Merge remote-tracking branch 'up/master' into master-riscv64

Signed-off-by: David Abdurachmanov <david.abdurachmanov@gmail.com>

0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch

@@ -0,0 +1,400 @@
+From 4ef7fb944ba1e4ca9ccfbd7a43afda5a1cc884c1 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 29 Apr 2019 15:11:26 +0200
+Subject: [PATCH] platform/x86: ideapad-laptop: Remove no_hw_rfkill_list
+
+When the ideapad-laptop driver was first written it was written for laptops
+which had a hardware rfkill switch. So when the first ideapad laptops
+showed up without a hw rfkill switch and it turned out that in this case
+the ideapad firmware interface would always report the wifi being hardware-
+blocked, a DMI id list of models which lack a hw rfkill switch was started
+(by yours truly). Things were done this way to avoid regressing existing
+models with a hw rfkill switch. In hindsight this was a mistake.
+
+Lenovo releases a lot of ideapad models every year and even the latest
+models still use the "VPC2004" ACPI interface the ideapad-laptop driver
+binds to. Having a hw rfkill switch is quite rare on modern hardware, so
+all these new models need to be added to the no_hw_rfkill_list, leading
+to a never ending game of whack a mole.
+
+Worse the failure mode when not present on the list, is very bad. In this
+case the ideapad-laptop driver will report the wifi as being hw-blocked,
+at which points NetworkManager does not even try to use it and the user
+ends up with non working wifi.
+
+This leads to various Linux fora on the internet being filled with
+wifi not working on ideapad laptops stories, which does not make Linux
+look good.
+
+The failure mode when we flip the default to assuming that a hw rfkill
+switch is not present OTOH is quite benign. When we properly report the
+wifi as being hw-blocked on ideapads which do have the hw-switch; and it
+is in the wifi-off position, then at least when using NetworkManager +
+GNOME3 the user will get a "wifi disabled in hardware" message when trying
+to connect to the wifi from the UI. If OTOH we assume there is no hardware
+rfkill switch, then the user will get an empty list for the list of
+available networks. Although the empty list vs the "wifi disabled in
+hardware" message is a regression, it is a very minor regression and it
+can easily be fixed on a model by model basis by filling the new
+hw_rfkill_list this commit introduces.
+
+Therefor this commit removes the ever growing no_hw_rfkill_list, flipping
+the default to assuming there is no hw rfkill switch and adding a new
+hw_rfkill_list. Thereby fixing the wifi not working on all the current
+ideapad and yoga models which are not on the list yet and also fixing it
+for all future ideapad and yoga models using the "VPC2004" ACPI interface.
+
+Note once this patch has been accepted upstream. I plan to write a blog
+post asking for users of ideapads and yoga's with a hw rfkill switch to
+step forward, so that we can populate the new hw_rfkill_list with the few
+older yoga and ideapad models which actually have a hw rfkill switch.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1703338
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+---
+ drivers/platform/x86/ideapad-laptop.c | 321 ++------------------------
+ 1 file changed, 15 insertions(+), 306 deletions(-)
+
+diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
+index c53ae86b59c7..2d94536dea88 100644
+--- a/drivers/platform/x86/ideapad-laptop.c
++++ b/drivers/platform/x86/ideapad-laptop.c
+@@ -980,312 +980,21 @@ static void ideapad_wmi_notify(u32 value, void *context)
+ #endif
+ 
+ /*
+- * Some ideapads don't have a hardware rfkill switch, reading VPCCMD_R_RF
+- * always results in 0 on these models, causing ideapad_laptop to wrongly
+- * report all radios as hardware-blocked.
++ * Some ideapads have a hardware rfkill switch, but most do not have one.
++ * Reading VPCCMD_R_RF always results in 0 on models without a hardware rfkill,
++ * switch causing ideapad_laptop to wrongly report all radios as hw-blocked.
++ * There used to be a long list of DMI ids for models without a hw rfkill
++ * switch here, but that resulted in playing whack a mole.
++ * More importantly wrongly reporting the wifi radio as hw-blocked, results in
++ * non working wifi. Whereas not reporting it hw-blocked, when it actually is
++ * hw-blocked results in an empty SSID list, which is a much more benign
++ * failure mode.
++ * So the default now is the much safer option of assuming there is no
++ * hardware rfkill switch. This default also actually matches most hardware,
++ * since having a hw rfkill switch is quite rare on modern hardware, so this
++ * also leads to a much shorter list.
+  */
+-static const struct dmi_system_id no_hw_rfkill_list[] = {
+-	{
+-		.ident = "Lenovo RESCUER R720-15IKBN",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo R720-15IKBN"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo G40-30",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo G40-30"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo G50-30",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo G50-30"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo V310-14IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-14IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo V310-14ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-14ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo V310-15IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-15IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo V310-15ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-15ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo V510-15IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V510-15IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 300-15IBR",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 300-15IBR"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 300-15IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 300-15IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 300S-11IBR",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 300S-11BR"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 310-15ABR",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15ABR"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 310-15IAP",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15IAP"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 310-15IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 310-15ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 330-15ICH",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 330-15ICH"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 530S-14ARR",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 530S-14ARR"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad S130-14IGM",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad S130-14IGM"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad Y700-14ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-14ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad Y700-15ACZ",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-15ACZ"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad Y700-15ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-15ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad Y700 Touch-15ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700 Touch-15ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad Y700-17ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-17ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad MIIX 720-12IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "MIIX 720-12IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Legion Y520-15IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y520-15IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Y520-15IKBM",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y520-15IKBM"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Legion Y530-15ICH",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Legion Y530-15ICH"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Legion Y530-15ICH-1060",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Legion Y530-15ICH-1060"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Legion Y720-15IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y720-15IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Legion Y720-15IKBN",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y720-15IKBN"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Y720-15IKBM",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y720-15IKBM"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 2 11 / 13 / Pro",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 2"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 2 11 / 13 / Pro",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_BOARD_NAME, "Yoga2"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 2 13",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Yoga 2 13"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 3 1170 / 1470",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 3"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 3 Pro 1370",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 3"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 700",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 700"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 900",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 900"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 900",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_BOARD_NAME, "VIUU4"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo YOGA 910-13IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 910-13IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo YOGA 920-13IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 920-13IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo YOGA C930-13IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA C930-13IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Zhaoyang E42-80",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "ZHAOYANG E42-80"),
+-		},
+-	},
++static const struct dmi_system_id hw_rfkill_list[] = {
+ 	{}
+ };
+ 
+@@ -1311,7 +1020,7 @@ static int ideapad_acpi_add(struct platform_device *pdev)
+ 	priv->cfg = cfg;
+ 	priv->adev = adev;
+ 	priv->platform_device = pdev;
+-	priv->has_hw_rfkill_switch = !dmi_check_system(no_hw_rfkill_list);
++	priv->has_hw_rfkill_switch = dmi_check_system(hw_rfkill_list);
+ 
+ 	ret = ideapad_sysfs_init(priv);
+ 	if (ret)
+-- 
+2.21.0
+

KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch

@@ -1,96 +0,0 @@
-From 7ec379c439ea60507804f96910d25196ab838ec4 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Fri, 5 May 2017 08:21:56 +0100
-Subject: [PATCH] KEYS: Allow unrestricted boot-time addition of keys to
- secondary keyring
-
-Allow keys to be added to the system secondary certificates keyring during
-kernel initialisation in an unrestricted fashion.  Such keys are implicitly
-trusted and don't have their trust chains checked on link.
-
-This allows keys in the UEFI database to be added in secure boot mode for
-the purposes of module signing.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Jeremy Cline <jcline@redhat.com>
----
- certs/internal.h       | 18 ++++++++++++++++++
- certs/system_keyring.c | 33 +++++++++++++++++++++++++++++++++
- 2 files changed, 51 insertions(+)
- create mode 100644 certs/internal.h
-
-diff --git a/certs/internal.h b/certs/internal.h
-new file mode 100644
-index 000000000000..5dcbefb0c23a
---- /dev/null
-+++ b/certs/internal.h
-@@ -0,0 +1,18 @@
-+/* Internal definitions
-+ *
-+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+/*
-+ * system_keyring.c
-+ */
-+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
-+extern void __init add_trusted_secondary_key(const char *source,
-+					     const void *data, size_t len);
-+#endif
-diff --git a/certs/system_keyring.c b/certs/system_keyring.c
-index c05c29ae4d5d..183e73cc81f7 100644
---- a/certs/system_keyring.c
-+++ b/certs/system_keyring.c
-@@ -19,6 +19,7 @@
- #include <keys/asymmetric-type.h>
- #include <keys/system_keyring.h>
- #include <crypto/pkcs7.h>
-+#include "internal.h"
- 
- static struct key *builtin_trusted_keys;
- #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
-@@ -287,3 +288,35 @@ void __init set_platform_trusted_keys(struct key *keyring)
- 	platform_trusted_keys = keyring;
- }
- #endif
-+
-+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
-+/**
-+ * add_trusted_secondary_key - Add to secondary keyring with no validation
-+ * @source: Source of key
-+ * @data: The blob holding the key
-+ * @len: The length of the data blob
-+ *
-+ * Add a key to the secondary keyring without checking its trust chain.  This
-+ * is available only during kernel initialisation.
-+ */
-+void __init add_trusted_secondary_key(const char *source,
-+				      const void *data, size_t len)
-+{
-+	key_ref_t key;
-+
-+	key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1),
-+				   "asymmetric",
-+				   NULL, data, len,
-+				   (KEY_POS_ALL & ~KEY_POS_SETATTR) |
-+				   KEY_USR_VIEW,
-+				   KEY_ALLOC_NOT_IN_QUOTA |
-+				   KEY_ALLOC_BYPASS_RESTRICTION);
-+
-+	if (IS_ERR(key))
-+		pr_err("Problem loading %s X.509 certificate (%ld)\n",
-+		       source, PTR_ERR(key));
-+	else
-+		pr_notice("Loaded %s cert '%s' linked to secondary sys keyring\n",
-+			  source, key_ref_to_ptr(key)->description);
-+}
-+#endif /* CONFIG_SECONDARY_TRUSTED_KEYRING */
--- 
-2.20.1
-

KEYS-Make-use-of-platform-keyring-for-module-signature.patch

@@ -0,0 +1,54 @@
+From 70cecc97a4fc1667472224558a50dd7b6c42c789 Mon Sep 17 00:00:00 2001
+From: Robert Holmes <robeholmes@gmail.com>
+Date: Tue, 23 Apr 2019 07:39:29 +0000
+Subject: [PATCH] KEYS: Make use of platform keyring for module signature
+ verify
+
+This patch completes commit 278311e417be ("kexec, KEYS: Make use of
+platform keyring for signature verify") which, while adding the
+platform keyring for bzImage verification, neglected to also add
+this keyring for module verification.
+
+As such, kernel modules signed with keys from the MokList variable
+were not successfully verified.
+
+Signed-off-by: Robert Holmes <robeholmes@gmail.com>
+---
+ kernel/module_signing.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/module_signing.c b/kernel/module_signing.c
+index 6b9a926fd86b..cf94220e9154 100644
+--- a/kernel/module_signing.c
++++ b/kernel/module_signing.c
+@@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
+ {
+ 	struct module_signature ms;
+ 	size_t sig_len, modlen = info->len;
++	int ret;
+ 
+ 	pr_devel("==>%s(,%zu)\n", __func__, modlen);
+ 
+@@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
+ 		return -EBADMSG;
+ 	}
+ 
+-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+-				      VERIFY_USE_SECONDARY_KEYRING,
+-				      VERIFYING_MODULE_SIGNATURE,
+-				      NULL, NULL);
++	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
++				     VERIFY_USE_SECONDARY_KEYRING,
++				     VERIFYING_MODULE_SIGNATURE,
++				     NULL, NULL);
++	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
++		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
++					     VERIFY_USE_PLATFORM_KEYRING,
++					     VERIFYING_MODULE_SIGNATURE,
++					     NULL, NULL);
++	}
++	return ret;
+ }
+-- 
+2.21.0
+

configs/config_generation

@@ -18,7 +18,7 @@ i686-debug=generic:generic-x86:generic-x86-i686:debug:debug-x86
 
 # ppc64le
 ppc64le=generic:generic-powerpc
-ppc64le-debug=generic:generic-powerpc:generic-powerpc:debug
+ppc64le-debug=generic:generic-powerpc:debug
 
 # s390x
 s390x=generic:generic-s390x

configs/fedora/generic/CONFIG_PCIE_BW

@@ -0,0 +1 @@
+# CONFIG_PCIE_BW is not set

configs/fedora/generic/CONFIG_SENSIRION_SGP30

@@ -0,0 +1 @@
+# CONFIG_SENSIRION_SGP30 is not set

configs/fedora/generic/arm/CONFIG_CRYPTO_DEV_SUN4I_SS

@@ -1 +1 @@
-CONFIG_CRYPTO_DEV_SUN4I_SS=m
+# CONFIG_CRYPTO_DEV_SUN4I_SS is not set

configs/fedora/generic/arm/CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG

@@ -1 +1 @@
-CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
+# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set

configs/fedora/generic/arm/aarch64/CONFIG_KEYBOARD_SNVS_PWRKEY

@@ -0,0 +1 @@
+CONFIG_KEYBOARD_SNVS_PWRKEY=m

configs/fedora/generic/arm/armv7/CONFIG_FUNCTION_GRAPH_TRACER

@@ -0,0 +1 @@
+# CONFIG_FUNCTION_GRAPH_TRACER is not set

configs/fedora/generic/x86/CONFIG_KEXEC_SIG

@@ -0,0 +1 @@
+CONFIG_KEXEC_SIG=y

configs/fedora/generic/x86/CONFIG_KEXEC_SIG_FORCE

@@ -0,0 +1 @@
+# CONFIG_KEXEC_SIG_FORCE is not set

configs/fedora/generic/x86/CONFIG_KEXEC_VERIFY_SIG

@@ -1 +0,0 @@
-CONFIG_KEXEC_VERIFY_SIG=y

configs/fedora/generic/x86/CONFIG_LOCK_DOWN_KERNEL_FORCE

@@ -0,0 +1 @@
+# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set

configs/fedora/generic/x86/CONFIG_LOCK_DOWN_MANDATORY

@@ -1 +0,0 @@
-# CONFIG_LOCK_DOWN_MANDATORY is not set

efi-secureboot.patch

@@ -1,43 +1,3 @@
-From b96ff1fd9e94772fde7b58fd69969d1a1c87eb6d Mon Sep 17 00:00:00 2001
-From: Dave Young <dyoung@redhat.com>
-Date: Tue, 27 Feb 2018 10:04:51 +0000
-Subject: [PATCH 07/31] Copy secure_boot flag in boot params across kexec
- reboot
-
-Kexec reboot in case secure boot being enabled does not keep the secure
-boot mode in new kernel, so later one can load unsigned kernel via legacy
-kexec_load.  In this state, the system is missing the protections provided
-by secure boot.
-
-Adding a patch to fix this by retain the secure_boot flag in original
-kernel.
-
-secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
-stub.  Fixing this issue by copying secure_boot flag across kexec reboot.
-
-Signed-off-by: Dave Young <dyoung@redhat.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
-cc: kexec@lists.infradead.org
----
- arch/x86/kernel/kexec-bzimage64.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
-index fb095ba0c02f..7d0fac5bcbbe 100644
---- a/arch/x86/kernel/kexec-bzimage64.c
-+++ b/arch/x86/kernel/kexec-bzimage64.c
-@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
- 	if (efi_enabled(EFI_OLD_MEMMAP))
- 		return 0;
-
-+	params->secure_boot = boot_params.secure_boot;
- 	ei->efi_loader_signature = current_ei->efi_loader_signature;
- 	ei->efi_systab = current_ei->efi_systab;
- 	ei->efi_systab_hi = current_ei->efi_systab_hi;
--- 
-2.14.3
-
 From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 27 Feb 2018 10:04:55 +0000
@@ -183,7 +143,8 @@ index 100ce4a4aff6..62361b647a75 100644
  
  extern int efi_status_to_err(efi_status_t status);
 @@ -1577,12 +1589,6 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg,
- bool efi_runtime_disabled(void);
+ #endif
+ 
  extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
  extern unsigned long efi_call_virt_save_flags(void);
  
@@ -221,34 +182,36 @@ cc: linux-efi@vger.kernel.org
  4 files changed, 20 insertions(+), 3 deletions(-)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index a7c240f00d78..1277d1857c5c 100644
+index adeee6329f55..27a54ec878bd 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -64,6 +64,7 @@
+@@ -65,6 +65,7 @@
  #include <linux/dma-mapping.h>
  #include <linux/ctype.h>
  #include <linux/uaccess.h>
 +#include <linux/security.h>
-
+ 
  #include <linux/percpu.h>
  #include <linux/crash_dump.h>
-@@ -997,6 +998,8 @@ void __init setup_arch(char **cmdline_p)
+@@ -1005,6 +1006,10 @@ void __init setup_arch(char **cmdline_p)
  	if (efi_enabled(EFI_BOOT))
  		efi_init();
-
+ 
 +	efi_set_secure_boot(boot_params.secure_boot);
 +
- 	init_lockdown();
-
++	init_lockdown();
++
  	dmi_scan_machine();
-@@ -1150,8 +1154,6 @@ void __init setup_arch(char **cmdline_p)
+ 	dmi_memdev_walk();
+ 	dmi_set_dump_stack_arch_desc();
+@@ -1159,8 +1164,6 @@ void __init setup_arch(char **cmdline_p)
  	/* Allocate bigger log buffer */
  	setup_log_buf(1);
-
+ 
 -	efi_set_secure_boot(boot_params.secure_boot);
 -
  	reserve_initrd();
-
+ 
  	acpi_table_upgrade();
 diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
 index ce261e1765ff..7aff55b309a6 100644
@@ -264,13 +227,13 @@ index ce261e1765ff..7aff55b309a6 100644
  	return simple_setattr(dentry, ia);
  }
 diff --git a/security/Kconfig b/security/Kconfig
-index 461d5acc3616..13fdada1ffc2 100644
+index 9c343f262bdd..30788bc47863 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -248,6 +248,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
- 	  Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
- 	  combination on a wired keyboard.  On x86, this is SysRq+x.
-
+@@ -244,6 +244,20 @@ config LOCK_DOWN_KERNEL_FORCE
+         help
+           Enable the kernel lock down functionality automatically at boot.
+ 
 +config LOCK_DOWN_IN_EFI_SECURE_BOOT
 +	bool "Lock down the kernel in EFI Secure Boot mode"
 +	default n
@@ -285,31 +248,31 @@ index 461d5acc3616..13fdada1ffc2 100644
 +	  Enabling this option turns on results in kernel lockdown being
 +	  triggered if EFI Secure Boot is set.
 +
-
  source "security/selinux/Kconfig"
  source "security/smack/Kconfig"
+ source "security/tomoyo/Kconfig"
 diff --git a/security/lock_down.c b/security/lock_down.c
-index 2c6b00f0c229..527f7e51dc8d 100644
+index ee00ca2677e7..bb4dc7838f3e 100644
 --- a/security/lock_down.c
 +++ b/security/lock_down.c
 @@ -12,6 +12,7 @@
+ 
+ #include <linux/security.h>
  #include <linux/export.h>
- #include <linux/sched.h>
- #include <linux/sysrq.h>
 +#include <linux/efi.h>
- #include <asm/setup.h>
-
- #ifndef CONFIG_LOCK_DOWN_MANDATORY
-@@ -55,6 +55,10 @@ void __init init_lockdown(void)
- #ifdef CONFIG_LOCK_DOWN_MANDATORY
- 	pr_notice("Kernel is locked down from config; see man kernel_lockdown.7\n");
+ 
+ static __ro_after_init bool kernel_locked_down;
+ 
+@@ -44,6 +45,10 @@ void __init init_lockdown(void)
+ #ifdef CONFIG_LOCK_DOWN_FORCE
+ 	lock_kernel_down("Kernel configuration");
  #endif
 +#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
 +	if (efi_enabled(EFI_SECURE_BOOT))
 +		lock_kernel_down("EFI secure boot");
 +#endif
  }
-
+ 
  /**
 -- 
 2.14.3

gitrev

@@ -1 +1 @@
-771acc7e4a6e5dba779cb1a7fd851a164bc81033
+ea9866793d1e925b4d320eaea409263b2a568f38

