_is_compatible("lenovo,yoga-c630"))
-+		dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
-+
- 	if (dma_buf)
- 		geni_se_select_mode(se, GENI_SE_DMA);
- 	else

configs/fedora/generic/CONFIG_IMA_APPRAISE_MODSIG

@@ -0,0 +1 @@
+# CONFIG_IMA_APPRAISE_MODSIG is not set

configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY

@@ -0,0 +1 @@
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set

configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY

@@ -0,0 +1 @@
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set

configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE

@@ -0,0 +1 @@
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y

configs/fedora/generic/CONFIG_OPTIMIZE_INLINING

@@ -1 +1 @@
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y

configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM

@@ -0,0 +1 @@
+CONFIG_SECURITY_LOCKDOWN_LSM=y

configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY

@@ -0,0 +1 @@
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y

configs/fedora/generic/CONFIG_VIRTIO_FS

@@ -0,0 +1 @@
+CONFIG_VIRTIO_FS=m

configs/fedora/generic/arm/CONFIG_IMX7ULP_WDT

@@ -0,0 +1 @@
+# CONFIG_IMX7ULP_WDT is not set

configs/fedora/generic/arm/aarch64/CONFIG_KEXEC_SIG

@@ -0,0 +1 @@
+CONFIG_KEXEC_SIG=y

configs/fedora/generic/s390x/CONFIG_KEXEC_SIG

@@ -0,0 +1 @@
+CONFIG_KEXEC_SIG=y

configs/fedora/generic/x86/x86_64/CONFIG_OPTIMIZE_INLINING

@@ -1 +0,0 @@
-CONFIG_OPTIMIZE_INLINING=y

efi-secureboot.patch

@@ -1,7 +1,109 @@
+From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Mon, 30 Sep 2019 21:22:47 +0000
+Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down
+
+In order to automatically lock down kernels running on UEFI machines
+booted in Secure Boot mode, expose the lock_kernel_down() hook.
+
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ include/linux/lsm_hooks.h    | 8 ++++++++
+ include/linux/security.h     | 5 +++++
+ security/lockdown/lockdown.c | 1 +
+ security/security.c          | 6 ++++++
+ 4 files changed, 20 insertions(+)
+
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index a3763247547c..8d76d1f153ed 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -1454,6 +1454,12 @@
+  *     code execution in kernel space should be permitted.
+  *
+  *     @what: kernel feature being accessed
++ *
++ * @lock_kernel_down
++ *     Put the kernel into lock-down mode.
++ *
++ *     @where: Where the lock-down is originating from (e.g. command line option)
++ *     @level: The lock-down level (can only increase)
+  */
+ union security_list_options {
+ 	int (*binder_set_context_mgr)(struct task_struct *mgr);
+@@ -1818,6 +1824,7 @@ union security_list_options {
+ 	void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
+ #endif /* CONFIG_BPF_SYSCALL */
+ 	int (*locked_down)(enum lockdown_reason what);
++	int (*lock_kernel_down)(const char *where, enum lockdown_reason level);
+ };
+ 
+ struct security_hook_heads {
+@@ -2060,6 +2067,7 @@ struct security_hook_heads {
+ 	struct hlist_head bpf_prog_free_security;
+ #endif /* CONFIG_BPF_SYSCALL */
+ 	struct hlist_head locked_down;
++	struct hlist_head lock_kernel_down;
+ } __randomize_layout;
+ 
+ /*
+diff --git a/include/linux/security.h b/include/linux/security.h
+index a8d59d612d27..467b9ccdf993 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -442,6 +442,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
+ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
+ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+ int security_locked_down(enum lockdown_reason what);
++int security_lock_kernel_down(const char *where, enum lockdown_reason level);
+ #else /* CONFIG_SECURITY */
+ 
+ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
+@@ -1269,6 +1270,10 @@ static inline int security_locked_down(enum lockdown_reason what)
+ {
+ 	return 0;
+ }
++static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level);
++{
++	return 0;
++}
+ #endif	/* CONFIG_SECURITY */
+ 
+ #ifdef CONFIG_SECURITY_NETWORK
+diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
+index 8a10b43daf74..72a623075749 100644
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
+@@ -97,6 +97,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
+ 
+ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
+ 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
++	LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
+ };
+ 
+ static int __init lockdown_lsm_init(void)
+diff --git a/security/security.c b/security/security.c
+index 1bc000f834e2..1506b95427cf 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -2404,3 +2404,9 @@ int security_locked_down(enum lockdown_reason what)
+ 	return call_int_hook(locked_down, 0, what);
+ }
+ EXPORT_SYMBOL(security_locked_down);
++
++int security_lock_kernel_down(const char *where, enum lockdown_reason level)
++{
++	return call_int_hook(lock_kernel_down, 0, where, level);
++}
++EXPORT_SYMBOL(security_lock_kernel_down);
+-- 
+2.21.0
+
+
 From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 27 Feb 2018 10:04:55 +0000
-Subject: [PATCH 29/31] efi: Add an EFI_SECURE_BOOT flag to indicate secure
+Subject: [PATCH 2/3] efi: Add an EFI_SECURE_BOOT flag to indicate secure
  boot mode
 
 UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
@@ -160,119 +262,73 @@ index 21d81021c1f4..758ec061d03b 100644
 2.21.0
 
 
-From d78bf678059f83e22bec8ada1a448e22b9b90203 Mon Sep 17 00:00:00 2001
+From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
-Date: Tue, 27 Feb 2018 10:04:55 +0000
-Subject: [PATCH 30/31] efi: Lock down the kernel if booted in secure boot mode
+Date: Mon, 30 Sep 2019 21:28:16 +0000
+Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode
 
-UEFI Secure Boot provides a mechanism for ensuring that the firmware will
-only load signed bootloaders and kernels.  Certain use cases may also
-require that all kernel modules also be signed.  Add a configuration option
-that to lock down the kernel - which includes requiring validly signed
-modules - if the kernel is secure-booted.
+UEFI Secure Boot provides a mechanism for ensuring that the firmware
+will only load signed bootloaders and kernels.  Certain use cases may
+also require that all kernel modules also be signed.  Add a
+configuration option that to lock down the kernel - which includes
+requiring validly signed modules - if the kernel is secure-booted.
 
 Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-cc: linux-efi@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
 ---
- arch/x86/kernel/setup.c |  6 ++++--
- fs/debugfs/inode.c      |  2 +-
- security/Kconfig        | 14 ++++++++++++++
- security/lock_down.c    |  5 +++++
- 4 files changed, 20 insertions(+), 3 deletions(-)
+ arch/x86/kernel/setup.c   |  8 ++++++++
+ security/lockdown/Kconfig | 13 +++++++++++++
+ 2 files changed, 21 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index adeee6329f55..27a54ec878bd 100644
+index 77ea96b794bd..a119e1bc9623 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -65,6 +65,7 @@
- #include <linux/dma-mapping.h>
- #include <linux/ctype.h>
- #include <linux/uaccess.h>
+@@ -73,6 +73,7 @@
+ #include <linux/jiffies.h>
+ #include <linux/mem_encrypt.h>
+ #include <linux/sizes.h>
 +#include <linux/security.h>
  
- #include <linux/percpu.h>
- #include <linux/crash_dump.h>
-@@ -1005,6 +1006,10 @@ void __init setup_arch(char **cmdline_p)
+ #include <linux/usb/xhci-dbgp.h>
+ #include <video/edid.h>
+@@ -1027,6 +1028,13 @@ void __init setup_arch(char **cmdline_p)
  	if (efi_enabled(EFI_BOOT))
  		efi_init();
  
