Linux v4.18.20

Linux v4.18.19
Fix CVE-2018-18710 (rhbz 1645140 1648485)
2018-11-21 11:10:41 -05:00 · 2018-11-14 16:40:51 -05:00 · 2018-11-14 16:34:23 -05:00 · 2018-11-11 18:45:55 -08:00 · 2018-11-05 09:30:38 -08:00 · 2018-10-23 03:29:31 -07:00
21372 changed files with 160253 additions and 392344 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,10 @@
+clog
 *.xz
 *.bz2
+*.rpm
+*.orig
+*.sign
+kernel-[234].*/
+perf-man-*.tar.gz
+kernel-tools/
+kernel-headers/
--- a/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
+++ b/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
@ -0,0 +1,109 @@
+From 3ce5852ec6add45a28fe1706e9163351940e905c Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 2 Oct 2017 18:25:29 -0400
+Subject: [PATCH 1/3] Make get_cert_list() not complain about cert lists that
+ aren't present.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ certs/load_uefi.c | 37 ++++++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/certs/load_uefi.c b/certs/load_uefi.c
+index 3d884598601..9ef34c44fd1 100644
+--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
+@@ -35,8 +35,8 @@ static __init bool uefi_check_ignore_db(void)
+ /*
+  * Get a certificate list blob from the named EFI variable.
+  */
+-static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+-				  unsigned long *size)
+static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+				unsigned long *size, void **cert_list)
+ {
+ 	efi_status_t status;
+ 	unsigned long lsize = 4;
+@@ -44,26 +44,33 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+ 	void *db;
+ 
+ 	status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
+	if (status == EFI_NOT_FOUND) {
+		*size = 0;
+		*cert_list = NULL;
+		return 0;
+	}
+
+ 	if (status != EFI_BUFFER_TOO_SMALL) {
+ 		pr_err("Couldn't get size: 0x%lx\n", status);
+-		return NULL;
+		return efi_status_to_err(status);
+ 	}
+ 
+ 	db = kmalloc(lsize, GFP_KERNEL);
+ 	if (!db) {
+ 		pr_err("Couldn't allocate memory for uefi cert list\n");
+-		return NULL;
+		return -ENOMEM;
+ 	}
+ 
+ 	status = efi.get_variable(name, guid, NULL, &lsize, db);
+ 	if (status != EFI_SUCCESS) {
+ 		kfree(db);
+ 		pr_err("Error reading db var: 0x%lx\n", status);
+-		return NULL;
+		return efi_status_to_err(status);
+ 	}
+ 
+ 	*size = lsize;
+-	return db;
+	*cert_list = db;
+	return 0;
+ }
+ 
+ /*
+@@ -152,10 +159,10 @@ static int __init load_uefi_certs(void)
+ 	 * an error if we can't get them.
+ 	 */
+ 	if (!uefi_check_ignore_db()) {
+-		db = get_cert_list(L"db", &secure_var, &dbsize);
+-		if (!db) {
+		rc = get_cert_list(L"db", &secure_var, &dbsize, &db);
+		if (rc < 0) {
+ 			pr_err("MODSIGN: Couldn't get UEFI db list\n");
+-		} else {
+		} else if (dbsize != 0) {
+ 			rc = parse_efi_signature_list("UEFI:db",
+ 						      db, dbsize, get_handler_for_db);
+ 			if (rc)
+@@ -164,10 +171,10 @@ static int __init load_uefi_certs(void)
+ 		}
+ 	}
+ 
+-	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+-	if (!mok) {
+	rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
+	if (rc < 0) {
+ 		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
+-	} else {
+	} else if (moksize != 0) {
+ 		rc = parse_efi_signature_list("UEFI:MokListRT",
+ 					      mok, moksize, get_handler_for_db);
+ 		if (rc)
+@@ -175,10 +182,10 @@ static int __init load_uefi_certs(void)
+ 		kfree(mok);
+ 	}
+ 
+-	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
+-	if (!dbx) {
+	rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx);
+	if (rc < 0) {
+ 		pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
+-	} else {
+	} else if (dbxsize != 0) {
+ 		rc = parse_efi_signature_list("UEFI:dbx",
+ 					      dbx, dbxsize,
+ 					      get_handler_for_dbx);
+-- 
+2.15.0
+
--- a/0001-iio-Use-event-header-from-kernel-tree.patch
+++ b/0001-iio-Use-event-header-from-kernel-tree.patch
@ -0,0 +1,64 @@
+From 0eadbb65c0026fb4eec89c54f6b48a0febd87f92 Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@redhat.com>
+Date: Fri, 9 Sep 2016 08:19:17 -0700
+Subject: [PATCH] iio: Use type header from kernel tree
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+To: Jonathan Cameron <jic23@kernel.org>
+To: Hartmut Knaack <knaack.h@gmx.de>
+To: Lars-Peter Clausen <lars@metafoo.de>
+To: Peter Meerwald-Stadler <pmeerw@pmeerw.net>
+Cc: linux-iio@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+
+
+The iio tools have been updated as new event types have been added to
+the kernel. The tools currently use the standard system headers which
+means that the system may not have the newest defintitions. This leads
+to build failures when building newer tools on older hosts:
+
+gcc -Wall -g -D_GNU_SOURCE   -c -o iio_event_monitor.o
+iio_event_monitor.c
+iio_event_monitor.c:59:3: error: ‘IIO_UVINDEX’ undeclared here (not in a
+function)
+  [IIO_UVINDEX] = "uvindex",
+   ^~~~~~~~~~~
+iio_event_monitor.c:59:3: error: array index in initializer not of
+integer type
+iio_event_monitor.c:59:3: note: (near initialization for
+‘iio_chan_type_name_spec’)
+iio_event_monitor.c:97:3: error: ‘IIO_MOD_LIGHT_UV’ undeclared here (not
+in a function)
+  [IIO_MOD_LIGHT_UV] = "uv",
+   ^~~~~~~~~~~~~~~~
+iio_event_monitor.c:97:3: error: array index in initializer not of
+integer type
+iio_event_monitor.c:97:3: note: (near initialization for
+‘iio_modifier_names’)
+<builtin>: recipe for target 'iio_event_monitor.o' failed
+
+Switch to using the header from the kernel tree to ensure the newest
+defintions are always picked up.
+
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+---
+ tools/iio/iio_event_monitor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/iio/iio_event_monitor.c b/tools/iio/iio_event_monitor.c
+index d9b7e0f..f02523d 100644
+--- a/tools/iio/iio_event_monitor.c
+++ b/tools/iio/iio_event_monitor.c
+@@ -26,7 +26,7 @@
+ #include <sys/ioctl.h>
+ #include "iio_utils.h"
+ #include <linux/iio/events.h>
+-#include <linux/iio/types.h>
+#include "../../include/uapi/linux/iio/types.h"
+ 
+ static const char * const iio_chan_type_name_spec[] = {
+ 	[IIO_VOLTAGE] = "voltage",
+-- 
+2.7.4
+
--- a/0001-random-add-a-config-option-to-trust-the-CPU-s-hwrng.patch
+++ b/0001-random-add-a-config-option-to-trust-the-CPU-s-hwrng.patch
@ -0,0 +1,78 @@
+From 39a8883a2b989d1d21bd8dd99f5557f0c5e89694 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 17 Jul 2018 18:24:27 -0400
+Subject: [PATCH] random: add a config option to trust the CPU's hwrng
+
+This gives the user building their own kernel (or a Linux
+distribution) the option of deciding whether or not to trust the CPU's
+hardware random number generator (e.g., RDRAND for x86 CPU's) as being
+correctly implemented and not having a back door introduced (perhaps
+courtesy of a Nation State's law enforcement or intelligence
+agencies).
+
+This will prevent getrandom(2) from blocking, if there is a
+willingness to trust the CPU manufacturer.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+---
+ drivers/char/Kconfig  | 14 ++++++++++++++
+ drivers/char/random.c | 11 ++++++++++-
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index 212f447938ae..ce277ee0a28a 100644
+--- a/drivers/char/Kconfig
+++ b/drivers/char/Kconfig
+@@ -554,3 +554,17 @@ config ADI
+ 
+ endmenu
+ 
+config RANDOM_TRUST_CPU
+	bool "Trust the CPU manufacturer to initialize Linux's CRNG"
+	depends on X86 || S390 || PPC
+	default n
+	help
+	Assume that CPU manufacturer (e.g., Intel or AMD for RDSEED or
+	RDRAND, IBM for the S390 and Power PC architectures) is trustworthy
+	for the purposes of initializing Linux's CRNG.  Since this is not
+	something that can be independently audited, this amounts to trusting
+	that CPU manufacturer (perhaps with the insistence or mandate
+	of a Nation State's intelligence or law enforcement agencies)
+	has not installed a hidden back door to compromise the CPU's
+	random number generation facilities.
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 34ddfd57419b..f4013b8a711b 100644
+--- a/drivers/char/random.c
+++ b/drivers/char/random.c
+@@ -782,6 +782,7 @@ static void invalidate_batched_entropy(void);
+ static void crng_initialize(struct crng_state *crng)
+ {
+ 	int		i;
+	int		arch_init = 1;
+ 	unsigned long	rv;
+ 
+ 	memcpy(&crng->state[0], "expand 32-byte k", 16);
+@@ -792,10 +793,18 @@ static void crng_initialize(struct crng_state *crng)
+ 		_get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
+ 	for (i = 4; i < 16; i++) {
+ 		if (!arch_get_random_seed_long(&rv) &&
+-		    !arch_get_random_long(&rv))
+		    !arch_get_random_long(&rv)) {
+ 			rv = random_get_entropy();
+			arch_init = 0;
+		}
+ 		crng->state[i] ^= rv;
+ 	}
+#ifdef CONFIG_RANDOM_TRUST_CPU
+	if (arch_init) {
+		crng_init = 2;
+		pr_notice("random: crng done (trusting CPU's manufacturer)\n");
+	}
+#endif
+ 	crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
+ 
+-- 
+2.17.1
+
--- a/0001-random-make-CPU-trust-a-boot-parameter.patch
+++ b/0001-random-make-CPU-trust-a-boot-parameter.patch
@ -0,0 +1,82 @@
+From 9b25436662d5fb4c66eb527ead53cab15f596ee0 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 27 Aug 2018 14:51:54 -0700
+Subject: [PATCH] random: make CPU trust a boot parameter
+
+Instead of forcing a distro or other system builder to choose
+at build time whether the CPU is trusted for CRNG seeding via
+CONFIG_RANDOM_TRUST_CPU, provide a boot-time parameter for end users to
+control the choice. The CONFIG will set the default state instead.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+---
+ Documentation/admin-guide/kernel-parameters.txt |  6 ++++++
+ drivers/char/Kconfig                            |  4 ++--
+ drivers/char/random.c                           | 11 ++++++++---
+ 3 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index 0c8f7889efa1..227c5c6fa4c1 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -3390,6 +3390,12 @@
+ 	ramdisk_size=	[RAM] Sizes of RAM disks in kilobytes
+ 			See Documentation/blockdev/ramdisk.txt.
+ 
+	random.trust_cpu={on,off}
+			[KNL] Enable or disable trusting the use of the
+			CPU's random number generator (if available) to
+			fully seed the kernel's CRNG. Default is controlled
+			by CONFIG_RANDOM_TRUST_CPU.
+
+ 	ras=option[,option,...]	[KNL] RAS-specific options
+ 
+ 		cec_disable	[X86]
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index ce277ee0a28a..40728491f37b 100644
+--- a/drivers/char/Kconfig
+++ b/drivers/char/Kconfig
+@@ -566,5 +566,5 @@ config RANDOM_TRUST_CPU
+ 	that CPU manufacturer (perhaps with the insistence or mandate
+ 	of a Nation State's intelligence or law enforcement agencies)
+ 	has not installed a hidden back door to compromise the CPU's
+-	random number generation facilities.
+-
+	random number generation facilities. This can also be configured
+	at boot with "random.trust_cpu=on/off".