kernel-aarch64-debug.config

@@ -1128,8 +1128,8 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=m
 CONFIG_CRYPTO_DEV_SAFEXCEL=m
 # CONFIG_CRYPTO_DEV_SAHARA is not set
 CONFIG_CRYPTO_DEV_SP_CCP=y
-CONFIG_CRYPTO_DEV_SUN4I_SS=m
-CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
+# CONFIG_CRYPTO_DEV_SUN4I_SS is not set
+# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
 CONFIG_CRYPTO_DEV_VIRTIO=m
 CONFIG_CRYPTO_DH=y
 CONFIG_CRYPTO_DRBG_CTR=y
@@ -2884,6 +2884,7 @@ CONFIG_KEYBOARD_PMIC8XXX=m
 CONFIG_KEYBOARD_QT1070=m
 # CONFIG_KEYBOARD_QT2160 is not set
 # CONFIG_KEYBOARD_SAMSUNG is not set
+CONFIG_KEYBOARD_SNVS_PWRKEY=m
 # CONFIG_KEYBOARD_STOWAWAY is not set
 # CONFIG_KEYBOARD_SUN4I_LRADC is not set
 # CONFIG_KEYBOARD_SUNKBD is not set
@@ -4286,6 +4287,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 CONFIG_PCIE_DW_HOST=y
@@ -5209,6 +5211,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_ACPI_POWER=m
 CONFIG_SENSORS_AD7314=m
 CONFIG_SENSORS_AD7414=m

kernel-aarch64.config

@@ -1128,8 +1128,8 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=m
 CONFIG_CRYPTO_DEV_SAFEXCEL=m
 # CONFIG_CRYPTO_DEV_SAHARA is not set
 CONFIG_CRYPTO_DEV_SP_CCP=y
-CONFIG_CRYPTO_DEV_SUN4I_SS=m
-CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
+# CONFIG_CRYPTO_DEV_SUN4I_SS is not set
+# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
 CONFIG_CRYPTO_DEV_VIRTIO=m
 CONFIG_CRYPTO_DH=y
 CONFIG_CRYPTO_DRBG_CTR=y
@@ -2866,6 +2866,7 @@ CONFIG_KEYBOARD_PMIC8XXX=m
 CONFIG_KEYBOARD_QT1070=m
 # CONFIG_KEYBOARD_QT2160 is not set
 # CONFIG_KEYBOARD_SAMSUNG is not set
+CONFIG_KEYBOARD_SNVS_PWRKEY=m
 # CONFIG_KEYBOARD_STOWAWAY is not set
 # CONFIG_KEYBOARD_SUN4I_LRADC is not set
 # CONFIG_KEYBOARD_SUNKBD is not set
@@ -4266,6 +4267,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 CONFIG_PCIE_DW_HOST=y
@@ -5188,6 +5190,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_ACPI_POWER=m
 CONFIG_SENSORS_AD7314=m
 CONFIG_SENSORS_AD7414=m

kernel-armv7hl-debug.config

@@ -1126,8 +1126,8 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=m
 CONFIG_CRYPTO_DEV_S5P=m
 CONFIG_CRYPTO_DEV_SAHARA=m
 # CONFIG_CRYPTO_DEV_SP_CCP is not set
-CONFIG_CRYPTO_DEV_SUN4I_SS=m
-CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
+# CONFIG_CRYPTO_DEV_SUN4I_SS is not set
+# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
 CONFIG_CRYPTO_DEV_VIRTIO=m
 CONFIG_CRYPTO_DH=y
 CONFIG_CRYPTO_DRBG_CTR=y
@@ -1905,7 +1905,7 @@ CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_SYSCALLS=y
 CONFIG_FTRACE=y
 # CONFIG_FTWDT010_WATCHDOG is not set
-CONFIG_FUNCTION_GRAPH_TRACER=y
+# CONFIG_FUNCTION_GRAPH_TRACER is not set
 CONFIG_FUNCTION_PROFILER=y
 CONFIG_FUNCTION_TRACER=y
 CONFIG_FUSE_FS=m
@@ -4418,6 +4418,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 CONFIG_PCIE_DW_HOST=y
@@ -5368,6 +5369,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_AD7314=m
 CONFIG_SENSORS_AD7414=m
 CONFIG_SENSORS_AD7418=m

kernel-armv7hl-lpae-debug.config

@@ -1089,8 +1089,8 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=m
 CONFIG_CRYPTO_DEV_S5P=m
 # CONFIG_CRYPTO_DEV_SAHARA is not set
 # CONFIG_CRYPTO_DEV_SP_CCP is not set
-CONFIG_CRYPTO_DEV_SUN4I_SS=m
-CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
+# CONFIG_CRYPTO_DEV_SUN4I_SS is not set
+# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
 CONFIG_CRYPTO_DEV_VIRTIO=m
 CONFIG_CRYPTO_DH=y
 CONFIG_CRYPTO_DRBG_CTR=y
@@ -1835,7 +1835,7 @@ CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_SYSCALLS=y
 CONFIG_FTRACE=y
 # CONFIG_FTWDT010_WATCHDOG is not set
-CONFIG_FUNCTION_GRAPH_TRACER=y
+# CONFIG_FUNCTION_GRAPH_TRACER is not set
 CONFIG_FUNCTION_PROFILER=y
 CONFIG_FUNCTION_TRACER=y
 CONFIG_FUSE_FS=m
@@ -4248,6 +4248,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 CONFIG_PCIE_DW_HOST=y
@@ -5115,6 +5116,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_AD7314=m
 CONFIG_SENSORS_AD7414=m
 CONFIG_SENSORS_AD7418=m

kernel-armv7hl-lpae.config

@@ -1089,8 +1089,8 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=m
 CONFIG_CRYPTO_DEV_S5P=m
 # CONFIG_CRYPTO_DEV_SAHARA is not set
 # CONFIG_CRYPTO_DEV_SP_CCP is not set
-CONFIG_CRYPTO_DEV_SUN4I_SS=m
-CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
+# CONFIG_CRYPTO_DEV_SUN4I_SS is not set
+# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
 CONFIG_CRYPTO_DEV_VIRTIO=m
 CONFIG_CRYPTO_DH=y
 CONFIG_CRYPTO_DRBG_CTR=y
@@ -1820,7 +1820,7 @@ CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_SYSCALLS=y
 CONFIG_FTRACE=y
 # CONFIG_FTWDT010_WATCHDOG is not set
-CONFIG_FUNCTION_GRAPH_TRACER=y
+# CONFIG_FUNCTION_GRAPH_TRACER is not set
 CONFIG_FUNCTION_PROFILER=y
 CONFIG_FUNCTION_TRACER=y
 CONFIG_FUSE_FS=m
@@ -4229,6 +4229,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 CONFIG_PCIE_DW_HOST=y
@@ -5095,6 +5096,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_AD7314=m
 CONFIG_SENSORS_AD7414=m
 CONFIG_SENSORS_AD7418=m

kernel-armv7hl.config

@@ -1126,8 +1126,8 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=m
 CONFIG_CRYPTO_DEV_S5P=m
 CONFIG_CRYPTO_DEV_SAHARA=m
 # CONFIG_CRYPTO_DEV_SP_CCP is not set
-CONFIG_CRYPTO_DEV_SUN4I_SS=m
-CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
+# CONFIG_CRYPTO_DEV_SUN4I_SS is not set
+# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
 CONFIG_CRYPTO_DEV_VIRTIO=m
 CONFIG_CRYPTO_DH=y
 CONFIG_CRYPTO_DRBG_CTR=y
@@ -1890,7 +1890,7 @@ CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_SYSCALLS=y
 CONFIG_FTRACE=y
 # CONFIG_FTWDT010_WATCHDOG is not set
-CONFIG_FUNCTION_GRAPH_TRACER=y
+# CONFIG_FUNCTION_GRAPH_TRACER is not set
 CONFIG_FUNCTION_PROFILER=y
 CONFIG_FUNCTION_TRACER=y
 CONFIG_FUSE_FS=m
@@ -4399,6 +4399,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 CONFIG_PCIE_DW_HOST=y
@@ -5348,6 +5349,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_AD7314=m
 CONFIG_SENSORS_AD7414=m
 CONFIG_SENSORS_AD7418=m