 +	efi_set_secure_boot(boot_params.secure_boot);
 +
-+	init_lockdown();
++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
++	if (efi_enabled(EFI_SECURE_BOOT))
++		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
++#endif
 +
  	dmi_setup();
  
  	/*
-@@ -1159,8 +1164,6 @@ void __init setup_arch(char **cmdline_p)
- 	/* Allocate bigger log buffer */
- 	setup_log_buf(1);
- 
--	efi_set_secure_boot(boot_params.secure_boot);
--
- 	reserve_initrd();
- 
- 	acpi_table_upgrade();
-diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index ce261e1765ff..7aff55b309a6 100644
---- a/fs/debugfs/inode.c
-+++ b/fs/debugfs/inode.c
-@@ -40,7 +40,7 @@ static bool debugfs_registered;
- static int debugfs_setattr(struct dentry *dentry, struct iattr *ia)
- {
- 	if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) &&
--	    kernel_is_locked_down("debugfs"))
-+	    kernel_is_locked_down("changing perms in debugfs"))
- 		return -EPERM;
- 	return simple_setattr(dentry, ia);
- }
-diff --git a/security/Kconfig b/security/Kconfig
-index 9c343f262bdd..30788bc47863 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -244,6 +244,20 @@ config LOCK_DOWN_KERNEL_FORCE
-           Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
-           combination on a wired keyboard.  On x86, this is SysRq+x.
+diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
+index e84ddf484010..d0501353a4b9 100644
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
+@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
+ 	  subsystem is fully initialised. If enabled, lockdown will
+ 	  unconditionally be called before any other LSMs.
  
 +config LOCK_DOWN_IN_EFI_SECURE_BOOT
 +	bool "Lock down the kernel in EFI Secure Boot mode"
 +	default n
-+	select LOCK_DOWN_KERNEL
-+	depends on EFI
++	depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
 +	help
 +	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
 +	  will only load signed bootloaders and kernels.  Secure boot mode may
 +	  be determined from EFI variables provided by the system firmware if
 +	  not indicated by the boot parameters.
 +
-+	  Enabling this option turns on results in kernel lockdown being
-+	  triggered if EFI Secure Boot is set.
++	  Enabling this option results in kernel lockdown being triggered if
++	  EFI Secure Boot is set.
 +
- source "security/selinux/Kconfig"
- source "security/smack/Kconfig"
- source "security/tomoyo/Kconfig"
-diff --git a/security/lock_down.c b/security/lock_down.c
-index ee00ca2677e7..bb4dc7838f3e 100644
---- a/security/lock_down.c
-+++ b/security/lock_down.c
-@@ -12,6 +12,7 @@
- 
- #include <linux/security.h>
- #include <linux/export.h>
-+#include <linux/efi.h>
- #include <linux/sysrq.h>
- #include <asm/setup.h>
- 
-@@ -44,6 +45,10 @@ void __init init_lockdown(void)
- #ifdef CONFIG_LOCK_DOWN_FORCE
- 	lock_kernel_down("Kernel configuration");
- #endif
-+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
-+	if (efi_enabled(EFI_SECURE_BOOT))
-+		lock_kernel_down("EFI secure boot");
-+#endif
- }
- 
- /**
+ choice
+ 	prompt "Kernel default lockdown mode"
+ 	default LOCK_DOWN_KERNEL_FORCE_NONE
 -- 
-2.14.3
+2.21.0

gitrev

@@ -1 +1 @@
-f41def397161053eb0d3ed6861ef65985efbf293
+97f9a3c4eee55b0178b518ae7114a6a53372913d

iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch

@@ -1,87 +0,0 @@
-From patchwork Tue Sep 24 10:30:57 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Luca Coelho <luca@coelho.fi>
-X-Patchwork-Id: 11158395
-X-Patchwork-Delegate: kvalo@adurom.com
-Return-Path: <SRS0=l3ON=XT=vger.kernel.org=linux-wireless-owner@kernel.org>
-Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
- [172.30.200.123])
-	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 62FF3112B
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Tue, 24 Sep 2019 10:31:06 +0000 (UTC)
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
-	by mail.kernel.org (Postfix) with ESMTP id 4AA4E214D9
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Tue, 24 Sep 2019 10:31:06 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-        id S2409468AbfIXKbF (ORCPT
-        <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
-        Tue, 24 Sep 2019 06:31:05 -0400
-Received: from paleale.coelho.fi ([176.9.41.70]:44742 "EHLO
-        farmhouse.coelho.fi" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
-        with ESMTP id S2387644AbfIXKbF (ORCPT
-        <rfc822;linux-wireless@vger.kernel.org>);
-        Tue, 24 Sep 2019 06:31:05 -0400
-Received: from [91.156.6.193] (helo=redipa.ger.corp.intel.com)
-        by farmhouse.coelho.fi with esmtpsa
- (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
-        (Exim 4.92)
-        (envelope-from <luca@coelho.fi>)
-        id 1iCi63-0005Je-8E; Tue, 24 Sep 2019 13:31:03 +0300
-From: Luca Coelho <luca@coelho.fi>
-To: kvalo@codeaurora.org
-Cc: linux-wireless@vger.kernel.org
-Date: Tue, 24 Sep 2019 13:30:57 +0300
-Message-Id: <20190924103057.17147-1-luca@coelho.fi>
-X-Mailer: git-send-email 2.23.0
-MIME-Version: 1.0
-X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on farmhouse.coelho.fi
-X-Spam-Level: 
-X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00,
-        URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2
-Subject: [PATCH v5.4] iwlwifi: fw: don't send GEO_TX_POWER_LIMIT command to FW
- version 36
-Sender: linux-wireless-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-wireless.vger.kernel.org>
-X-Mailing-List: linux-wireless@vger.kernel.org
-
-From: Luca Coelho <luciano.coelho@intel.com>
-
-The intention was to have the GEO_TX_POWER_LIMIT command in FW version
-36 as well, but not all 8000 family got this feature enabled.  The
-8000 family is the only one using version 36, so skip this version
-entirely.  If we try to send this command to the firmwares that do not
-support it, we get a BAD_COMMAND response from the firmware.
-
-This fixes https://bugzilla.kernel.org/show_bug.cgi?id=204151.
-
-Cc: stable@vger.kernel.org # 4.19+
-Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
----
- drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
-index 014eca6596e2..32a5e4e5461f 100644
---- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
-+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
-@@ -889,11 +889,13 @@ static bool iwl_mvm_sar_geo_support(struct iwl_mvm *mvm)
- 	 * firmware versions.  Unfortunately, we don't have a TLV API
- 	 * flag to rely on, so rely on the major version which is in
- 	 * the first byte of ucode_ver.  This was implemented
--	 * initially on version 38 and then backported to 36, 29 and
--	 * 17.
-+	 * initially on version 38 and then backported to29 and 17.
-+	 * The intention was to have it in 36 as well, but not all
-+	 * 8000 family got this feature enabled.  The 8000 family is
-+	 * the only one using version 36, so skip this version
-+	 * entirely.
- 	 */
- 	return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 38 ||
--	       IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36 ||
- 	       IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 29 ||
- 	       IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 17;
- }

kernel-aarch64-debug.config

@@ -2456,6 +2456,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2477,6 +2478,7 @@ CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 CONFIG_IMX2_WDT=m
 CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
 # CONFIG_IMX_DMA is not set
 # CONFIG_IMX_DSP is not set
 CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -2928,6 +2930,7 @@ CONFIG_KERNEL_MODE_NEON=y
 # CONFIG_KERNEL_UNCOMPRESSED is not set
 # CONFIG_KERNEL_XZ is not set
 # CONFIG_KEXEC_FILE is not set
+CONFIG_KEXEC_SIG=y
 CONFIG_KEXEC=y
 CONFIG_KEYBOARD_ADC=m
 # CONFIG_KEYBOARD_ADP5588 is not set
@@ -3122,6 +3125,9 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL is not set
 CONFIG_LOCKD_V4=y
 CONFIG_LOCK_EVENT_COUNTS=y
@@ -4310,7 +4316,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
 CONFIG_OPT3001=m
 CONFIG_OPTEE=m
 CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@@ -5374,6 +5380,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -7154,6 +7162,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-aarch64.config