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index bf5f99fc36f1..c75b6cdf0053 100644
+--- a/drivers/char/random.c
+++ b/drivers/char/random.c
+@@ -779,6 +779,13 @@ static struct crng_state **crng_node_pool __read_mostly;
+ 
+ static void invalidate_batched_entropy(void);
+ 
+static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
+static int __init parse_trust_cpu(char *arg)
+{
+	return kstrtobool(arg, &trust_cpu);
+}
+early_param("random.trust_cpu", parse_trust_cpu);
+
+ static void crng_initialize(struct crng_state *crng)
+ {
+ 	int		i;
+@@ -799,12 +806,10 @@ static void crng_initialize(struct crng_state *crng)
+ 		}
+ 		crng->state[i] ^= rv;
+ 	}
+-#ifdef CONFIG_RANDOM_TRUST_CPU
+-	if (arch_init) {
+	if (trust_cpu && arch_init) {
+ 		crng_init = 2;
+ 		pr_notice("random: crng done (trusting CPU's manufacturer)\n");
+ 	}
+-#endif
+ 	crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
+ 
+-- 
+2.17.1
+
--- a/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
+++ b/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
@ -0,0 +1,183 @@
+From c8218e9b3c38fcd36a2d06eec09952a0c6cee9e0 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 2 Oct 2017 18:22:13 -0400
+Subject: [PATCH 2/3] Add efi_status_to_str() and rework efi_status_to_err().
+
+This adds efi_status_to_str() for use when printing efi_status_t
+messages, and reworks efi_status_to_err() so that the two use a common
+list of errors.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ include/linux/efi.h        |   3 ++
+ drivers/firmware/efi/efi.c | 122 ++++++++++++++++++++++++++++++++++-----------
+ 2 files changed, 95 insertions(+), 30 deletions(-)
+
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 18b16bf5ce1..436b3c93c3d 100644
+--- a/include/linux/efi.h
+++ b/include/linux/efi.h
+@@ -42,6 +42,8 @@
+ #define EFI_ABORTED		(21 | (1UL << (BITS_PER_LONG-1)))
+ #define EFI_SECURITY_VIOLATION	(26 | (1UL << (BITS_PER_LONG-1)))
+ 
+#define EFI_IS_ERROR(x)		((x) & (1UL << (BITS_PER_LONG-1)))
+
+ typedef unsigned long efi_status_t;
+ typedef u8 efi_bool_t;
+ typedef u16 efi_char16_t;		/* UNICODE character */
+@@ -1183,6 +1185,7 @@ static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
+ #endif
+ 
+ extern int efi_status_to_err(efi_status_t status);
+extern const char *efi_status_to_str(efi_status_t status);
+ 
+ /*
+  * Variable Attributes
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index 557a47829d0..e8f9c7d84e9 100644
+--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
+@@ -31,6 +31,7 @@
+ #include <linux/acpi.h>
+ #include <linux/ucs2_string.h>
+ #include <linux/memblock.h>
+#include <linux/bsearch.h>
+ 
+ #include <asm/early_ioremap.h>
+ 
+@@ -865,40 +866,101 @@ int efi_mem_type(unsigned long phys_addr)
+ }
+ #endif
+ 
+struct efi_error_code {
+	efi_status_t status;
+	int errno;
+	const char *description;
+};
+
+static const struct efi_error_code efi_error_codes[] = {
+	{ EFI_SUCCESS, 0, "Success"},
+#if 0
+	{ EFI_LOAD_ERROR, -EPICK_AN_ERRNO, "Load Error"},
+#endif
+	{ EFI_INVALID_PARAMETER, -EINVAL, "Invalid Parameter"},
+	{ EFI_UNSUPPORTED, -ENOSYS, "Unsupported"},
+	{ EFI_BAD_BUFFER_SIZE, -ENOSPC, "Bad Buffer Size"},
+	{ EFI_BUFFER_TOO_SMALL, -ENOSPC, "Buffer Too Small"},
+	{ EFI_NOT_READY, -EAGAIN, "Not Ready"},
+	{ EFI_DEVICE_ERROR, -EIO, "Device Error"},
+	{ EFI_WRITE_PROTECTED, -EROFS, "Write Protected"},
+	{ EFI_OUT_OF_RESOURCES, -ENOMEM, "Out of Resources"},
+#if 0
+	{ EFI_VOLUME_CORRUPTED, -EPICK_AN_ERRNO, "Volume Corrupt"},
+	{ EFI_VOLUME_FULL, -EPICK_AN_ERRNO, "Volume Full"},
+	{ EFI_NO_MEDIA, -EPICK_AN_ERRNO, "No Media"},
+	{ EFI_MEDIA_CHANGED, -EPICK_AN_ERRNO, "Media changed"},
+#endif
+	{ EFI_NOT_FOUND, -ENOENT, "Not Found"},
+#if 0
+	{ EFI_ACCESS_DENIED, -EPICK_AN_ERRNO, "Access Denied"},
+	{ EFI_NO_RESPONSE, -EPICK_AN_ERRNO, "No Response"},
+	{ EFI_NO_MAPPING, -EPICK_AN_ERRNO, "No mapping"},
+	{ EFI_TIMEOUT, -EPICK_AN_ERRNO, "Time out"},
+	{ EFI_NOT_STARTED, -EPICK_AN_ERRNO, "Not started"},
+	{ EFI_ALREADY_STARTED, -EPICK_AN_ERRNO, "Already started"},
+#endif
+	{ EFI_ABORTED, -EINTR, "Aborted"},
+#if 0
+	{ EFI_ICMP_ERROR, -EPICK_AN_ERRNO, "ICMP Error"},
+	{ EFI_TFTP_ERROR, -EPICK_AN_ERRNO, "TFTP Error"},
+	{ EFI_PROTOCOL_ERROR, -EPICK_AN_ERRNO, "Protocol Error"},
+	{ EFI_INCOMPATIBLE_VERSION, -EPICK_AN_ERRNO, "Incompatible Version"},
+#endif
+	{ EFI_SECURITY_VIOLATION, -EACCES, "Security Policy Violation"},
+#if 0
+	{ EFI_CRC_ERROR, -EPICK_AN_ERRNO, "CRC Error"},
+	{ EFI_END_OF_MEDIA, -EPICK_AN_ERRNO, "End of Media"},
+	{ EFI_END_OF_FILE, -EPICK_AN_ERRNO, "End of File"},
+	{ EFI_INVALID_LANGUAGE, -EPICK_AN_ERRNO, "Invalid Languages"},
+	{ EFI_COMPROMISED_DATA, -EPICK_AN_ERRNO, "Compromised Data"},
+
+	// warnings
+	{ EFI_WARN_UNKOWN_GLYPH, -EPICK_AN_ERRNO, "Warning Unknown Glyph"},
+	{ EFI_WARN_DELETE_FAILURE, -EPICK_AN_ERRNO, "Warning Delete Failure"},
+	{ EFI_WARN_WRITE_FAILURE, -EPICK_AN_ERRNO, "Warning Write Failure"},
+	{ EFI_WARN_BUFFER_TOO_SMALL, -EPICK_AN_ERRNO, "Warning Buffer Too Small"},
+#endif
+};
+
+static int
+efi_status_cmp_bsearch(const void *key, const void *item)
+{
+	u64 status = (u64)(uintptr_t)key;
+	struct efi_error_code *code = (struct efi_error_code *)item;
+
+	if (status < code->status)
+		return -1;
+	if (status > code->status)
+		return 1;
+	return 0;
+}
+
+ int efi_status_to_err(efi_status_t status)
+ {
+-	int err;
+	struct efi_error_code *found;
+	size_t num = sizeof(efi_error_codes) / sizeof(struct efi_error_code);
+ 
+-	switch (status) {
+-	case EFI_SUCCESS:
+-		err = 0;
+-		break;
+-	case EFI_INVALID_PARAMETER:
+-		err = -EINVAL;
+-		break;
+-	case EFI_OUT_OF_RESOURCES:
+-		err = -ENOSPC;
+-		break;
+-	case EFI_DEVICE_ERROR:
+-		err = -EIO;
+-		break;
+-	case EFI_WRITE_PROTECTED:
+-		err = -EROFS;
+-		break;
+-	case EFI_SECURITY_VIOLATION:
+-		err = -EACCES;
+-		break;
+-	case EFI_NOT_FOUND:
+-		err = -ENOENT;
+-		break;
+-	case EFI_ABORTED:
+-		err = -EINTR;
+-		break;
+-	default:
+-		err = -EINVAL;
+-	}
+	found = bsearch((void *)(uintptr_t)status, efi_error_codes,
+			sizeof(struct efi_error_code), num,
+			efi_status_cmp_bsearch);
+	if (!found)
+		return -EINVAL;
+	return found->errno;
+}
+ 
+-	return err;
+const char *
+efi_status_to_str(efi_status_t status)
+{
+	struct efi_error_code *found;
+	size_t num = sizeof(efi_error_codes) / sizeof(struct efi_error_code);
+
+	found = bsearch((void *)(uintptr_t)status, efi_error_codes,
+			sizeof(struct efi_error_code), num,
+			efi_status_cmp_bsearch);
+	if (!found)
+		return "Unknown error code";
+	return found->description;
+ }
+ 
+ bool efi_is_table_address(unsigned long phys_addr)
+-- 
+2.15.0
+
--- a/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch
+++ b/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch
@ -0,0 +1,38 @@
+From 520e902d864930e2d4f329983d9ae9781a24231f Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 2 Oct 2017 18:18:30 -0400
+Subject: [PATCH 3/3] Make get_cert_list() use efi_status_to_str() to print
+ error messages.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ certs/load_uefi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/certs/load_uefi.c b/certs/load_uefi.c
+index 9ef34c44fd1..13a2826715d 100644
+--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
+@@ -51,7 +51,8 @@ static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+ 	}
+ 
+ 	if (status != EFI_BUFFER_TOO_SMALL) {
+-		pr_err("Couldn't get size: 0x%lx\n", status);
+		pr_err("Couldn't get size: %s (0x%lx)\n",
+		       efi_status_to_str(status), status);
+ 		return efi_status_to_err(status);
+ 	}
+ 
+@@ -64,7 +65,8 @@ static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+ 	status = efi.get_variable(name, guid, NULL, &lsize, db);
+ 	if (status != EFI_SUCCESS) {
+ 		kfree(db);
+-		pr_err("Error reading db var: 0x%lx\n", status);
+		pr_err("Error reading db var: %s (0x%lx)\n",
+		       efi_status_to_str(status), status);
+ 		return efi_status_to_err(status);
+ 	}
+ 
+-- 
+2.15.0
+
--- a/ACPI-irq-Workaround-firmware-issue-on-X-Gene-based-m400.patch
+++ b/ACPI-irq-Workaround-firmware-issue-on-X-Gene-based-m400.patch
@ -0,0 +1,64 @@
+From dbdda4277cf0422a9ccb7ea98d0263c3cdbecdf6 Mon Sep 17 00:00:00 2001
+From: Mark Salter <msalter@redhat.com>
+Date: Tue, 8 May 2018 21:54:39 -0400
+Subject: [PATCH] ACPI / irq: Workaround firmware issue on X-Gene based
+ m400
+
+The ACPI firmware on the xgene-based m400 platorms erroneously
+describes its UART interrupt as ACPI_PRODUCER rather than
+ACPI_CONSUMER. This leads to the UART driver being unable to
+find its interrupt and the kernel unable find a console.
+Work around this by avoiding the producer/consumer check
+for X-Gene UARTs.