kernel-i686-debug.config

@@ -2645,7 +2645,8 @@ CONFIG_KERNEL_GZIP=y
 # CONFIG_KERNEL_XZ is not set
 # CONFIG_KEXEC_FILE is not set
 # CONFIG_KEXEC_JUMP is not set
-CONFIG_KEXEC_VERIFY_SIG=y
+# CONFIG_KEXEC_SIG_FORCE is not set
+CONFIG_KEXEC_SIG=y
 CONFIG_KEXEC=y
 # CONFIG_KEYBOARD_ADC is not set
 # CONFIG_KEYBOARD_ADP5588 is not set
@@ -2828,8 +2829,8 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
 CONFIG_LOCK_DOWN_KERNEL=y
-# CONFIG_LOCK_DOWN_MANDATORY is not set
 CONFIG_LOCKD_V4=y
 CONFIG_LOCK_STAT=y
 CONFIG_LOCK_TORTURE_TEST=m
@@ -4021,6 +4022,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 # CONFIG_PCIE_DW_PLAT_HOST is not set
@@ -4748,6 +4750,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_ABITUGURU3=m
 CONFIG_SENSORS_ABITUGURU=m
 CONFIG_SENSORS_ACPI_POWER=m

kernel-i686.config

@@ -2626,7 +2626,8 @@ CONFIG_KERNEL_GZIP=y
 # CONFIG_KERNEL_XZ is not set
 # CONFIG_KEXEC_FILE is not set
 # CONFIG_KEXEC_JUMP is not set
-CONFIG_KEXEC_VERIFY_SIG=y
+# CONFIG_KEXEC_SIG_FORCE is not set
+CONFIG_KEXEC_SIG=y
 CONFIG_KEXEC=y
 # CONFIG_KEYBOARD_ADC is not set
 # CONFIG_KEYBOARD_ADP5588 is not set
@@ -2809,8 +2810,8 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
 CONFIG_LOCK_DOWN_KERNEL=y
-# CONFIG_LOCK_DOWN_MANDATORY is not set
 CONFIG_LOCKD_V4=y
 # CONFIG_LOCK_STAT is not set
 # CONFIG_LOCK_TORTURE_TEST is not set
@@ -4002,6 +4003,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 # CONFIG_PCIE_DW_PLAT_HOST is not set
@@ -4728,6 +4730,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_ABITUGURU3=m
 CONFIG_SENSORS_ABITUGURU=m
 CONFIG_SENSORS_ACPI_POWER=m

kernel-ppc64le-debug.config

@@ -3726,6 +3726,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 # CONFIG_PCIE_DW_PLAT_HOST is not set
@@ -4449,6 +4450,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_AD7314=m
 CONFIG_SENSORS_AD7414=m
 CONFIG_SENSORS_AD7418=m

kernel-ppc64le.config

@@ -3705,6 +3705,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 # CONFIG_PCIE_DW_PLAT_HOST is not set
@@ -4427,6 +4428,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_AD7314=m
 CONFIG_SENSORS_AD7414=m
 CONFIG_SENSORS_AD7418=m

kernel-s390x-debug.config

@@ -3691,6 +3691,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 # CONFIG_PCIE_DW_PLAT_HOST is not set
@@ -4397,6 +4398,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_AD7314=m
 CONFIG_SENSORS_AD7414=m
 CONFIG_SENSORS_AD7418=m

kernel-s390x.config

@@ -3670,6 +3670,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 # CONFIG_PCIE_DW_PLAT_HOST is not set
@@ -4375,6 +4376,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_AD7314=m
 CONFIG_SENSORS_AD7414=m
 CONFIG_SENSORS_AD7418=m

kernel-x86_64-debug.config

@@ -2702,7 +2702,8 @@ CONFIG_KERNEL_GZIP=y
 CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 CONFIG_KEXEC_FILE=y
 CONFIG_KEXEC_JUMP=y
-CONFIG_KEXEC_VERIFY_SIG=y
+# CONFIG_KEXEC_SIG_FORCE is not set
+CONFIG_KEXEC_SIG=y
 CONFIG_KEXEC=y
 # CONFIG_KEYBOARD_ADC is not set
 # CONFIG_KEYBOARD_ADP5588 is not set
@@ -2885,8 +2886,8 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
 CONFIG_LOCK_DOWN_KERNEL=y
-# CONFIG_LOCK_DOWN_MANDATORY is not set
 CONFIG_LOCKD_V4=y
 CONFIG_LOCK_STAT=y
 CONFIG_LOCK_TORTURE_TEST=m
@@ -4068,6 +4069,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 # CONFIG_PCIE_DW_PLAT_HOST is not set
@@ -4793,6 +4795,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_ABITUGURU3=m
 CONFIG_SENSORS_ABITUGURU=m
 CONFIG_SENSORS_ACPI_POWER=m

kernel-x86_64.config

@@ -2683,7 +2683,8 @@ CONFIG_KERNEL_GZIP=y
 CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 CONFIG_KEXEC_FILE=y
 CONFIG_KEXEC_JUMP=y
-CONFIG_KEXEC_VERIFY_SIG=y
+# CONFIG_KEXEC_SIG_FORCE is not set
+CONFIG_KEXEC_SIG=y
 CONFIG_KEXEC=y
 # CONFIG_KEYBOARD_ADC is not set
 # CONFIG_KEYBOARD_ADP5588 is not set
@@ -2866,8 +2867,8 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
 CONFIG_LOCK_DOWN_KERNEL=y
-# CONFIG_LOCK_DOWN_MANDATORY is not set
 CONFIG_LOCKD_V4=y
 # CONFIG_LOCK_STAT is not set
 # CONFIG_LOCK_TORTURE_TEST is not set
@@ -4049,6 +4050,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
 CONFIG_PCIEASPM=y
+# CONFIG_PCIE_BW is not set
 CONFIG_PCIE_CADENCE_HOST=y
 CONFIG_PCIE_DPC=y
 # CONFIG_PCIE_DW_PLAT_HOST is not set
@@ -4773,6 +4775,7 @@ CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_TOMOYO is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
+# CONFIG_SENSIRION_SGP30 is not set
 CONFIG_SENSORS_ABITUGURU3=m
 CONFIG_SENSORS_ABITUGURU=m
 CONFIG_SENSORS_ACPI_POWER=m

kernel.spec

@@ -67,9 +67,9 @@ Summary: The Linux kernel
 # The next upstream release sublevel (base_sublevel+1)
 %define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
 # The rc snapshot level
-%global rcrev 4
+%global rcrev 7
 # The git snapshot level
-%define gitrev 2
+%define gitrev 4
 # Set rpm version accordingly
 %define rpmversion 5.%{upstream_sublevel}.0
 %endif
@@ -86,7 +86,7 @@ Summary: The Linux kernel
 #
 # standard kernel
 %define with_up        %{?_without_up:        0} %{?!_without_up:        1}
-# kernel PAE (only valid for i686 (PAE) and ARM (lpae))
+# kernel PAE (only valid for ARM (lpae))
 %define with_pae       %{?_without_pae:       0} %{?!_without_pae:       1}
 # kernel-debug
 %define with_debug     %{?_without_debug:     0} %{?!_without_debug:     1}
@@ -195,9 +195,7 @@ Summary: The Linux kernel
 # and debuginfo generation. Currently we rely on the old alldebug setting.
 %global _build_id_links alldebug
 