@@ -2440,6 +2440,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2461,6 +2462,7 @@ CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 CONFIG_IMX2_WDT=m
 CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
 # CONFIG_IMX_DMA is not set
 # CONFIG_IMX_DSP is not set
 CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -2910,6 +2912,7 @@ CONFIG_KERNEL_MODE_NEON=y
 # CONFIG_KERNEL_UNCOMPRESSED is not set
 # CONFIG_KERNEL_XZ is not set
 # CONFIG_KEXEC_FILE is not set
+CONFIG_KEXEC_SIG=y
 CONFIG_KEXEC=y
 CONFIG_KEYBOARD_ADC=m
 # CONFIG_KEYBOARD_ADP5588 is not set
@@ -3104,6 +3107,9 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL is not set
 CONFIG_LOCKD_V4=y
 # CONFIG_LOCK_EVENT_COUNTS is not set
@@ -4290,7 +4296,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
 CONFIG_OPT3001=m
 CONFIG_OPTEE=m
 CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@@ -5353,6 +5359,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -7132,6 +7140,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-armv7hl-debug.config

@@ -2482,6 +2482,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2503,6 +2504,7 @@ CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 CONFIG_IMX2_WDT=m
 CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
 # CONFIG_IMX_DMA is not set
 # CONFIG_IMX_DSP is not set
 CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -3162,6 +3164,9 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL is not set
 CONFIG_LOCKD_V4=y
 CONFIG_LOCK_EVENT_COUNTS=y
@@ -4419,7 +4424,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
 CONFIG_OPT3001=m
 CONFIG_OPTEE=m
 CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@@ -5512,6 +5517,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 # CONFIG_SECURITY_INFINIBAND is not set
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -7466,6 +7473,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-armv7hl-lpae-debug.config

@@ -2399,6 +2399,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2420,6 +2421,7 @@ CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 CONFIG_IMX2_WDT=m
 CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
 # CONFIG_IMX_DMA is not set
 # CONFIG_IMX_DSP is not set
 CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -3061,6 +3063,9 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL is not set
 CONFIG_LOCKD_V4=y
 CONFIG_LOCK_EVENT_COUNTS=y
@@ -4255,7 +4260,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
 CONFIG_OPT3001=m
 CONFIG_OPTEE=m
 CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@@ -5265,6 +5270,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 # CONFIG_SECURITY_INFINIBAND is not set
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -7092,6 +7099,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-armv7hl-lpae.config

@@ -2384,6 +2384,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2405,6 +2406,7 @@ CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 CONFIG_IMX2_WDT=m
 CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
 # CONFIG_IMX_DMA is not set
 # CONFIG_IMX_DSP is not set
 CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -3044,6 +3046,9 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL is not set
 CONFIG_LOCKD_V4=y
 # CONFIG_LOCK_EVENT_COUNTS is not set
@@ -4236,7 +4241,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
 CONFIG_OPT3001=m
 CONFIG_OPTEE=m
 CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@@ -5245,6 +5250,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 # CONFIG_SECURITY_INFINIBAND is not set
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -7071,6 +7078,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-armv7hl.config