+
+Signed-off-by: Mark Salter <msalter@redhat.com>
+---
+ drivers/acpi/irq.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/irq.c b/drivers/acpi/irq.c
+index 7c352cba0528..028c1a564cff 100644
+--- a/drivers/acpi/irq.c
+++ b/drivers/acpi/irq.c
+@@ -129,6 +129,7 @@ struct acpi_irq_parse_one_ctx {
+ 	unsigned int index;
+ 	unsigned long *res_flags;
+ 	struct irq_fwspec *fwspec;
+	bool skip_producer_check;
+ };
+ 
+ /**
+@@ -200,7 +201,8 @@ static acpi_status acpi_irq_parse_one_cb(struct acpi_resource *ares,
+ 		return AE_CTRL_TERMINATE;
+ 	case ACPI_RESOURCE_TYPE_EXTENDED_IRQ:
+ 		eirq = &ares->data.extended_irq;
+-		if (eirq->producer_consumer == ACPI_PRODUCER)
+		if (!ctx->skip_producer_check &&
+		    eirq->producer_consumer == ACPI_PRODUCER)
+ 			return AE_OK;
+ 		if (ctx->index >= eirq->interrupt_count) {
+ 			ctx->index -= eirq->interrupt_count;
+@@ -235,8 +237,19 @@ static acpi_status acpi_irq_parse_one_cb(struct acpi_resource *ares,
+ static int acpi_irq_parse_one(acpi_handle handle, unsigned int index,
+ 			      struct irq_fwspec *fwspec, unsigned long *flags)
+ {
+-	struct acpi_irq_parse_one_ctx ctx = { -EINVAL, index, flags, fwspec };
+	struct acpi_irq_parse_one_ctx ctx = { -EINVAL, index, flags, fwspec, false };
+ 
+	/*
+	 * Firmware on arm64-based HPE m400 platform incorrectly marks
+	 * its UART interrupt as ACPI_PRODUCER rather than ACPI_CONSUMER.
+	 * Don't do the producer/consumer check for that device.
+	 */
+	if (IS_ENABLED(CONFIG_ARM64)) {
+		struct acpi_device *adev = acpi_bus_get_acpi_device(handle);
+
+		if (adev && !strcmp(acpi_device_hid(adev), "APMC0D08"))
+			ctx.skip_producer_check = true;
+	}
+ 	acpi_walk_resources(handle, METHOD_NAME__CRS, acpi_irq_parse_one_cb, &ctx);
+ 	return ctx.rc;
+ }
+-- 
+2.17.0
+
--- a/ACPI-scan-Fix-regression-related-to-X-Gene-UARTs.patch
+++ b/ACPI-scan-Fix-regression-related-to-X-Gene-UARTs.patch
@ -0,0 +1,44 @@
+From patchwork Fri Apr 20 03:29:47 2018
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: ACPI / scan: Fix regression related to X-Gene UARTs
+From: Mark Salter <msalter@redhat.com>
+X-Patchwork-Id: 10351797
+Message-Id: <20180420032947.23023-1-msalter@redhat.com>
+To: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?= <frederic.danis.oss@gmail.com>
+Cc: "Rafael J . Wysocki" <rjw@rjwysocki.net>,
+ linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org
+Date: Thu, 19 Apr 2018 23:29:47 -0400
+
+Commit e361d1f85855 ("ACPI / scan: Fix enumeration for special UART
+devices") caused a regression with some X-Gene based platforms (Mustang
+and M400) with invalid DSDT. The DSDT makes it appear that the UART
+device is also a slave device attached to itself. With the above commit
+the UART won't be enumerated by ACPI scan (slave serial devices shouldn't
+be). So check for X-Gene UART device and skip slace device check on it.
+
+Signed-off-by: Mark Salter <msalter@redhat.com>
+---
+ drivers/acpi/scan.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
+index cc234e6a6297..1dcdd0122862 100644
+--- a/drivers/acpi/scan.c
+++ b/drivers/acpi/scan.c
+@@ -1551,6 +1551,14 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device)
+ 	     fwnode_property_present(&device->fwnode, "baud")))
+ 		return true;
+ 
+	/*
+	 * Firmware on some arm64 X-Gene platforms will make the UART
+	 * device appear as both a UART and a slave of that UART. Just
+	 * bail out here for X-Gene UARTs.
+	 */
+	if (!strcmp(acpi_device_hid(device), "APMC0D08"))
+		return false;
+
+ 	INIT_LIST_HEAD(&resource_list);
+ 	acpi_dev_get_resources(device, &resource_list,
+ 			       acpi_check_serial_bus_slave,
--- a/ARM-tegra-usb-no-reset.patch
+++ b/ARM-tegra-usb-no-reset.patch
@ -0,0 +1,28 @@
+From: Peter Robinson <pbrobinson@gmail.com>
+Date: Thu, 3 May 2012 20:27:11 +0100
+Subject: [PATCH] ARM: tegra: usb no reset
+
+Patch for disconnect issues with storage attached to a
+ tegra-ehci controller
+---
+ drivers/usb/core/hub.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 43cb2f2e3b43..7f838ec11c81 100644
+--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
+@@ -4996,6 +4996,13 @@ static void hub_event(struct work_struct *work)
+ 			(u16) hub->change_bits[0],
+ 			(u16) hub->event_bits[0]);
+ 
+	/* Don't disconnect USB-SATA on TrimSlice */
+	if (strcmp(dev_name(hdev->bus->controller), "tegra-ehci.0") == 0) {
+		if ((hdev->state == 7) && (hub->change_bits[0] == 0) &&
+				(hub->event_bits[0] == 0x2))
+			hub->event_bits[0] = 0;
+	}
+
+ 	/* Lock the device, then check to see if we were
+ 	 * disconnected while waiting for the lock to succeed. */
+ 	usb_lock_device(hdev);
--- a/Add-EFI-signature-data-types.patch
+++ b/Add-EFI-signature-data-types.patch
@ -0,0 +1,60 @@
+From 0451d4e795929a69a0fda6d960aa4b077c5bd179 Mon Sep 17 00:00:00 2001
+From: Dave Howells <dhowells@redhat.com>
+Date: Fri, 5 May 2017 08:21:58 +0100
+Subject: [PATCH 1/4] efi: Add EFI signature data types
+
+Add the data types that are used for containing hashes, keys and
+certificates for cryptographic verification along with their corresponding
+type GUIDs.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ include/linux/efi.h | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index ec36f42..3259ad6 100644
+--- a/include/linux/efi.h
+++ b/include/linux/efi.h
+@@ -614,6 +614,10 @@ void efi_native_runtime_setup(void);
+ #define EFI_IMAGE_SECURITY_DATABASE_GUID	EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596,  0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
+ #define EFI_SHIM_LOCK_GUID			EFI_GUID(0x605dab50, 0xe046, 0x4300,  0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
+
+#define EFI_CERT_SHA256_GUID			EFI_GUID(0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28)
+#define EFI_CERT_X509_GUID			EFI_GUID(0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72)
+#define EFI_CERT_X509_SHA256_GUID		EFI_GUID(0x3bd2a492, 0x96c0, 0x4079, 0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed)
+
+ /*
+  * This GUID is used to pass to the kernel proper the struct screen_info
+  * structure that was populated by the stub based on the GOP protocol instance
+@@ -873,6 +877,27 @@ typedef struct {
+ 	efi_memory_desc_t entry[0];
+ } efi_memory_attributes_table_t;
+
+typedef struct  {
+	efi_guid_t signature_owner;
+	u8 signature_data[];
+} efi_signature_data_t;
+
+typedef struct {
+	efi_guid_t signature_type;
+	u32 signature_list_size;
+	u32 signature_header_size;
+	u32 signature_size;
+	u8 signature_header[];
+	/* efi_signature_data_t signatures[][] */
+} efi_signature_list_t;
+
+typedef u8 efi_sha256_hash_t[32];
+
+typedef struct {
+	efi_sha256_hash_t to_be_signed_hash;
+	efi_time_t time_of_revocation;
+} efi_cert_x509_sha256_t;
+
+ /*
+  * All runtime access to EFI goes through this structure:
+  */
+-- 
+2.9.3
+
--- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch
+++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
@ -0,0 +1,197 @@
+From e4c62c12635a371e43bd17e8d33a936668264491 Mon Sep 17 00:00:00 2001
+From: Dave Howells <dhowells@redhat.com>
+Date: Fri, 5 May 2017 08:21:58 +0100
+Subject: [PATCH 2/4] efi: Add an EFI signature blob parser
+
+Add a function to parse an EFI signature blob looking for elements of
+interest.  A list is made up of a series of sublists, where all the
+elements in a sublist are of the same type, but sublists can be of
+different types.
+
+For each sublist encountered, the function pointed to by the
+get_handler_for_guid argument is called with the type specifier GUID and
+returns either a pointer to a function to handle elements of that type or
+NULL if the type is not of interest.
+
+If the sublist is of interest, each element is passed to the handler
+function in turn.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ certs/Kconfig       |   8 ++++
+ certs/Makefile      |   1 +
+ certs/efi_parser.c  | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/efi.h |   9 +++++
+ 4 files changed, 130 insertions(+)
+ create mode 100644 certs/efi_parser.c
+
+diff --git a/certs/Kconfig b/certs/Kconfig
+index 6ce51ed..630ae09 100644
+--- a/certs/Kconfig
+++ b/certs/Kconfig
+@@ -82,4 +82,12 @@ config SYSTEM_BLACKLIST_HASH_LIST
+ 	  wrapper to incorporate the list into the kernel.  Each <hash> should
+ 	  be a string of hex digits.
+
+config EFI_SIGNATURE_LIST_PARSER
+	bool "EFI signature list parser"
+	depends on EFI
+	select X509_CERTIFICATE_PARSER
+	help
+	  This option provides support for parsing EFI signature lists for
+	  X.509 certificates and turning them into keys.
+
+ endmenu
+diff --git a/certs/Makefile b/certs/Makefile
+index 4119bb3..738151a 100644
+--- a/certs/Makefile
+++ b/certs/Makefile
+@@ -9,6 +9,7 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
+ else
+ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
+ endif
+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
+
+ ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
+
+diff --git a/certs/efi_parser.c b/certs/efi_parser.c
+new file mode 100644
+index 0000000..4e396f9
+--- /dev/null
+++ b/certs/efi_parser.c
+@@ -0,0 +1,112 @@
+/* EFI signature/key/certificate list parser
+ *
+ * Copyright (C) 2012, 2016 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) "EFI: "fmt
+#include <linux/module.h>
+#include <linux/printk.h>
+#include <linux/err.h>
+#include <linux/efi.h>
+
+/**
+ * parse_efi_signature_list - Parse an EFI signature list for certificates
+ * @source: The source of the key
+ * @data: The data blob to parse
+ * @size: The size of the data blob
+ * @get_handler_for_guid: Get the handler func for the sig type (or NULL)
+ *
+ * Parse an EFI signature list looking for elements of interest.  A list is
+ * made up of a series of sublists, where all the elements in a sublist are of
+ * the same type, but sublists can be of different types.
+ *
+ * For each sublist encountered, the @get_handler_for_guid function is called
+ * with the type specifier GUID and returns either a pointer to a function to
+ * handle elements of that type or NULL if the type is not of interest.
+ *
+ * If the sublist is of interest, each element is passed to the handler
+ * function in turn.
+ *
+ * Error EBADMSG is returned if the list doesn't parse correctly and 0 is
+ * returned if the list was parsed correctly.  No error can be returned from
+ * the @get_handler_for_guid function or the element handler function it
+ * returns.