-# kernel PAE is only built on ARMv7 in rawhide.
-# Fedora 27 and earlier still support PAE, so change this on rebases.
-# %ifnarch i686 armv7hl
+# kernel PAE is only built on ARMv7
 %ifnarch armv7hl
 %define with_pae 0
 %endif
@@ -245,7 +243,7 @@ Summary: The Linux kernel
 %endif
 
 # sparse blows up on ppc
-%ifnarch %{power64}
+%ifnarch ppc64le
 %define with_sparse 0
 %endif
 
@@ -254,7 +252,6 @@ Summary: The Linux kernel
 %ifarch %{all_x86}
 %define asmarch x86
 %define hdrarch i386
-%define pae PAE
 %define all_arch_configs kernel-%{version}-i?86*.config
 %define kernel_image arch/x86/boot/bzImage
 %endif
@@ -265,7 +262,7 @@ Summary: The Linux kernel
 %define kernel_image arch/x86/boot/bzImage
 %endif
 
-%ifarch %{power64}
+%ifarch ppc64le
 %define asmarch powerpc
 %define hdrarch powerpc
 %define make_target vmlinux
@@ -288,7 +285,6 @@ Summary: The Linux kernel
 %define skip_nonpae_vdso 1
 %define asmarch arm
 %define hdrarch arm
-%define pae lpae
 %define make_target bzImage
 %define kernel_image arch/arm/boot/zImage
 # http://lists.infradead.org/pipermail/linux-arm-kernel/2012-March/091404.html
@@ -345,13 +341,8 @@ Summary: The Linux kernel
 %define _enable_debug_packages 0
 %endif
 
-%define with_pae_debug 0
-%if %{with_pae}
-%define with_pae_debug %{with_debug}
-%endif
-
 # Architectures we build tools/cpupower on
-%define cpupowerarchs %{ix86} x86_64 %{power64} %{arm} aarch64
+%define cpupowerarchs %{ix86} x86_64 ppc64le %{arm} aarch64
 
 %if %{use_vdso}
 
@@ -415,7 +406,6 @@ BuildConflicts: rpm < 4.13.0.1-19
 %undefine _unique_debug_srcs
 %undefine _debugsource_packages
 %undefine _debuginfo_subpackages
-%undefine _include_gdb_index
 %global _find_debuginfo_opts -r
 %global _missing_build_ids_terminate_build 1
 %global _no_recompute_build_ids 1
@@ -544,8 +534,6 @@ Patch122: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
 
 Patch201: efi-lockdown.patch
 
-Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
-
 # bz 1497559 - Make kernel MODSIGN code not error on missing variables
 Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
 Patch208: 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
@@ -597,6 +585,16 @@ Patch501: input-rmi4-remove-the-need-for-artifical-IRQ.patch
 Patch506: 0001-s390-jump_label-Correct-asm-contraint.patch
 Patch507: 0001-Drop-that-for-now.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1701096
+# Submitted upstream at https://lkml.org/lkml/2019/4/23/89
+Patch508: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
+
+# CVE-2019-3900 rhbz 1698757 1702940
+Patch524: net-vhost_net-fix-possible-infinite-loop.patch
+
+# Fix wifi on various ideapad models not working (rhbz#1703338)
+Patch526: 0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch
+
 Patch550: riscv-arm-fix.patch
 
 # END OF PATCH DEFINITIONS
@@ -766,7 +764,7 @@ The meta-package for the %{1} kernel\
 Summary: %{variant_summary}\
 Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
 Provides: installonlypkg(kernel)\
-%ifarch %{power64}\
+%ifarch ppc64le\
 Obsoletes: kernel-bootwrapper\
 %endif\
 %{expand:%%kernel_reqprovconf}\
@@ -782,37 +780,13 @@ Obsoletes: kernel-bootwrapper\
 # Now, each variant package.
 
 %if %{with_pae}
-%ifnarch armv7hl
-%define variant_summary The Linux kernel compiled for PAE capable machines
-%kernel_variant_package %{pae}
-%description %{pae}-core
-This package includes a version of the Linux kernel with support for up to
-64GB of high memory. It requires a CPU with Physical Address Extensions (PAE).
-The non-PAE kernel can only address up to 4GB of memory.
-Install the kernel-PAE package if your machine has more than 4GB of memory.
-%else
 %define variant_summary The Linux kernel compiled for Cortex-A15
-%kernel_variant_package %{pae}
-%description %{pae}-core
+%kernel_variant_package lpae
+%description lpae-core
 This package includes a version of the Linux kernel with support for
 Cortex-A15 devices with LPAE and HW virtualisation support
 %endif
 
-
-%define variant_summary The Linux kernel compiled with extra debugging enabled for PAE capable machines
-%kernel_variant_package %{pae}debug
-Obsoletes: kernel-PAE-debug
-%description %{pae}debug-core
-This package includes a version of the Linux kernel with support for up to
-64GB of high memory. It requires a CPU with Physical Address Extensions (PAE).
-The non-PAE kernel can only address up to 4GB of memory.
-Install the kernel-PAE package if your machine has more than 4GB of memory.
-
-This variant of the kernel has numerous debugging options enabled.
-It should only be installed when trying to gather additional information
-on kernel bugs, as some of these options impact performance noticably.
-%endif
-
 %define variant_summary The Linux kernel compiled with extra debugging enabled
 %kernel_variant_package debug
 %description debug-core
@@ -1365,7 +1339,7 @@ BuildKernel() {
     fi
     rm -f $RPM_BUILD_ROOT/lib/modules/$KernelVer/build/scripts/*.o
     rm -f $RPM_BUILD_ROOT/lib/modules/$KernelVer/build/scripts/*/*.o
-%ifarch %{power64}
+%ifarch ppc64le
     cp -a --parents arch/powerpc/lib/crtsavres.[So] $RPM_BUILD_ROOT/lib/modules/$KernelVer/build/
 %endif
     if [ -d arch/%{asmarch}/include ]; then
@@ -1564,12 +1538,8 @@ cd linux-%{KVERREL}
 BuildKernel %make_target %kernel_image %{_use_vdso} debug
 %endif
 
-%if %{with_pae_debug}
-BuildKernel %make_target %kernel_image %{use_vdso} %{pae}debug
-%endif
-
 %if %{with_pae}
-BuildKernel %make_target %kernel_image %{use_vdso} %{pae}
+BuildKernel %make_target %kernel_image %{use_vdso} lpae
 %endif
 
