Use the latest version of the kernel lockdown patch set. This includes a
few configuration renames:
CONFIG_KEXEC_VERIFY_SIG became CONFIG_KEXEC_SIG and
CONFIG_KEXEC_SIG_FORCE was added. CONFIG_KEXEC_SIG_FORCE=n because the
"kexec_file: Restrict at runtime if the kernel is locked down" patch
enforces the signature requirement when the kernel is locked down.
CONFIG_LOCK_DOWN_MANDATORY got renamed to CONFIG_LOCK_DOWN_KERNEL_FORCE
and remains false as LOCK_DOWN_IN_EFI_SECURE_BOOT covers enabling it for
EFI Secure Boot users.
Finally, the SysRq patches got dropped for the present.

There are 23 Kconfig symbols referenced in the files used for
configuration generation and in the shipped .config files that were
dropped in upstream v5.1-rc1. The references to these symbols can be
safely removed.
These symbols are:
CONFIG_AD7152
CONFIG_DEFAULT_SECURITY_DAC
CONFIG_DEFAULT_SECURITY_SELINUX
CONFIG_EARLY_PRINTK_EFI
CONFIG_EXOFS_FS
CONFIG_EXT4_ENCRYPTION
CONFIG_F2FS_FS_ENCRYPTION
CONFIG_FB_XGI
CONFIG_MTD_MT81xx_NOR
CONFIG_NFT_CHAIN_NAT_IPV4
CONFIG_NFT_CHAIN_NAT_IPV6
CONFIG_NFT_MASQ_IPV4
CONFIG_NFT_MASQ_IPV6
CONFIG_NFT_REDIR_IPV4
CONFIG_NFT_REDIR_IPV6
CONFIG_SCSI_OSD_DEBUG
CONFIG_SCSI_OSD_DPRINT_SENSE
CONFIG_SCSI_OSD_INITIATOR
CONFIG_SCSI_OSD_ULD
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
CONFIG_SND_AUDIO_GRAPH_SCU_CARD
CONFIG_SND_SIMPLE_SCU_CARD
CONFIG_UBIFS_FS_ENCRYPTION
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>

Three Kconfig symbols were added to upstream v5.0-rc1 but dropped before
v5.0 was released (for various reasons): FB_LOGO_CENTER, RESCTRL, and
X86_RESCTRL. Remove them from our configuration generation system too.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>

There are 255 overrides that have no effect as they are identical to the
files they override. In other words: these overrides have no effect on
the shipped .config files. They can safely be dropped.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>

It's off in the generic config, no need to make it more off.
Fat-fingered-by: Jeremy Cline <jcline@redhat.com>
Spotted-by: Paul Bolle <pebolle@tiscali.nl>

These non-standard filenames have no effect on the build, but should
still be fixed since they could be confusing (to people and scripts).
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>

There are 26 Kconfig symbols referenced in the files used for
configuration generation and in the shipped .config files that were
dropped in upstream v5.0-rc1. The references to these symbols can be
safely removed.
These symbols are:
CONFIG_BLK_WBT_SQ
CONFIG_CFQ_GROUP_IOSCHED
CONFIG_DEFAULT_CFQ
CONFIG_DEFAULT_DEADLINE
CONFIG_DEFAULT_NOOP
CONFIG_DRM_EXYNOS_IOMMU
CONFIG_IMX7_PM_DOMAINS
CONFIG_INTEL_RDT
CONFIG_IOSCHED_CFQ
CONFIG_IOSCHED_DEADLINE
CONFIG_IOSCHED_NOOP
CONFIG_MICROCHIP_KSZ
CONFIG_MICROCHIP_KSZ_SPI_DRIVER
CONFIG_MTD_PHYSMAP_OF_GEMINI
CONFIG_MTD_PHYSMAP_OF_VERSATILE
CONFIG_MTD_SPINAND_MT29F
CONFIG_MTD_SPINAND_ONDIEECC
CONFIG_QTNFMAC_PEARL_PCIE
CONFIG_SCSI_MQ_DEFAULT
CONFIG_SND_AM33XX_SOC_EVM
CONFIG_SND_DAVINCI_SOC
CONFIG_SND_DAVINCI_SOC_GENERIC_EVM
CONFIG_SND_DAVINCI_SOC_I2S
CONFIG_SND_DAVINCI_SOC_MCASP
CONFIG_SND_DAVINCI_SOC_VCIF
CONFIG_SND_EDMA_SOC
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>

Commit cc1db7f347 ("Updates for secure boot") and commit 8e8de459e7
("Forgot to remove dropped patches") removed the patches that added
Kconfig symbols EFI_SIGNATURE_LIST_PARSER and LOAD_UEFI_KEYS. Remove
these symbols from the configuration generation directory and from the
shipped .config files.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>

Waaay back in October, we saw some issues with various system firmware
talking to the AMD SP PSP devices (the secure processor feature), and so
CONFIG_CRYPTO_DEV_SP_PSP got disabled in all of our kernel trees, as
Laura noted here: https://bugzilla.redhat.com/show_bug.cgi?id=1608242#c44 .
I'm trying to use it, and this obviously makes that impossible to do, so
I'm going to re-enable it in rawhide, because the timeout that's being
discussed in that bugzilla thread is already there, and so the firmware
bugs people saw before shouldn't make things completely unusable.
If you *do* see debilitating stalls on AMD EPYC hardware starting after
the next rawhide build, make some noise so we can disable it again.
(I've also posted this to kernel@l.fp.o: https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org/thread/22XCMRU4R75M4D5OSXE7YMWYVOBQIU2M/ )
Signed-off-by: Peter Jones <pjones@redhat.com>
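
The renames and removals described in the commit messages above can be checked against a config file mechanically. The following is an added example, not part of any of these commits or of the Fedora kernel tooling: it flags options still written under a pre-rename name and references to symbols the messages say were dropped. The `DROPPED` set is a subset of the listed symbols, and the function names and `SAMPLE` input are constructed for illustration.

```python
import re

# Renames stated in the first commit message (old name -> new name).
RENAMED = {
    "CONFIG_KEXEC_VERIFY_SIG": "CONFIG_KEXEC_SIG",
    "CONFIG_LOCK_DOWN_MANDATORY": "CONFIG_LOCK_DOWN_KERNEL_FORCE",
}
# A subset of the symbols the later commit messages list as dropped.
DROPPED = {"CONFIG_EFI_SIGNATURE_LIST_PARSER", "CONFIG_LOAD_UEFI_KEYS",
           "CONFIG_EXT4_ENCRYPTION", "CONFIG_IOSCHED_CFQ"}

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

def parse_config(text):
    """Return {symbol: value}; '# CONFIG_X is not set' lines map to 'n'."""
    symbols = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET.match(line):
            symbols[m.group(1)] = m.group(2)
        elif m := _UNSET.match(line):
            symbols[m.group(1)] = "n"
    return symbols

def audit(text):
    """Return sorted findings for renamed or dropped names in a .config."""
    symbols = parse_config(text)
    findings = []
    for name, value in symbols.items():
        if name in RENAMED:
            new = RENAMED[name]
            state = symbols.get(new, "missing")
            findings.append(f"{name}={value} is stale; {new} is {state}")
        elif name in DROPPED:
            findings.append(f"{name}={value} refers to a dropped symbol")
    return sorted(findings)

# Constructed sample input, not a shipped Fedora config.
SAMPLE = """\
CONFIG_KEXEC_VERIFY_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
# CONFIG_LOCK_DOWN_MANDATORY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
CONFIG_LOAD_UEFI_KEYS=y
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The finding to act on first is an old name set to `y` while its replacement is missing, since that is where an intended signature or lockdown setting is not being expressed under the name the patch set now uses.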