+ */
+int __init parse_efi_signature_list(
+	const char *source,
+	const void *data, size_t size,
+	efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *))
+{
+	efi_element_handler_t handler;
+	unsigned offs = 0;
+
+	pr_devel("-->%s(,%zu)\n", __func__, size);
+
+	while (size > 0) {
+		const efi_signature_data_t *elem;
+		efi_signature_list_t list;
+		size_t lsize, esize, hsize, elsize;
+
+		if (size < sizeof(list))
+			return -EBADMSG;
+
+		memcpy(&list, data, sizeof(list));
+		pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n",
+			 offs,
+			 list.signature_type.b, list.signature_list_size,
+			 list.signature_header_size, list.signature_size);
+
+		lsize = list.signature_list_size;
+		hsize = list.signature_header_size;
+		esize = list.signature_size;
+		elsize = lsize - sizeof(list) - hsize;
+
+		if (lsize > size) {
+			pr_devel("<--%s() = -EBADMSG [overrun @%x]\n",
+				 __func__, offs);
+			return -EBADMSG;
+		}
+
+		if (lsize < sizeof(list) ||
+		    lsize - sizeof(list) < hsize ||
+		    esize < sizeof(*elem) ||
+		    elsize < esize ||
+		    elsize % esize != 0) {
+			pr_devel("- bad size combo @%x\n", offs);
+			return -EBADMSG;
+		}
+
+		handler = get_handler_for_guid(&list.signature_type);
+		if (!handler) {
+			data += lsize;
+			size -= lsize;
+			offs += lsize;
+			continue;
+		}
+
+		data += sizeof(list) + hsize;
+		size -= sizeof(list) + hsize;
+		offs += sizeof(list) + hsize;
+
+		for (; elsize > 0; elsize -= esize) {
+			elem = data;
+
+			pr_devel("ELEM[%04x]\n", offs);
+			handler(source,
+				&elem->signature_data,
+				esize - sizeof(*elem));
+
+			data += esize;
+			size -= esize;
+			offs += esize;
+		}
+	}
+
+	return 0;
+}
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 3259ad6..08024c6 100644
+--- a/include/linux/efi.h
+++ b/include/linux/efi.h
+@@ -1055,6 +1055,15 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
+ char * __init efi_md_typeattr_format(char *buf, size_t size,
+ 				     const efi_memory_desc_t *md);
+
+
+typedef void (*efi_element_handler_t)(const char *source,
+				      const void *element_data,
+				      size_t element_size);
+extern int __init parse_efi_signature_list(
+	const char *source,
+	const void *data, size_t size,
+	efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *));
+
+ /**
+  * efi_range_is_wc - check the WC bit on an address range
+  * @start: starting kvirt address
+-- 
+2.9.3
+
--- a/Add-option-to-automatically-enforce-module-signature.patch
+++ b/Add-option-to-automatically-enforce-module-signature.patch
@ -0,0 +1,217 @@
+From 6b6203b92cfb457a0669a9c87a29b360405bffc6 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Aug 2013 18:36:30 -0400
+Subject: [PATCH 10/20] Add option to automatically enforce module signatures
+ when in Secure Boot mode
+
+UEFI Secure Boot provides a mechanism for ensuring that the firmware will
+only load signed bootloaders and kernels. Certain use cases may also
+require that all kernel modules also be signed. Add a configuration option
+that enforces this automatically when enabled.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ Documentation/x86/zero-page.txt       |  2 ++
+ arch/x86/Kconfig                      | 11 ++++++
+ arch/x86/boot/compressed/eboot.c      | 66 +++++++++++++++++++++++++++++++++++
+ arch/x86/include/uapi/asm/bootparam.h |  3 +-
+ arch/x86/kernel/setup.c               |  6 ++++
+ include/linux/module.h                |  6 ++++
+ kernel/module.c                       |  7 ++++
+ 7 files changed, 100 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
+index 95a4d34af3fd..b8527c6b7646 100644
+--- a/Documentation/x86/zero-page.txt
+++ b/Documentation/x86/zero-page.txt
+@@ -31,6 +31,8 @@ Offset	Proto	Name		Meaning
+ 1E9/001	ALL	eddbuf_entries	Number of entries in eddbuf (below)
+ 1EA/001	ALL	edd_mbr_sig_buf_entries	Number of entries in edd_mbr_sig_buffer
+ 				(below)
+1EB/001	ALL     kbd_status      Numlock is enabled
+1EC/001	ALL     secure_boot	Secure boot is enabled in the firmware
+ 1EF/001	ALL	sentinel	Used to detect broken bootloaders
+ 290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
+ 2D0/A00	ALL	e820_map	E820 memory map table
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index bada636d1065..d666ef8b616c 100644
+--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
+@@ -1786,6 +1786,17 @@ config EFI_MIXED
+ 
+ 	   If unsure, say N.
+ 
+config EFI_SECURE_BOOT_SIG_ENFORCE
+	def_bool n
+	depends on EFI
+	prompt "Force module signing when UEFI Secure Boot is enabled"
+	---help---
+	  UEFI Secure Boot provides a mechanism for ensuring that the
+	  firmware will only load signed bootloaders and kernels. Certain
+	  use cases may also require that all kernel modules also be signed.
+	  Say Y here to automatically enable module signature enforcement
+	  when a system boots with UEFI Secure Boot enabled.
+
+ config SECCOMP
+ 	def_bool y
+ 	prompt "Enable seccomp to safely compute untrusted bytecode"
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index cc69e37548db..ebc85c1eefd6 100644
+--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
+@@ -12,6 +12,7 @@
+ #include <asm/efi.h>
+ #include <asm/setup.h>
+ #include <asm/desc.h>
+#include <asm/bootparam_utils.h>
+ 
+ #include "../string.h"
+ #include "eboot.h"
+@@ -537,6 +538,67 @@ static void setup_efi_pci(struct boot_params *params)
+ 	efi_call_early(free_pool, pci_handle);
+ }
+ 
+static int get_secure_boot(void)
+{
+	u8 sb, setup;
+	unsigned long datasize = sizeof(sb);
+	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
+	efi_status_t status;
+
+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
+				L"SecureBoot", &var_guid, NULL, &datasize, &sb);
+
+	if (status != EFI_SUCCESS)
+		return 0;
+
+	if (sb == 0)
+		return 0;
+
+
+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
+				L"SetupMode", &var_guid, NULL, &datasize,
+				&setup);
+
+	if (status != EFI_SUCCESS)
+		return 0;
+
+	if (setup == 1)
+		return 0;
+
+	return 1;
+}
+
+
+/*
+ * See if we have Graphics Output Protocol
+ */
+static efi_status_t setup_gop(struct screen_info *si, efi_guid_t *proto,
+			      unsigned long size)
+{
+	efi_status_t status;
+	void **gop_handle = NULL;
+
+	status = efi_call_early(allocate_pool, EFI_LOADER_DATA,
+				size, (void **)&gop_handle);
+	if (status != EFI_SUCCESS)
+		return status;
+
+	status = efi_call_early(locate_handle,
+				EFI_LOCATE_BY_PROTOCOL,
+				proto, NULL, &size, gop_handle);
+	if (status != EFI_SUCCESS)
+		goto free_handle;
+
+	if (efi_early->is64)
+		status = setup_gop64(si, proto, size, gop_handle);
+	else
+		status = setup_gop32(si, proto, size, gop_handle);
+
+free_handle:
+	efi_call_early(free_pool, gop_handle);
+	return status;
+}
+
+ static efi_status_t
+ setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
+ {
+@@ -1094,6 +1156,10 @@ struct boot_params *efi_main(struct efi_config *c,
+ 	else
+ 		setup_boot_services32(efi_early);
+ 
+	sanitize_boot_params(boot_params);
+
+	boot_params->secure_boot = get_secure_boot();
+
+ 	setup_graphics(boot_params);
+ 
+ 	setup_efi_pci(boot_params);
+diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
+index c18ce67495fa..2b3e5427097b 100644
+--- a/arch/x86/include/uapi/asm/bootparam.h
+++ b/arch/x86/include/uapi/asm/bootparam.h
+@@ -134,7 +134,8 @@ struct boot_params {
+ 	__u8  eddbuf_entries;				/* 0x1e9 */
+ 	__u8  edd_mbr_sig_buf_entries;			/* 0x1ea */
+ 	__u8  kbd_status;				/* 0x1eb */
+-	__u8  _pad5[3];					/* 0x1ec */
+	__u8  secure_boot;				/* 0x1ec */
+	__u8  _pad5[2];					/* 0x1ed */
+ 	/*
+ 	 * The sentinel is set to a nonzero value (0xff) in header.S.
+ 	 *
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index bbfbca5fea0c..d40e961753c9 100644
+--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
+@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
+ 
+ 	io_delay_init();
+ 
+#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
+	if (boot_params.secure_boot) {
+		enforce_signed_modules();
+	}
+#endif
+
+ 	/*
+ 	 * Parse the ACPI tables for possible boot-time SMP configuration.
+ 	 */
+diff --git a/include/linux/module.h b/include/linux/module.h
+index 05bd6c989a0c..32327704e18d 100644
+--- a/include/linux/module.h
+++ b/include/linux/module.h
+@@ -260,6 +260,12 @@ extern const typeof(name) __mod_##type##__##name##_device_table		\
+ 
+ struct notifier_block;
+ 
+#ifdef CONFIG_MODULE_SIG
+extern void enforce_signed_modules(void);
+#else
+static inline void enforce_signed_modules(void) {};
+#endif
+
+ #ifdef CONFIG_MODULES
+ 
+ extern int modules_disabled; /* for sysctl */
+diff --git a/kernel/module.c b/kernel/module.c
+index cb864505d020..cb1f1da69bf4 100644
+--- a/kernel/module.c
+++ b/kernel/module.c
+@@ -4285,6 +4285,13 @@ void module_layout(struct module *mod,
+ EXPORT_SYMBOL(module_layout);
+ #endif
+ 
+#ifdef CONFIG_MODULE_SIG
+void enforce_signed_modules(void)
+{
+	sig_enforce = true;
+}
+#endif
+
+ bool secure_modules(void)
+ {
+ #ifdef CONFIG_MODULE_SIG
+-- 
+2.9.3
+
--- a/Fix-for-module-sig-verification.patch
+++ b/Fix-for-module-sig-verification.patch
@ -0,0 +1,24 @@
+From ea6e7d9d0fe3e448aef19b3943d4897ae0bef128 Mon Sep 17 00:00:00 2001
+From: Fedora Kernel Team <kernel-team@fedoraproject.org>
+Date: Thu, 3 Aug 2017 13:46:51 -0500
+Subject: [PATCH] Fix for module sig verification
+
+---
+ kernel/module_signing.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/module_signing.c b/kernel/module_signing.c
+index 937c844..d3d6f95 100644
+--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
+@@ -81,6 +81,6 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
+ 	}
+
+ 	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+-				      NULL, VERIFYING_MODULE_SIGNATURE,
+				      (void *)1UL, VERIFYING_MODULE_SIGNATURE,
+ 				      NULL, NULL);
+ }
+-- 
+2.13.3
+
--- a/Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
+++ b/Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
@ -0,0 +1,47 @@
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Thu, 16 Apr 2015 13:01:46 -0400
+Subject: [PATCH] Input - synaptics: pin 3 touches when the firmware reports 3
+ fingers
+
+Synaptics PS/2 touchpad can send only 2 touches in a report. They can
+detect 4 or 5 and this information is valuable.
+
+In commit 63c4fda (Input: synaptics - allocate 3 slots to keep stability
+in image sensors), we allocate 3 slots, but we still continue to report
+the 2 available fingers. That means that the client sees 2 used slots while
+there is a total of 3 fingers advertised by BTN_TOOL_TRIPLETAP.
+
+For old kernels this is not a problem because max_slots was 2 and libinput/
+xorg-synaptics knew how to deal with that. Now that max_slot is 3, the
+clients ignore BTN_TOOL_TRIPLETAP and count the actual used slots (so 2).
+It then gets confused when receiving the BTN_TOOL_TRIPLETAP and DOUBLETAP
+information, and goes wild.
+
+We can pin the 3 slots until we get a total number of fingers below 2.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1212230
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+---
+ drivers/input/mouse/synaptics.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
+index 3a32caf06bf1..58102970f94f 100644
+--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
+@@ -940,6 +940,14 @@ static void synaptics_report_mt_data(struct psmouse *psmouse,
+ 		input_report_abs(dev, ABS_MT_PRESSURE, hw[i]->z);
+ 	}
+ 
+	/* keep (slot count <= num_fingers) by pinning all slots */
+	if (num_fingers >= 3) {
+		for (i = 0; i < 3; i++) {
+			input_mt_slot(dev, i);
+			input_mt_report_slot_state(dev, MT_TOOL_FINGER, true);
+		}
+	}
+
+ 	input_mt_drop_unused(dev);
+ 
+ 	/* Don't use active slot count to generate BTN_TOOL events. */
--- a/KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
+++ b/KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
@ -0,0 +1,95 @@
+From fb2ac204a70da565de9ef9a9d6d69a40c2d59727 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 5 May 2017 08:21:56 +0100
+Subject: [PATCH] KEYS: Allow unrestricted boot-time addition of keys to
+ secondary keyring
+
+Allow keys to be added to the system secondary certificates keyring during
+kernel initialisation in an unrestricted fashion.  Such keys are implicitly
+trusted and don't have their trust chains checked on link.