 %if %{with_up}
@@ -1590,14 +1560,11 @@ BuildKernel %make_target %kernel_image %{_use_vdso}
 %define __modsign_install_post \
   if [ "%{signmodules}" -eq "1" ]; then \
     if [ "%{with_pae}" -ne "0" ]; then \
-      %{modsign_cmd} certs/signing_key.pem.sign+%{pae} certs/signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \
+      %{modsign_cmd} certs/signing_key.pem.sign+lpae certs/signing_key.x509.sign+lpae $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+lpae/ \
     fi \
     if [ "%{with_debug}" -ne "0" ]; then \
       %{modsign_cmd} certs/signing_key.pem.sign+debug certs/signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \
     fi \
-    if [ "%{with_pae_debug}" -ne "0" ]; then \
-      %{modsign_cmd} certs/signing_key.pem.sign+%{pae}debug certs/signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \
-    fi \
     if [ "%{with_up}" -ne "0" ]; then \
       %{modsign_cmd} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
     fi \
@@ -1776,11 +1743,8 @@ fi}\
 %kernel_variant_post -r kernel-smp
 
 %if %{with_pae}
-%kernel_variant_preun %{pae}
-%kernel_variant_post -v %{pae} -r (kernel|kernel-smp)
-
-%kernel_variant_post -v %{pae}debug -r (kernel|kernel-smp)
-%kernel_variant_preun %{pae}debug
+%kernel_variant_preun lpae
+%kernel_variant_post -v lpae -r (kernel|kernel-smp)
 %endif
 
 %kernel_variant_preun debug
@@ -1864,14 +1828,85 @@ fi
 
 %kernel_variant_files %{_use_vdso} %{with_up}
 %kernel_variant_files %{_use_vdso} %{with_debug} debug
-%kernel_variant_files %{use_vdso} %{with_pae} %{pae}
-%kernel_variant_files %{use_vdso} %{with_pae_debug} %{pae}debug
+%kernel_variant_files %{use_vdso} %{with_pae} lpae
 
 # plz don't put in a version string unless you're going to tag
 # and build.
 #
 #
 %changelog
+* Fri May 03 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc7.git4.1
+- Linux v5.1-rc7-131-gea9866793d1e
+
+* Thu May 02 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc7.git3.1
+- Linux v5.1-rc7-29-g600d7258316d
+
+* Wed May 01 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc7.git2.1
+- Linux v5.1-rc7-16-gf2bc9c908dfe
+
+* Tue Apr 30 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc7.git1.1
+- Linux v5.1-rc7-5-g83a50840e72a
+
+* Tue Apr 30 2019 Jeremy Cline <jcline@redhat.com>
+- Reenable debugging options.
+
+* Tue Apr 30 2019 Hans de Goede <hdegoede@redhat.com>
+- Fix wifi on various ideapad models not working (rhbz#1703338)
+
+* Mon Apr 29 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc7.git0.1
+- Linux v5.1-rc7
+
+* Mon Apr 29 2019 Jeremy Cline <jcline@redhat.com>
+- Disable debugging options.
+
+* Fri Apr 26 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git4.1
+- Linux v5.1-rc6-72-g8113a85f8720
+
+* Thu Apr 25 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git3.1
+- Linux v5.1-rc6-64-gcd8dead0c394
+
+* Thu Apr 25 2019 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2019-3900 (rhbz 1698757 1702940)
+
+* Wed Apr 24 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git2.1
+- Linux v5.1-rc6-15-gba25b50d582f
+
+* Tue Apr 23 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git1.1
+- Linux v5.1-rc6-4-g7142eaa58b49
+
+* Tue Apr 23 2019 Jeremy Cline <jcline@redhat.com>
+- Reenable debugging options.
+
+* Tue Apr 23 2019 Jeremy Cline <jcline@redhat.com>
+- Allow modules signed by keys in the platform keyring (rbhz 1701096)
+
+* Mon Apr 22 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git0.1
+- Linux v5.1-rc6
+
+* Mon Apr 22 2019 Jeremy Cline <jcline@redhat.com>
+- Disable debugging options.
+
+* Wed Apr 17 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc5.git2.1
+- Linux v5.1-rc5-36-g444fe9913539
+
+* Tue Apr 16 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc5.git1.1
+- Linux v5.1-rc5-10-g618d919cae2f
+
+* Tue Apr 16 2019 Jeremy Cline <jcline@redhat.com>
+- Reenable debugging options.
+
+* Mon Apr 15 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc5.git0.1
+- Linux v5.1-rc5
+
+* Mon Apr 15 2019 Jeremy Cline <jcline@redhat.com>
+- Disable debugging options.
+
+* Fri Apr 12 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc4.git4.1
+- Linux v5.1-rc4-184-g8ee15f324866
+
+* Thu Apr 11 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc4.git3.1
+- Linux v5.1-rc4-58-g582549e3fbe1
+
 * Wed Apr 10 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc4.git2.1
 - Linux v5.1-rc4-43-g771acc7e4a6e
 