@@ -2467,6 +2467,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2488,6 +2489,7 @@ CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 CONFIG_IMX2_WDT=m
 CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
 # CONFIG_IMX_DMA is not set
 # CONFIG_IMX_DSP is not set
 CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -3145,6 +3147,9 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL is not set
 CONFIG_LOCKD_V4=y
 # CONFIG_LOCK_EVENT_COUNTS is not set
@@ -4400,7 +4405,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
 CONFIG_OPT3001=m
 CONFIG_OPTEE=m
 CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@@ -5492,6 +5497,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 # CONFIG_SECURITY_INFINIBAND is not set
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -7445,6 +7452,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-i686-debug.config

@@ -2198,6 +2198,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2878,7 +2879,10 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 CONFIG_LOCK_DOWN_KERNEL=y
 CONFIG_LOCKD_V4=y
 CONFIG_LOCK_EVENT_COUNTS=y
@@ -3996,7 +4000,7 @@ CONFIG_OPENVSWITCH=m
 CONFIG_OPENVSWITCH_VXLAN=m
 # CONFIG_OPROFILE is not set
 CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@@ -4866,6 +4870,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -6494,6 +6500,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-i686.config

@@ -2181,6 +2181,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2859,7 +2860,10 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 CONFIG_LOCK_DOWN_KERNEL=y
 CONFIG_LOCKD_V4=y
 # CONFIG_LOCK_EVENT_COUNTS is not set
@@ -3977,7 +3981,7 @@ CONFIG_OPENVSWITCH=m
 CONFIG_OPENVSWITCH_VXLAN=m
 # CONFIG_OPROFILE is not set
 CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@@ -4846,6 +4850,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -6473,6 +6479,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-ppc64le-debug.config

@@ -1999,6 +1999,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2624,6 +2625,9 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL is not set
 CONFIG_LOCKD_V4=y
 CONFIG_LOCK_EVENT_COUNTS=y
@@ -3708,7 +3712,7 @@ CONFIG_OPENVSWITCH=m
 CONFIG_OPENVSWITCH_VXLAN=m
 # CONFIG_OPROFILE is not set
 CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@@ -4555,6 +4559,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -6087,6 +6093,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-ppc64le.config

@@ -1982,6 +1982,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2605,6 +2606,9 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL is not set
 CONFIG_LOCKD_V4=y
 # CONFIG_LOCK_EVENT_COUNTS is not set
@@ -3687,7 +3691,7 @@ CONFIG_OPENVSWITCH=m
 CONFIG_OPENVSWITCH_VXLAN=m
 # CONFIG_OPROFILE is not set
 CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@@ -4533,6 +4537,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -6064,6 +6070,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-s390x-debug.config

@@ -1979,6 +1979,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2416,6 +2417,7 @@ CONFIG_KERNEL_GZIP=y
 # CONFIG_KERNEL_UNCOMPRESSED is not set
 # CONFIG_KERNEL_XZ is not set
 CONFIG_KEXEC_FILE=y
+CONFIG_KEXEC_SIG=y
 # CONFIG_KEXEC_VERIFY_SIG is not set
 CONFIG_KEXEC=y
 # CONFIG_KEYBOARD_ADC is not set
@@ -2600,6 +2602,9 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL is not set
 CONFIG_LOCKD_V4=y
 CONFIG_LOCK_EVENT_COUNTS=y
@@ -3675,7 +3680,7 @@ CONFIG_OPENVSWITCH=m
 CONFIG_OPENVSWITCH_VXLAN=m
 # CONFIG_OPROFILE is not set
 CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@@ -4501,6 +4506,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -6026,6 +6033,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=y
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-s390x.config

@@ -1962,6 +1962,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2397,6 +2398,7 @@ CONFIG_KERNEL_GZIP=y
 # CONFIG_KERNEL_UNCOMPRESSED is not set
 # CONFIG_KERNEL_XZ is not set
 CONFIG_KEXEC_FILE=y
+CONFIG_KEXEC_SIG=y
 # CONFIG_KEXEC_VERIFY_SIG is not set
 CONFIG_KEXEC=y
 # CONFIG_KEYBOARD_ADC is not set
@@ -2581,6 +2583,9 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL is not set
 CONFIG_LOCKD_V4=y
 # CONFIG_LOCK_EVENT_COUNTS is not set
@@ -3654,7 +3659,7 @@ CONFIG_OPENVSWITCH=m
 CONFIG_OPENVSWITCH_VXLAN=m
 # CONFIG_OPROFILE is not set
 CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@@ -4479,6 +4484,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -6003,6 +6010,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=y
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-x86_64-debug.config