+
+This allows keys in the UEFI database to be added in secure boot mode for
+the purposes of module signing.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ certs/internal.h       | 18 ++++++++++++++++++
+ certs/system_keyring.c | 33 +++++++++++++++++++++++++++++++++
+ 2 files changed, 51 insertions(+)
+ create mode 100644 certs/internal.h
+
+diff --git a/certs/internal.h b/certs/internal.h
+new file mode 100644
+index 0000000..5dcbefb
+--- /dev/null
+++ b/certs/internal.h
+@@ -0,0 +1,18 @@
+/* Internal definitions
+ *
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+/*
+ * system_keyring.c
+ */
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+extern void __init add_trusted_secondary_key(const char *source,
+					     const void *data, size_t len);
+#endif
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index 6251d1b..5ac8ba6 100644
+--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
+@@ -18,6 +18,7 @@
+ #include <keys/asymmetric-type.h>
+ #include <keys/system_keyring.h>
+ #include <crypto/pkcs7.h>
+#include "internal.h"
+
+ static struct key *builtin_trusted_keys;
+ #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+@@ -265,3 +266,35 @@ int verify_pkcs7_signature(const void *data, size_t len,
+ EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
+
+ #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
+
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+/**
+ * add_trusted_secondary_key - Add to secondary keyring with no validation
+ * @source: Source of key
+ * @data: The blob holding the key
+ * @len: The length of the data blob
+ *
+ * Add a key to the secondary keyring without checking its trust chain.  This
+ * is available only during kernel initialisation.
+ */
+void __init add_trusted_secondary_key(const char *source,
+				      const void *data, size_t len)
+{
+	key_ref_t key;
+
+	key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1),
+				   "asymmetric",
+				   NULL, data, len,
+				   (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+				   KEY_USR_VIEW,
+				   KEY_ALLOC_NOT_IN_QUOTA |
+				   KEY_ALLOC_BYPASS_RESTRICTION);
+
+	if (IS_ERR(key))
+		pr_err("Problem loading %s X.509 certificate (%ld)\n",
+		       source, PTR_ERR(key));
+	else
+		pr_notice("Loaded %s cert '%s' linked to secondary sys keyring\n",
+			  source, key_ref_to_ptr(key)->description);
+}
+#endif /* CONFIG_SECONDARY_TRUSTED_KEYRING */
+-- 
+2.9.3
+
--- a/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
+++ b/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
@ -0,0 +1,89 @@
+From: Josh Stone <jistone@redhat.com>
+Date: Fri, 21 Nov 2014 10:40:00 -0800
+Subject: [PATCH] Kbuild: Add an option to enable GCC VTA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Due to recent codegen issues, gcc -fvar-tracking-assignments was
+unconditionally disabled in commit 2062afb4f804a ("Fix gcc-4.9.0
+miscompilation of load_balance() in scheduler").  However, this reduces
+the debuginfo coverage for variable locations, especially in inline
+functions.  VTA is certainly not perfect either in those cases, but it
+is much better than without.  With compiler versions that have fixed the
+codegen bugs, we would prefer to have the better details for SystemTap,
+and surely other debuginfo consumers like perf will benefit as well.
+
+This patch simply makes CONFIG_DEBUG_INFO_VTA an option.  I considered
+Frank and Linus's discussion of a cc-option-like -fcompare-debug test,
+but I'm convinced that a narrow test of an arch-specific codegen issue
+is not really useful.  GCC has their own regression tests for this, so
+I'd suggest GCC_COMPARE_DEBUG=-fvar-tracking-assignments-toggle is more
+useful for kernel developers to test confidence.
+
+In fact, I ran into a couple more issues when testing for this patch[1],
+although neither of those had any codegen impact.
+ [1] https://bugzilla.redhat.com/show_bug.cgi?id=1140872
+
+With gcc-4.9.2-1.fc22, I can now build v3.18-rc5 with Fedora's i686 and
+x86_64 configs, and this is completely clean with GCC_COMPARE_DEBUG.
+
+Cc: Frank Ch. Eigler <fche@redhat.com>
+Cc: Jakub Jelinek <jakub@redhat.com>
+Cc: Josh Boyer <jwboyer@fedoraproject.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Markus Trippelsdorf <markus@trippelsdorf.de>
+Cc: Michel Dänzer <michel@daenzer.net>
+Signed-off-by: Josh Stone <jistone@redhat.com>
+---
+ Makefile          |  4 ++++
+ lib/Kconfig.debug | 18 +++++++++++++++++-
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 257ef5892ab7..3cc6f4477e78 100644
+--- a/Makefile
+++ b/Makefile
+@@ -701,7 +701,11 @@ KBUILD_CFLAGS	+= -fomit-frame-pointer
+ endif
+ endif
+ 
+ifdef CONFIG_DEBUG_INFO_VTA
+KBUILD_CFLAGS   += $(call cc-option, -fvar-tracking-assignments)
+else
+ KBUILD_CFLAGS   += $(call cc-option, -fno-var-tracking-assignments)
+endif
+ 
+ ifdef CONFIG_DEBUG_INFO
+ ifdef CONFIG_DEBUG_INFO_SPLIT
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index e2894b23efb6..d98afe18f704 100644
+--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
+@@ -165,7 +165,23 @@ config DEBUG_INFO_DWARF4
+ 	  Generate dwarf4 debug info. This requires recent versions
+ 	  of gcc and gdb. It makes the debug information larger.
+ 	  But it significantly improves the success of resolving
+-	  variables in gdb on optimized code.
+	  variables in gdb on optimized code.  The gcc docs also
+	  recommend enabling -fvar-tracking-assignments for maximum
+	  benefit. (see DEBUG_INFO_VTA)
+
+config DEBUG_INFO_VTA
+	bool "Enable var-tracking-assignments for debuginfo"
+	depends on DEBUG_INFO
+	help
+	  Enable gcc -fvar-tracking-assignments for improved debug
+	  information on variable locations in optimized code.  Per
+	  gcc, DEBUG_INFO_DWARF4 is recommended for best use of VTA.
+
+	  VTA has been implicated in codegen bugs (gcc PR61801,
+	  PR61904), so this may deserve some caution.  One can set
+	  GCC_COMPARE_DEBUG=-fvar-tracking-assignments-toggle in the
+	  environment to automatically compile everything both ways,
+	  generating an error if anything differs.
+ 
+ config GDB_SCRIPTS
+ 	bool "Provide GDB scripts for kernel debugging"
--- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
+++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
@ -0,0 +1,246 @@
+From 90dc66270b02981b19a085c6a9184e3452b7b3e8 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Fri, 5 May 2017 08:21:59 +0100
+Subject: [PATCH 3/4] MODSIGN: Import certificates from UEFI Secure Boot
+
+Secure Boot stores a list of allowed certificates in the 'db' variable.
+This imports those certificates into the system trusted keyring.  This
+allows for a third party signing certificate to be used in conjunction
+with signed modules.  By importing the public certificate into the 'db'
+variable, a user can allow a module signed with that certificate to
+load.  The shim UEFI bootloader has a similar certificate list stored
+in the 'MokListRT' variable.  We import those as well.
+
+Secure Boot also maintains a list of disallowed certificates in the 'dbx'
+variable.  We load those certificates into the newly introduced system
+blacklist keyring and forbid any module signed with those from loading and
+forbid the use within the kernel of any key with a matching hash.
+
+This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ certs/Kconfig     |  16 ++++++
+ certs/Makefile    |   4 ++
+ certs/load_uefi.c | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 188 insertions(+)
+ create mode 100644 certs/load_uefi.c
+
+diff --git a/certs/Kconfig b/certs/Kconfig
+index 630ae09..edf9f75 100644
+--- a/certs/Kconfig
+++ b/certs/Kconfig
+@@ -90,4 +90,20 @@ config EFI_SIGNATURE_LIST_PARSER
+ 	  This option provides support for parsing EFI signature lists for
+ 	  X.509 certificates and turning them into keys.
+
+config LOAD_UEFI_KEYS
+	bool "Load certs and blacklist from UEFI db for module checking"
+	depends on SYSTEM_BLACKLIST_KEYRING
+	depends on SECONDARY_TRUSTED_KEYRING
+	depends on EFI
+	depends on EFI_SIGNATURE_LIST_PARSER
+	help
+	  If the kernel is booted in secure boot mode, this option will cause
+	  the kernel to load the certificates from the UEFI db and MokListRT
+	  into the secondary trusted keyring.  It will also load any X.509
+	  SHA256 hashes in the dbx list into the blacklist.
+
+	  The effect of this is that, if the kernel is booted in secure boot
+	  mode, modules signed with UEFI-stored keys will be permitted to be
+	  loaded and keys that match the blacklist will be rejected.
+
+ endmenu
+diff --git a/certs/Makefile b/certs/Makefile
+index 738151a..a5e057a 100644
+--- a/certs/Makefile
+++ b/certs/Makefile
+@@ -11,6 +11,10 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
+ endif
+ obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
+
+obj-$(CONFIG_LOAD_UEFI_KEYS) += load_uefi.o
+$(obj)/load_uefi.o: KBUILD_CFLAGS += -fshort-wchar
+
+
+ ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
+
+ $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS))
+diff --git a/certs/load_uefi.c b/certs/load_uefi.c
+new file mode 100644
+index 0000000..b44e464
+--- /dev/null
+++ b/certs/load_uefi.c
+@@ -0,0 +1,168 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/cred.h>
+#include <linux/err.h>
+#include <linux/efi.h>
+#include <linux/slab.h>
+#include <keys/asymmetric-type.h>
+#include <keys/system_keyring.h>
+#include "internal.h"
+
+static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID;
+static __initdata efi_guid_t efi_cert_x509_sha256_guid = EFI_CERT_X509_SHA256_GUID;
+static __initdata efi_guid_t efi_cert_sha256_guid = EFI_CERT_SHA256_GUID;
+
+/*
+ * Get a certificate list blob from the named EFI variable.
+ */
+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+				  unsigned long *size)
+{
+	efi_status_t status;
+	unsigned long lsize = 4;
+	unsigned long tmpdb[4];
+	void *db;
+
+	status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
+	if (status != EFI_BUFFER_TOO_SMALL) {
+		pr_err("Couldn't get size: 0x%lx\n", status);
+		return NULL;
+	}
+
+	db = kmalloc(lsize, GFP_KERNEL);
+	if (!db) {
+		pr_err("Couldn't allocate memory for uefi cert list\n");
+		return NULL;
+	}
+
+	status = efi.get_variable(name, guid, NULL, &lsize, db);
+	if (status != EFI_SUCCESS) {
+		kfree(db);
+		pr_err("Error reading db var: 0x%lx\n", status);
+		return NULL;
+	}
+
+	*size = lsize;
+	return db;
+}
+
+/*
+ * Blacklist an X509 TBS hash.
+ */
+static __init void uefi_blacklist_x509_tbs(const char *source,
+					   const void *data, size_t len)
+{
+	char *hash, *p;
+
+	hash = kmalloc(4 + len * 2 + 1, GFP_KERNEL);
+	if (!hash)
+		return;
+	p = memcpy(hash, "tbs:", 4);
+	p += 4;
+	bin2hex(p, data, len);
+	p += len * 2;
+	*p = 0;
+
+	mark_hash_blacklisted(hash);
+	kfree(hash);
+}
+
+/*
+ * Blacklist the hash of an executable.
+ */
+static __init void uefi_blacklist_binary(const char *source,
+					 const void *data, size_t len)
+{
+	char *hash, *p;
+
+	hash = kmalloc(4 + len * 2 + 1, GFP_KERNEL);
+	if (!hash)
+		return;
+	p = memcpy(hash, "bin:", 4);
+	p += 4;
+	bin2hex(p, data, len);
+	p += len * 2;
+	*p = 0;
+
+	mark_hash_blacklisted(hash);
+	kfree(hash);
+}
+
+/*
+ * Return the appropriate handler for particular signature list types found in
+ * the UEFI db and MokListRT tables.
+ */
+static __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
+{
+	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
+		return add_trusted_secondary_key;
+	return 0;
+}
+
+/*
+ * Return the appropriate handler for particular signature list types found in
+ * the UEFI dbx and MokListXRT tables.
+ */
+static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
+{
+	if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
+		return uefi_blacklist_x509_tbs;
+	if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
+		return uefi_blacklist_binary;
+	return 0;
+}
+
+/*
+ * Load the certs contained in the UEFI databases
+ */
+static int __init load_uefi_certs(void)
+{
+	efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
+	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
+	void *db = NULL, *dbx = NULL, *mok = NULL;
+	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+	int rc = 0;
+
+	if (!efi.get_variable)
+		return false;
+
+	/* Get db, MokListRT, and dbx.  They might not exist, so it isn't
+	 * an error if we can't get them.