net-vhost_net-fix-possible-infinite-loop.patch

@@ -0,0 +1,200 @@
+From patchwork Thu Apr 25 07:33:19 2019
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Jason Wang <jasowang@redhat.com>
+X-Patchwork-Id: 10916185
+Return-Path: <kvm-owner@kernel.org>
+Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
+ [172.30.200.125])
+	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E4F501575
+	for <patchwork-kvm@patchwork.kernel.org>;
+ Thu, 25 Apr 2019 07:33:33 +0000 (UTC)
+Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
+	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D276828BD7
+	for <patchwork-kvm@patchwork.kernel.org>;
+ Thu, 25 Apr 2019 07:33:33 +0000 (UTC)
+Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
+	id C64AC28BE1; Thu, 25 Apr 2019 07:33:33 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
+	pdx-wl-mail.web.codeaurora.org
+X-Spam-Level: 
+X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
+	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 590B228BD7
+	for <patchwork-kvm@patchwork.kernel.org>;
+ Thu, 25 Apr 2019 07:33:33 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+        id S1726957AbfDYHd1 (ORCPT
+        <rfc822;patchwork-kvm@patchwork.kernel.org>);
+        Thu, 25 Apr 2019 03:33:27 -0400
+Received: from mx1.redhat.com ([209.132.183.28]:60130 "EHLO mx1.redhat.com"
+        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+        id S1726317AbfDYHd1 (ORCPT <rfc822;kvm@vger.kernel.org>);
+        Thu, 25 Apr 2019 03:33:27 -0400
+Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
+ [10.5.11.22])
+        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
+        (No client certificate requested)
+        by mx1.redhat.com (Postfix) with ESMTPS id C2BCE3002619;
+        Thu, 25 Apr 2019 07:33:26 +0000 (UTC)
+Received: from hp-dl380pg8-02.lab.eng.pek2.redhat.com
+ (hp-dl380pg8-02.lab.eng.pek2.redhat.com [10.73.8.12])
+        by smtp.corp.redhat.com (Postfix) with ESMTP id 5DA021001DDB;
+        Thu, 25 Apr 2019 07:33:21 +0000 (UTC)
+From: Jason Wang <jasowang@redhat.com>
+To: mst@redhat.com, jasowang@redhat.com, kvm@vger.kernel.org,
+        virtualization@lists.linux-foundation.org, netdev@vger.kernel.org,
+        linux-kernel@vger.kernel.org
+Cc: ppandit@redhat.com
+Subject: [PATCH net] vhost_net: fix possible infinite loop
+Date: Thu, 25 Apr 2019 03:33:19 -0400
+Message-Id: <1556177599-56248-1-git-send-email-jasowang@redhat.com>
+X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
+X-Greylist: Sender IP whitelisted,
+ not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]);
+ Thu, 25 Apr 2019 07:33:26 +0000 (UTC)
+Sender: kvm-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <kvm.vger.kernel.org>
+X-Mailing-List: kvm@vger.kernel.org
+X-Virus-Scanned: ClamAV using ClamSMTP
+
+When the rx buffer is too small for a packet, we will discard the vq
+descriptor and retry it for the next packet:
+
+while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
+					      &busyloop_intr))) {
+...
+	/* On overrun, truncate and discard */
+	if (unlikely(headcount > UIO_MAXIOV)) {
+		iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
+		err = sock->ops->recvmsg(sock, &msg,
+					 1, MSG_DONTWAIT | MSG_TRUNC);
+		pr_debug("Discarded rx packet: len %zd\n", sock_len);
+		continue;
+	}
+...
+}
+
+This makes it possible to trigger a infinite while..continue loop
+through the co-opreation of two VMs like:
+
+1) Malicious VM1 allocate 1 byte rx buffer and try to slow down the
+   vhost process as much as possible e.g using indirect descriptors or
+   other.
+2) Malicious VM2 generate packets to VM1 as fast as possible
+
+Fixing this by checking against weight at the end of RX and TX
+loop. This also eliminate other similar cases when:
+
+- userspace is consuming the packets in the meanwhile
+- theoretical TOCTOU attack if guest moving avail index back and forth
+  to hit the continue after vhost find guest just add new buffers
+
+This addresses CVE-2019-3900.
+
+Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short")
+Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ drivers/vhost/net.c | 41 +++++++++++++++++++++--------------------
+ 1 file changed, 21 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index df51a35..fb46e6b 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -778,8 +778,9 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock)
+ 	int err;
+ 	int sent_pkts = 0;
+ 	bool sock_can_batch = (sock->sk->sk_sndbuf == INT_MAX);
++	bool next_round = false;
+ 
+-	for (;;) {
++	do {
+ 		bool busyloop_intr = false;
+ 
+ 		if (nvq->done_idx == VHOST_NET_BATCH)
+@@ -845,11 +846,10 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock)
+ 		vq->heads[nvq->done_idx].id = cpu_to_vhost32(vq, head);
+ 		vq->heads[nvq->done_idx].len = 0;
+ 		++nvq->done_idx;
+-		if (vhost_exceeds_weight(++sent_pkts, total_len)) {
+-			vhost_poll_queue(&vq->poll);
+-			break;
+-		}
+-	}
++	} while (!(next_round = vhost_exceeds_weight(++sent_pkts, total_len)));
++
++	if (next_round)
++		vhost_poll_queue(&vq->poll);
+ 
+ 	vhost_tx_batch(net, nvq, sock, &msg);
+ }
+@@ -873,8 +873,9 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)
+ 	struct vhost_net_ubuf_ref *uninitialized_var(ubufs);
+ 	bool zcopy_used;
+ 	int sent_pkts = 0;
++	bool next_round = false;
+ 
+-	for (;;) {
++	do {
+ 		bool busyloop_intr;
+ 
+ 		/* Release DMAs done buffers first */
+@@ -951,11 +952,10 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)
+ 		else
+ 			vhost_zerocopy_signal_used(net, vq);
+ 		vhost_net_tx_packet(net);
+-		if (unlikely(vhost_exceeds_weight(++sent_pkts, total_len))) {
+-			vhost_poll_queue(&vq->poll);
+-			break;
+-		}
+-	}
++	} while (!(next_round = vhost_exceeds_weight(++sent_pkts, total_len)));
++
++	if (next_round)
++		vhost_poll_queue(&vq->poll);
+ }
+ 
+ /* Expects to be always run from workqueue - which acts as
+@@ -1134,6 +1134,7 @@ static void handle_rx(struct vhost_net *net)
+ 	struct iov_iter fixup;
+ 	__virtio16 num_buffers;
+ 	int recv_pkts = 0;
++	bool next_round = false;
+ 
+ 	mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_RX);
+ 	sock = vq->private_data;
+@@ -1153,8 +1154,11 @@ static void handle_rx(struct vhost_net *net)
+ 		vq->log : NULL;
+ 	mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);
+ 
+-	while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
+-						      &busyloop_intr))) {
++	do {
++		sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
++						      &busyloop_intr);
++		if (!sock_len)
++			break;
+ 		sock_len += sock_hlen;
+ 		vhost_len = sock_len + vhost_hlen;
+ 		headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,
+@@ -1239,12 +1243,9 @@ static void handle_rx(struct vhost_net *net)
+ 			vhost_log_write(vq, vq_log, log, vhost_len,
+ 					vq->iov, in);
+ 		total_len += vhost_len;
+-		if (unlikely(vhost_exceeds_weight(++recv_pkts, total_len))) {
+-			vhost_poll_queue(&vq->poll);
+-			goto out;
+-		}
+-	}
+-	if (unlikely(busyloop_intr))
++	} while (!(next_round = vhost_exceeds_weight(++recv_pkts, total_len)));
++
++	if (unlikely(busyloop_intr || next_round))
+ 		vhost_poll_queue(&vq->poll);
+ 	else
+ 		vhost_net_enable_vq(net, vq);

sources

@@ -1,3 +1,3 @@
 SHA512 (linux-5.0.tar.xz) = 3fbab70c7b03b1a10e9fa14d1e2e1f550faba4f5792b7699ca006951da74ab86e7d7f19c6a67849ab99343186e7d6f2752cd910d76222213b93c1eab90abf1b0
-SHA512 (patch-5.1-rc4.xz) = 1feffe95816601137c4b2a09a5d14d8b023d05d7a3bb259ea42a05fc52ca48c8176a4477f88bfe4bcd8220f3e174793ddbefe7896807fdafaf5153934222eac2
-SHA512 (patch-5.1-rc4-git2.xz) = 81103e3340bc362c523c0c053157d9fe6946fffe03782302154b3be50eec7d7328b95cc50e0269405e8b610265c160ab5ca1df8de348cc0e5630d1edcebd56e8
+SHA512 (patch-5.1-rc7.xz) = 8e2c0f9843f08c9911ca14dedaed48ee1995bb12aec9b1e718d3f4cc23d8a0e8d21c368d40f78a43dcdea628e617a190344f0b6c63a4311a36d906da84d98702
+SHA512 (patch-5.1-rc7-git4.xz) = 496ad8576733ffe434c18544a9d2624281374b3f825f930a7f4518d319001a499b60d06fb6d3b21fd8b85b267666effefd3ad06f6c2a89348b284ea9db7a3f85