@@ -2237,6 +2237,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2929,7 +2930,10 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 CONFIG_LOCK_DOWN_KERNEL=y
 CONFIG_LOCKD_V4=y
 CONFIG_LOCK_EVENT_COUNTS=y
@@ -4907,6 +4911,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -6546,6 +6552,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel-x86_64.config

@@ -2220,6 +2220,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2910,7 +2911,10 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 CONFIG_LOCK_DOWN_KERNEL=y
 CONFIG_LOCKD_V4=y
 # CONFIG_LOCK_EVENT_COUNTS is not set
@@ -4887,6 +4891,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -6525,6 +6531,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y

kernel.spec

@@ -71,7 +71,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %global rcrev 0
 # The git snapshot level
-%define gitrev 8
+%define gitrev 9
 # Set rpm version accordingly
 %define rpmversion 5.%{upstream_sublevel}.0
 %endif
@@ -499,7 +499,7 @@ Patch122: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
 
 # 200 - x86 / secureboot
 
-Patch201: efi-lockdown.patch
+# Patch201: efi-lockdown.patch
 
 # bz 1497559 - Make kernel MODSIGN code not error on missing variables
 Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
@@ -534,10 +534,6 @@ Patch320: arm64-tegra-jetson-tx1-fixes.patch
 # https://www.spinics.net/lists/linux-tegra/msg43110.html
 Patch321: arm64-tegra-Jetson-TX2-Allow-bootloader-to-configure.patch
 
-# QCom laptop bits
-# https://patchwork.kernel.org/patch/11133827/
-Patch330: arm64-qcom-i2c-geni-Disable-DMA-processing-on-the-Lenovo-Yoga-C630.patch
-
 # 400 - IBM (ppc/s390x) patches
 
 # 500 - Temp fixes/CVEs etc
@@ -551,9 +547,6 @@ Patch502: 0001-Drop-that-for-now.patch
 # Submitted upstream at https://lkml.org/lkml/2019/4/23/89
 Patch503: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
 
-# https://patchwork.kernel.org/patch/11158395/
-Patch504: iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch
-
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1755,6 +1748,9 @@ fi
 #
 #
 %changelog
+* Mon Sep 30 2019 Jeremy Cline <jcline@redhat.com> - 5.4.0-0.rc0.git9.1
+- Linux v5.3-13236-g97f9a3c4eee5
+
 * Thu Sep 26 2019 Jeremy Cline <jcline@redhat.com> - 5.4.0-0.rc0.git8.1
 - Linux v5.3-12397-gf41def397161
 

sources

@@ -1,2 +1,2 @@
 SHA512 (linux-5.3.tar.xz) = 6b5edef47c319a3fa7f6c20a3e0903a5acd89ec75e32dc5f99adcb60c9fe118ea312722d9c3d27e2e3900afa2455afb86e83a8b6bb131009bc79ddbe6fb0595d
-SHA512 (patch-5.3-git8.xz) = 6d20a445bce9b821cb9c83c2440fce5b3e3e70ddc5f31d535524687fcefeab1edad7c72dfaa53b6bbf9beeb7811ae04d1301094d69463771b95f86dffed8b2ce
+SHA512 (patch-5.3-git9.xz) = 47761a6fb683ba11c648df4fe542f13b90f1bc3bdeba236ea0be4df12c7ce7373f5841e194641023370bf52d94ad8660dc85bf51d44942c7c2508b996e365c88