+	 */
+	db = get_cert_list(L"db", &secure_var, &dbsize);
+	if (!db) {
+		pr_err("MODSIGN: Couldn't get UEFI db list\n");
+	} else {
+		rc = parse_efi_signature_list("UEFI:db",
+					      db, dbsize, get_handler_for_db);
+		if (rc)
+			pr_err("Couldn't parse db signatures: %d\n", rc);
+		kfree(db);
+	}
+
+	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+	if (!mok) {
+		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
+	} else {
+		rc = parse_efi_signature_list("UEFI:MokListRT",
+					      mok, moksize, get_handler_for_db);
+		if (rc)
+			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+		kfree(mok);
+	}
+
+	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
+	if (!dbx) {
+		pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
+	} else {
+		rc = parse_efi_signature_list("UEFI:dbx",
+					      dbx, dbxsize,
+					      get_handler_for_dbx);
+		if (rc)
+			pr_err("Couldn't parse dbx signatures: %d\n", rc);
+		kfree(dbx);
+	}
+
+	return rc;
+}
+late_initcall(load_uefi_certs);
+-- 
+2.9.3
+
--- a/MODSIGN-Support-not-importing-certs-from-db.patch
+++ b/MODSIGN-Support-not-importing-certs-from-db.patch
@ -0,0 +1,88 @@
+From 9f1958a0cc911e1f79b2733ee5029dbd819ff328 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Fri, 5 May 2017 08:21:59 +0100
+Subject: [PATCH 4/4] MODSIGN: Allow the "db" UEFI variable to be suppressed
+
+If a user tells shim to not use the certs/hashes in the UEFI db variable
+for verification purposes, shim will set a UEFI variable called
+MokIgnoreDB.  Have the uefi import code look for this and ignore the db
+variable if it is found.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ certs/load_uefi.c | 44 ++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 34 insertions(+), 10 deletions(-)
+
+diff --git a/certs/load_uefi.c b/certs/load_uefi.c
+index b44e464..3d88459 100644
+--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
+@@ -13,6 +13,26 @@ static __initdata efi_guid_t efi_cert_x509_sha256_guid = EFI_CERT_X509_SHA256_GU
+ static __initdata efi_guid_t efi_cert_sha256_guid = EFI_CERT_SHA256_GUID;
+
+ /*
+ * Look to see if a UEFI variable called MokIgnoreDB exists and return true if
+ * it does.
+ *
+ * This UEFI variable is set by the shim if a user tells the shim to not use
+ * the certs/hashes in the UEFI db variable for verification purposes.  If it
+ * is set, we should ignore the db variable also and the true return indicates
+ * this.
+ */
+static __init bool uefi_check_ignore_db(void)
+{
+	efi_status_t status;
+	unsigned int db = 0;
+	unsigned long size = sizeof(db);
+	efi_guid_t guid = EFI_SHIM_LOCK_GUID;
+
+	status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
+	return status == EFI_SUCCESS;
+}
+
+/*
+  * Get a certificate list blob from the named EFI variable.
+  */
+ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+@@ -113,7 +133,9 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty
+ }
+
+ /*
+- * Load the certs contained in the UEFI databases
+ * Load the certs contained in the UEFI databases into the secondary trusted
+ * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
+ * keyring.
+  */
+ static int __init load_uefi_certs(void)
+ {
+@@ -129,15 +151,17 @@ static int __init load_uefi_certs(void)
+ 	/* Get db, MokListRT, and dbx.  They might not exist, so it isn't
+ 	 * an error if we can't get them.
+ 	 */
+-	db = get_cert_list(L"db", &secure_var, &dbsize);
+-	if (!db) {
+-		pr_err("MODSIGN: Couldn't get UEFI db list\n");
+-	} else {
+-		rc = parse_efi_signature_list("UEFI:db",
+-					      db, dbsize, get_handler_for_db);
+-		if (rc)
+-			pr_err("Couldn't parse db signatures: %d\n", rc);
+-		kfree(db);
+	if (!uefi_check_ignore_db()) {
+		db = get_cert_list(L"db", &secure_var, &dbsize);
+		if (!db) {
+			pr_err("MODSIGN: Couldn't get UEFI db list\n");
+		} else {
+			rc = parse_efi_signature_list("UEFI:db",
+						      db, dbsize, get_handler_for_db);
+			if (rc)
+				pr_err("Couldn't parse db signatures: %d\n", rc);
+			kfree(db);
+		}
+ 	}
+
+ 	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+-- 
+2.9.3
+
--- a/50
+++ b/50
@ -0,0 +1,50 @@
+# Makefile for source rpm: kernel
+SPECFILE := kernel.spec
+
+# we only check the .sign signatures
+UPSTREAM_CHECKS = sign
+
+.PHONY: help
+help:
+%:
+	@echo "Try fedpkg $@ or something like that"
+	@exit 1
+
+prep: config-files
+	fedpkg -v prep
+
+noarch:
+	fedpkg -v local --arch=noarch
+
+# 'make local' also needs to build the noarch firmware package
+local:
+	fedpkg -v local
+
+extremedebug:
+	@perl -pi -e 's/# CONFIG_DEBUG_PAGEALLOC is not set/CONFIG_DEBUG_PAGEALLOC=y/' config-nodebug
+
+config-files:
+	@./build_configs.sh
+
+debug:
+	@perl -pi -e 's/^%define debugbuildsenabled 1/%define debugbuildsenabled 0/' kernel.spec
+	@rpmdev-bumpspec -c "Reenable debugging options." kernel.spec
+
+release:
+	@perl -pi -e 's/^%define debugbuildsenabled 0/%define debugbuildsenabled 1/' kernel.spec
+	@rpmdev-bumpspec -c "Disable debugging options." kernel.spec
+
+nodebuginfo:
+	@perl -pi -e 's/^%define with_debuginfo %\{\?_without_debuginfo: 0\} %\{\?\!_without_debuginfo: 1\}/%define with_debuginfo %\{\?_without_debuginfo: 0\} %\{\?\!_without_debuginfo: 0\}/' kernel.spec
+
+nodebug: release
+	@perl -pi -e 's/^%define debugbuildsenabled 1/%define debugbuildsenabled 0/' kernel.spec
+
+ifeq ($(MAKECMDGOALS),me a sandwich)
+.PHONY: me a sandwich
+me a:
+	@:
+
+sandwich:
+	@[ `id -u` -ne 0 ] && echo "What? Make it yourself." || echo Okay.
+endif
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@ -1,60 +0,0 @@
-RHEL_MAJOR = 10
-RHEL_MINOR = 99
-
-#
-# RHEL_RELEASE
-# -------------
-#
-# Represents build number in 'release' part of RPM's name-version-release.
-#   name is <package_name>, e.g. kernel
-#   version is upstream kernel version this kernel is based on, e.g. 4.18.0
-#   release is <RHEL_RELEASE>.<dist_tag>[<buildid>], e.g. 100.el8
-#
-# Use this spot to avoid future merge conflicts.
-# Do not trim this comment.
-RHEL_RELEASE = 38
-
-#
-# RHEL_REBASE_NUM
-# ----------------
-#
-# Used in RPM version string for Gemini kernels, which dont use upstream
-# VERSION/PATCHLEVEL/SUBLEVEL. The number represents rebase number for
-# current MAJOR release.
-#
-# Use this spot to avoid future merge conflicts.
-# Do not trim this comment.
-RHEL_REBASE_NUM = 1
-
-
-#
-# ZSTREAM
-# -------
-#
-#  This variable controls whether we use zstream numbering or not for the
-#  package release. The zstream release keeps the build number of the last
-#  build done for ystream for the Beta milestone, and increments a second
-#  number for each build. The third number is used for branched builds
-#  (eg.: for builds with security fixes or hot fixes done outside of the
-#  batch release process).
-#
-#  For example, with ZSTREAM unset or set to "no", all builds will contain
-#  a release with only the build number, eg.: kernel-<kernel version>-X.el*,
-#  where X is the build number. With ZSTREAM set to "yes", we will have
-#  builds with kernel-<kernel version>-X.Y.Z.el*, where X is the last
-#  RHEL_RELEASE number before ZSTREAM flag was set to yes, Y will now be the
-#  build number and Z will always be 1 except if you're doing a branched build
-#  (when you give RHDISTGIT_BRANCH on the command line, in which case the Z
-#  number will be incremented instead of the Y).
-#
-ZSTREAM ?= no
-
-#
-# Automotive
-# ----------
-#
-# Represents the major and minor release used by automotive.
-# Primarily this is used to to identify the build target when
-# building the automotive kernel package.
-AUTOMOTIVE_MAJOR = 2
-AUTOMOTIVE_MINOR = 99
--- a/Module.kabi_aarch64
+++ b/Module.kabi_aarch64
--- a/Module.kabi_dup_aarch64
+++ b/Module.kabi_dup_aarch64
--- a/Module.kabi_dup_ppc64le
+++ b/Module.kabi_dup_ppc64le
--- a/Module.kabi_dup_riscv64
+++ b/Module.kabi_dup_riscv64
--- a/Module.kabi_dup_s390x
+++ b/Module.kabi_dup_s390x
--- a/Module.kabi_dup_x86_64
+++ b/Module.kabi_dup_x86_64
--- a/Module.kabi_ppc64le
+++ b/Module.kabi_ppc64le
--- a/Module.kabi_riscv64
+++ b/Module.kabi_riscv64
--- a/Module.kabi_s390x
+++ b/Module.kabi_s390x
--- a/Module.kabi_x86_64
+++ b/Module.kabi_x86_64
--- a/PatchList.txt
+++ b/PatchList.txt
@ -0,0 +1,76 @@
+# This file contains patches that we intend to carry for longer than
+# "Should show up in a stable release soonish"
+# Some of these may eventually drop out
+
+kbuild-AFTER_LINK.patch
+
+arm64-avoid-needing-console-to-enable-serial-console.patch
+
+geekbox-v4-device-tree-support.patch
+
+Initial-AllWinner-A64-and-PINE64-support.patch
+
+arm64-pcie-quirks-xgene.patch
+
+usb-phy-tegra-Add-38.4MHz-clock-table-entry.patch
+
+ARM-tegra-usb-no-reset.patch
+
+bcm283x-upstream-fixes.patch
+
+lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
+
+input-kill-stupid-messages.patch
+
+die-floppy-die.patch
+
+no-pcspkr-modalias.patch
+
+silence-fbcon-logo.patch
+
+Kbuild-Add-an-option-to-enable-GCC-VTA.patch
+
+crash-driver.patch
+
+#Secure boot patches
+Add-secure_modules-call.patch
+PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
+x86-Lock-down-IO-port-access-when-module-security-is.patch
+ACPI-Limit-access-to-custom_method.patch
+asus-wmi-Restrict-debugfs-interface-when-module-load.patch
+Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
+acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
+kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
+x86-Restrict-MSR-access-when-module-loading-is-restr.patch
+Add-option-to-automatically-enforce-module-signature.patch
+efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
+efi-Add-EFI_SECURE_BOOT-bit.patch
+hibernate-Disable-in-a-signed-modules-environment.patch
+Add-EFI-signature-data-types.patch
+Add-an-EFI-signature-blob-parser-and-key-loader.patch
+KEYS-Add-a-system-blacklist-keyring.patch
+MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
+MODSIGN-Support-not-importing-certs-from-db.patch
+Add-sysrq-option-to-disable-secure-boot-mode.patch
+kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
+
+drm-i915-hush-check-crtc-state.patch
+
+disable-i8042-check-on-apple-mac.patch
+
+lis3-improve-handling-of-null-rate.patch
+
+scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
+
+criu-no-expert.patch
+
+ath9k-rx-dma-stop-check.patch
+
+xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
+
+Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
+
+firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch
+
+drm-i915-turn-off-wc-mmaps.patch
+
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@ -1,474 +0,0 @@
-https://gitlab.com/cki-project/kernel-ark/-/commit/831ff9bcd8e9eab864062470a3250beb1e1ec924
- 831ff9bcd8e9eab864062470a3250beb1e1ec924 rust: Add -fdiagnostics-show-context to bindgen_skip_c_flags
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/fe3e9e24af806d756edbda922103b1fa95d9b89b
- fe3e9e24af806d756edbda922103b1fa95d9b89b Revert "Removing Obsolete hba pci-ids from rhel8"
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/c4a0a995da9df8732f688d09db5252173277589d
- c4a0a995da9df8732f688d09db5252173277589d rh_messages.h: add missing lpfc devices
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/0ad9a88c3263fa8fa39437f69472588917255c99
- 0ad9a88c3263fa8fa39437f69472588917255c99 kernel: extend rh_waived to cope better with the CVE mitigations case
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/cf18c49636f2583c85831f909699034026325242
- cf18c49636f2583c85831f909699034026325242 rh_messages.h: add missing aacraid device
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/26ca931184edb2c3c7f7c1951f53fa3333d9c90e
- 26ca931184edb2c3c7f7c1951f53fa3333d9c90e rh_messages.h: update unmaintained drivers
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/c1c1a1b7059900f4b9b657f5189285a287160e11
- c1c1a1b7059900f4b9b657f5189285a287160e11 arm64: add early lockdown for secure boot
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/a613ae52a8d9378e6fa70f697b3ce0acee220491
- a613ae52a8d9378e6fa70f697b3ce0acee220491 efi: pass secure boot mode to kernel proper
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/f869258b6b654d316e84325e46e431da4dfd04e7
- f869258b6b654d316e84325e46e431da4dfd04e7 selftests/bpf: Remove ksyms_weak_lskel test
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/8b69219fe6a11766cf1a2e07dc94e56448b47824
- 8b69219fe6a11766cf1a2e07dc94e56448b47824 Simplify include Makefile.rhelver
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/c2621ac616e25a9a04fbcb8af0c1f8b2bdd8c099
- c2621ac616e25a9a04fbcb8af0c1f8b2bdd8c099 redhat: make ENABLE_WERROR also enable OBJTOOL_WERROR
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/d28cbdeb89fe565e10fb4be8d8378153e86611f6
- d28cbdeb89fe565e10fb4be8d8378153e86611f6 main.c: fix initcall blacklisted
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/b71ab57c8db44881edc32a124ddc2ebe536b6a4c
- b71ab57c8db44881edc32a124ddc2ebe536b6a4c arch/x86/kernel/setup.c: fix rh_check_supported
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/c4ea2384863e54e0c5582b3508518e659581ce69
- c4ea2384863e54e0c5582b3508518e659581ce69 efi,lockdown: fix kernel lockdown on Secure Boot
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/60b2ddeb0986e1c43a98b44a4ab414a7e2744701
- 60b2ddeb0986e1c43a98b44a4ab414a7e2744701 Revert "nvme: Return BLK_STS_TARGET if the DNR bit is set"
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/860632dd288c7aa7807959a79af9159482510cd1
- 860632dd288c7aa7807959a79af9159482510cd1 Revert "nvme: allow local retry and proper failover for REQ_FAILFAST_TRANSPORT"
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/aaef2c3ee081c8980bb60fd4b7a6ed9e187d9048
- aaef2c3ee081c8980bb60fd4b7a6ed9e187d9048 Revert "nvme: decouple basic ANA log page re-read support from native multipathing"
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/5cd4353dae0ee79d13f57b7ccee85cd0bcbe4b4f
- 5cd4353dae0ee79d13f57b7ccee85cd0bcbe4b4f Revert "nvme: nvme_mpath_init remove multipath check"
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/656a0565ffe54f99ac1390a68c5ee7050ab6fb25
- 656a0565ffe54f99ac1390a68c5ee7050ab6fb25 redhat: automotive: define CONFIG_RH_AUTOMOTIVE
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/f1025d6236c72b4fbd03940b6fa2178f2a84f418
- f1025d6236c72b4fbd03940b6fa2178f2a84f418 redhat: fix modules.order target
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/6e0fa997052c92d6085a50083e75dedc0160443f
- 6e0fa997052c92d6085a50083e75dedc0160443f [redhat] rh_messages.h: driver and device updates
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/d8822fd0573e9f254f097c1743078e4e74ac70f5
- d8822fd0573e9f254f097c1743078e4e74ac70f5 crypto: rng - Fix extrng EFAULT handling
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/c224e4b6a61af08574bb0565755ed609bf08cacb
- c224e4b6a61af08574bb0565755ed609bf08cacb crypto: sig - Disable signing
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/39417e970be7f6bc63f34d5ed5511f7e629802c2
- 39417e970be7f6bc63f34d5ed5511f7e629802c2 crypto: rng - Ensure stdrng is tested before user-space starts
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/52be246b6342ed5b1486729fd5c5893b10549a92
- 52be246b6342ed5b1486729fd5c5893b10549a92 [redhat] rh_messages.h: Mark BlueField-4 as disabled
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/2c9e64af9fa1f8599ce05877441afcac8ac91b04
- 2c9e64af9fa1f8599ce05877441afcac8ac91b04 Update the RHEL_DIFFERENCES help string
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/beef34cb1efc34b7fbee35535c66915995d12ed1
- beef34cb1efc34b7fbee35535c66915995d12ed1 redhat: include resolve_btfids in kernel-devel
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/1a1426b7a8df854c78385dd8ce8b74e9ee641477
- 1a1426b7a8df854c78385dd8ce8b74e9ee641477 redhat: workaround CKI cross compilation for scripts
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/2c83d6cfffe1f891bf024df81be6cd41c2073ad9
- 2c83d6cfffe1f891bf024df81be6cd41c2073ad9 crypto: akcipher - Disable signing and decryption
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/af93553b8d335ccf5dd4f90ab9419e497aa36a80
- af93553b8d335ccf5dd4f90ab9419e497aa36a80 crypto: dh - implement FIPS PCT
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/f0540d9d32978dff227cbb930193e8dc2557b23b
- f0540d9d32978dff227cbb930193e8dc2557b23b crypto: ecdh - disallow plain "ecdh" usage in FIPS mode
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/243ef89ad354eea332d7bfb23fd4cf259240de91
- 243ef89ad354eea332d7bfb23fd4cf259240de91 crypto: seqiv - flag instantiations as FIPS compliant
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/6a23cbc588e9b9f7b2bc7250c6c6903d4d904eb1
- 6a23cbc588e9b9f7b2bc7250c6c6903d4d904eb1 [kernel] bpf: set default value for bpf_jit_harden
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/bb84b630a172d0204c8d243c57a6a1d2eae7843c
- bb84b630a172d0204c8d243c57a6a1d2eae7843c not upstream: Disable vdso getrandom when FIPS is enabled
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/b643998c61552fb5615268e7e529999d64d54175
- b643998c61552fb5615268e7e529999d64d54175 Add support to rh_waived cmdline boot parameter
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/a1e04b6f3580382a902256c7bf8b395b9a1be47f
- a1e04b6f3580382a902256c7bf8b395b9a1be47f rh_flags: fix failed when register_sysctl_sz rh_flags_table to kernel
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/03cf1862c6221ee2a6de9a5ab25adaec6460b62e
- 03cf1862c6221ee2a6de9a5ab25adaec6460b62e [redhat] rh_flags: constify the ctl_table argument of proc_handler
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/e2708e55f9151652da80e388b4bf88c649288c0f
- e2708e55f9151652da80e388b4bf88c649288c0f redhat: rh_flags: declare proper static methods when !CONFIG_RHEL_DIFFERENCES
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/6f593811cc1e5664f45fe2d09916eada1187e992
- 6f593811cc1e5664f45fe2d09916eada1187e992 redhat: make bnx2xx drivers unmaintained in rhel-10
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/5db8220bd67c719a20c1269233585b40f48837da
- 5db8220bd67c719a20c1269233585b40f48837da rh_flags: Rename rh_features to rh_flags
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/19ca502a0087eed65a014c6271f9bfc207d8d7eb
- 19ca502a0087eed65a014c6271f9bfc207d8d7eb kernel: rh_features: fix reading empty feature list from /proc
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/ba24639032f00b47748a6f39a4eb33950df015c2
- ba24639032f00b47748a6f39a4eb33950df015c2 rh_features: move rh_features entry to sys/kernel
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/883e43fe6a0da0d9ad90e7c997a95f11bab9b888
- 883e43fe6a0da0d9ad90e7c997a95f11bab9b888 rh_features: convert to atomic allocation
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/c8daa2e832df14ee9174435a357b2ae0994a3ef3
- c8daa2e832df14ee9174435a357b2ae0994a3ef3 add rh_features to /proc
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/4f33dbbe3ec578d49e12c07421b913bf480fccef
- 4f33dbbe3ec578d49e12c07421b913bf480fccef add support for rh_features
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/53a5900b05260b81f13eb3b9d6a9419429f310ab
- 53a5900b05260b81f13eb3b9d6a9419429f310ab [redhat] PCI: Fix pci_rh_check_status() call semantics
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/aeb9a237a0ec39b7bde89d8bb040cd5b267f6802
- aeb9a237a0ec39b7bde89d8bb040cd5b267f6802 scsi: sd: condition probe_type under RHEL_DIFFERENCES
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/159e72af8b1631b720f4a7e0012fa624764cecde
- 159e72af8b1631b720f4a7e0012fa624764cecde scsi: sd: remove unused sd_probe_types
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/d8c04860eb7bf29617ca1754f1076fd9f5992e77
- d8c04860eb7bf29617ca1754f1076fd9f5992e77 [redhat] rh_messages.h: mark mlx5 on Bluefield-3 as unmaintained
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/496c64b4afece4ab525467a6be71ffe60d0c564f
- 496c64b4afece4ab525467a6be71ffe60d0c564f [redhat] rh_messages.h: initial driver and device lists
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/5cf456aaba6f5c9406421c04c65d43b2c71f5927
- 5cf456aaba6f5c9406421c04c65d43b2c71f5927 arch/x86: Fix XSAVE check for x86_64-v2 check
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/252bf9586fca6e57a51966c0294a9a0cb33ff4f5
- 252bf9586fca6e57a51966c0294a9a0cb33ff4f5 arch/x86/kernel/setup.c: fixup rh_check_supported
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/30faf17591afbd4230d590355351044294ad43d2
- 30faf17591afbd4230d590355351044294ad43d2 lsm: update security_lock_kernel_down
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/e88ee9e2e869e7259faa5bf3ff6689becabb53cb
- e88ee9e2e869e7259faa5bf3ff6689becabb53cb arch/x86: mark x86_64-v1 and x86_64-v2 processors as deprecated
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/26ebc304df38a49ce7cc69b4bdf220298cff2460
- 26ebc304df38a49ce7cc69b4bdf220298cff2460 redhat: kABI: add missing RH_KABI_SIZE_ALIGN_CHECKS Kconfig option
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/8c71392703448be8e8217592dd46ea1cc8b157e1
- 8c71392703448be8e8217592dd46ea1cc8b157e1 redhat: rh_kabi: introduce RH_KABI_EXCLUDE_WITH_SIZE
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/d42afcb843fcc87e59ba39b5574c18d89fd07a91
- d42afcb843fcc87e59ba39b5574c18d89fd07a91 redhat: rh_kabi: move semicolon inside __RH_KABI_CHECK_SIZE
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/95a56955f9ba6ef1e1dd2d99d8f98254da274267
- 95a56955f9ba6ef1e1dd2d99d8f98254da274267 random: replace import_single_range() with import_ubuf()
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/92d6612578b79fd3a09e10504ed71209ba43c271
- 92d6612578b79fd3a09e10504ed71209ba43c271 ext4: Mark mounting fs-verity filesystems as tech-preview
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/5c51745b8aec113ff0605ab833c3e472d99c55c8
- 5c51745b8aec113ff0605ab833c3e472d99c55c8 erofs: Add tech preview markers at mount
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/6d687c70a7eda10eac0ddc6eedeaccc30eef5349
- 6d687c70a7eda10eac0ddc6eedeaccc30eef5349 kernel/rh_messages.c: Mark functions as possibly unused
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/dfb09b1d833cad815ea2f5cb69505010de260c40
- dfb09b1d833cad815ea2f5cb69505010de260c40 crypto: rng - Override drivers/char/random in FIPS mode
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/ddbe3667f2462817f3f936141fff08604dde1564
- ddbe3667f2462817f3f936141fff08604dde1564 random: Add hook to override device reads and getrandom(2)
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/92525a9129d85fa6400c9e653379862a67cb43b2
- 92525a9129d85fa6400c9e653379862a67cb43b2 [redhat] kernel/rh_messages.c: move hardware tables to rh_messages.h
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/eacd81fdaf31d456a82c553735faf64c8efad2eb
- eacd81fdaf31d456a82c553735faf64c8efad2eb [redhat] kernel/rh_messages.c: Wire up new calls
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/32af8640a651c642ee5706dda0cf35ff508bcdcb
- 32af8640a651c642ee5706dda0cf35ff508bcdcb [redhat] drivers/pci: Update rh_messages.c
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/db366977f9e13f903cc9b7f22936b581594a7731
- db366977f9e13f903cc9b7f22936b581594a7731 [redhat] drivers/pci: Remove RHEL-only pci_hw_*() functions
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/402504ff66e5d118b514253df5d55f8413e2e167
- 402504ff66e5d118b514253df5d55f8413e2e167 scsi: sd: Add "probe_type" module parameter to allow synchronous probing
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/5e96a345c6fb24e282ce1769223c1a339d0dbe94
- 5e96a345c6fb24e282ce1769223c1a339d0dbe94 Revert "Remove EXPERT from ARCH_FORCE_MAX_ORDER for aarch64"
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/ce943989ae8cb2b8e0b4699c148584d3cd18ec9b
- ce943989ae8cb2b8e0b4699c148584d3cd18ec9b kernel/rh_messages.c: Another gcc12 warning on redundant NULL test
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/c0624b3913d8c3f262e20910a2f2c4d2f99ce61f
- c0624b3913d8c3f262e20910a2f2c4d2f99ce61f Enable IO_URING for RHEL
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/861f2d38d82cfb374799ec517f18cc021701068e
- 861f2d38d82cfb374799ec517f18cc021701068e Remove EXPERT from ARCH_FORCE_MAX_ORDER for aarch64
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/e02ec93117d6eea21e80baf69e6f9848cf1a9774
- e02ec93117d6eea21e80baf69e6f9848cf1a9774 redhat: version two of Makefile.rhelver tweaks
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/964e830b4fae678dec5b8b93dcd402c73fdf2912
- 964e830b4fae678dec5b8b93dcd402c73fdf2912 redhat:  adapt to upstream Makefile change
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/60a4025a3b1cdec1c7bbdabf1e30278f615bb493
- 60a4025a3b1cdec1c7bbdabf1e30278f615bb493 kernel/rh_messages.c: gcc12 warning on redundant NULL test
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/a5c9e3c6e3dcda60b5f753d1bae86a686f3ac087
- a5c9e3c6e3dcda60b5f753d1bae86a686f3ac087 Change acpi_bus_get_acpi_device to acpi_get_acpi_dev
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/092e751fe418623c5ad04e77fa6c993d48d96533
- 092e751fe418623c5ad04e77fa6c993d48d96533 ARK: Remove code marking devices unmaintained
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/c27fa327fb3de69773568d211fd2f8f13a72e342
- c27fa327fb3de69773568d211fd2f8f13a72e342 rh_message: Fix function name
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/c9b07fd3a141ad0283d7eaadf5a06aec9af2b8c9
- c9b07fd3a141ad0283d7eaadf5a06aec9af2b8c9 Add Partner Supported taint flag to kAFS
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/6b0e3a47ec436527a736c0e7159b41624d176dd9
- 6b0e3a47ec436527a736c0e7159b41624d176dd9 Add Partner Supported taint flag
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/3a4e2ad92c430d2f584f56ca686bc75a469d06c0
- 3a4e2ad92c430d2f584f56ca686bc75a469d06c0 kabi: Add kABI macros for enum type
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/04fbd46f834f3a012ca9d5bef91db377a3dbaed0
- 04fbd46f834f3a012ca9d5bef91db377a3dbaed0 kabi: expand and clarify documentation of aux structs
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/cf8df8ef88e094ebb049a7e1e6fec069aaf54faa
- cf8df8ef88e094ebb049a7e1e6fec069aaf54faa kabi: introduce RH_KABI_USE_AUX_PTR
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/31779ca0c6c9aab28184a42ac3f17ac219b37b2b
- 31779ca0c6c9aab28184a42ac3f17ac219b37b2b kabi: rename RH_KABI_SIZE_AND_EXTEND to AUX
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/2e12a05d339ed936b9cd59f420b161d70b4a130a
- 2e12a05d339ed936b9cd59f420b161d70b4a130a kabi: more consistent _RH_KABI_SIZE_AND_EXTEND
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/b83556eebdc2efdc2d2c22610b7cd7c5cafb2bae
- b83556eebdc2efdc2d2c22610b7cd7c5cafb2bae kabi: use fixed field name for extended part
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/4c9a3b306a34ed7017e35b0de26b2d98e1a04373
- 4c9a3b306a34ed7017e35b0de26b2d98e1a04373 kabi: fix dereference in RH_KABI_CHECK_EXT
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/a961660df0a73bcf2dcd8cb8855c2f5d5ded0ae9
- a961660df0a73bcf2dcd8cb8855c2f5d5ded0ae9 kabi: fix RH_KABI_SET_SIZE macro
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/9f9ef5e8b4694fa7fb6a8f941fb741121fe5aab3
- 9f9ef5e8b4694fa7fb6a8f941fb741121fe5aab3 kabi: expand and clarify documentation
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/308d17beeaa6cb4a514f77319b636c9a2c15f5eb
- 308d17beeaa6cb4a514f77319b636c9a2c15f5eb kabi: make RH_KABI_USE replace any number of reserved fields
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/f3d12dffffeee8d6692be46044b9fc8448901692
- f3d12dffffeee8d6692be46044b9fc8448901692 kabi: rename RH_KABI_USE2 to RH_KABI_USE_SPLIT
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/520e726b4e78101e73fa3d77cdcbc21d204a75a9
- 520e726b4e78101e73fa3d77cdcbc21d204a75a9 kabi: change RH_KABI_REPLACE2 to RH_KABI_REPLACE_SPLIT
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/7160868bd40d04e6d1a80f55d1bf9bb62ede0ba3
- 7160868bd40d04e6d1a80f55d1bf9bb62ede0ba3 kabi: change RH_KABI_REPLACE_UNSAFE to RH_KABI_BROKEN_REPLACE
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/0b83063cf6c57dc20a80c35396fa425ec1963d53
- 0b83063cf6c57dc20a80c35396fa425ec1963d53 kabi: introduce RH_KABI_ADD_MODIFIER
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/d276c2393792e3eec80a73a4fe964f9ec11145a7
- d276c2393792e3eec80a73a4fe964f9ec11145a7 kabi: Include kconfig.h
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/28c30de9c771ff91994c9f0a42bdcc260fa97c2d
- 28c30de9c771ff91994c9f0a42bdcc260fa97c2d kabi: macros for intentional kABI breakage
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/9b671c725ac69c47874321e5636e6541bb6d219d
- 9b671c725ac69c47874321e5636e6541bb6d219d kabi: fix the note about terminating semicolon
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/6443eef17fb53f62886ecce519b6e12dd310e7f5
- 6443eef17fb53f62886ecce519b6e12dd310e7f5 kabi: introduce RH_KABI_HIDE_INCLUDE and RH_KABI_FAKE_INCLUDE
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/47746fc3837b476ec265e2a0c2aaa86de0d3994e
- 47746fc3837b476ec265e2a0c2aaa86de0d3994e pci.h: Fix static include
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/67ce66385c6b619356c4030e6163c4fb18a50427
- 67ce66385c6b619356c4030e6163c4fb18a50427 drivers/pci/pci-driver.c: Fix if/ifdef typo
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/0dfd7feeadc964ef2a9d118218b54831381c8d7a
- 0dfd7feeadc964ef2a9d118218b54831381c8d7a kernel/rh_taint.c: Update to new messaging
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/35e5ee153637e59c9297c9cc8ba7f3960277ffc2
- 35e5ee153637e59c9297c9cc8ba7f3960277ffc2 redhat: Add mark_driver_deprecated()
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/ff7aa8cae4c7e3e7bbc1bb5612efc2157c81fa7d
- ff7aa8cae4c7e3e7bbc1bb5612efc2157c81fa7d RHEL: disable io_uring support
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/517351ed810bf2707e7fdb2ab22029aeb594db59
- 517351ed810bf2707e7fdb2ab22029aeb594db59 bpf: Fix unprivileged_bpf_disabled setup
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/48fe2e5f40c901e92d1f8c62bc97f58af4b0906a
- 48fe2e5f40c901e92d1f8c62bc97f58af4b0906a nvme: nvme_mpath_init remove multipath check
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/1c9bd09f303e2c9d2c67fdc46604d94e00cbf67c
- 1c9bd09f303e2c9d2c67fdc46604d94e00cbf67c wireguard: disable in FIPS mode
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/57872981891fe8f3f7205daa4b78c8c0d676b171
- 57872981891fe8f3f7205daa4b78c8c0d676b171 nvme: decouple basic ANA log page re-read support from native multipathing
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/0561f5953431ff471193611cd73af65dd394c8cd
- 0561f5953431ff471193611cd73af65dd394c8cd nvme: allow local retry and proper failover for REQ_FAILFAST_TRANSPORT
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/f801483d711fa5f83a0f9d4c479eeba702d1d477
- f801483d711fa5f83a0f9d4c479eeba702d1d477 nvme: Return BLK_STS_TARGET if the DNR bit is set
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/4f2bc09956ad4829d139e9d69b86ba8b9ebc66e2
- 4f2bc09956ad4829d139e9d69b86ba8b9ebc66e2 REDHAT: coresight: etm4x: Disable coresight on HPE Apollo 70
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/65a21d545cc43328ea00fdbd62e7b45f375adce8
- 65a21d545cc43328ea00fdbd62e7b45f375adce8 redhat: remove remaining references of CONFIG_RH_DISABLE_DEPRECATED
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/1c1b5380b0b56d3be978997b128f84aeb9906656
- 1c1b5380b0b56d3be978997b128f84aeb9906656 arch/x86: Remove vendor specific CPU ID checks
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/f7c032c856ba6379a77b76179d0352929d6039ec
- f7c032c856ba6379a77b76179d0352929d6039ec redhat: Replace hardware.redhat.com link in Unsupported message
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/9a6eb49603959cf0aab0198e13946eaee07801c3
- 9a6eb49603959cf0aab0198e13946eaee07801c3 x86: Fix compile issues with rh_check_supported()
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/8a605436efddfa7dbc6e007b2881fa81f17968a5
- 8a605436efddfa7dbc6e007b2881fa81f17968a5 KEYS: Make use of platform keyring for module signature verify
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/c7c191f662438423a23592db42838ff550c2bdda
- c7c191f662438423a23592db42838ff550c2bdda Input: rmi4 - remove the need for artificial IRQ in case of HID
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/4ae139284600cd6fef133ce7a981485ea73381ab
- 4ae139284600cd6fef133ce7a981485ea73381ab ARM: tegra: usb no reset
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/8156e2102f753bbe0f0dd222a5f232e7f3d99883
- 8156e2102f753bbe0f0dd222a5f232e7f3d99883 arm: make CONFIG_HIGHPTE optional without CONFIG_EXPERT
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/823e733a88ddd21c735288dd3b08348e79872b91
- 823e733a88ddd21c735288dd3b08348e79872b91 redhat: rh_kabi: deduplication friendly structs
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/61d2a751fe1b1305684d6c1899f26fa9e38ac0a9
- 61d2a751fe1b1305684d6c1899f26fa9e38ac0a9 redhat: rh_kabi add a comment with warning about RH_KABI_EXCLUDE usage
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/7d09cb3ea3dd2f3cda5a6a31be429f259106ca61
- 7d09cb3ea3dd2f3cda5a6a31be429f259106ca61 redhat: rh_kabi: introduce RH_KABI_EXTEND_WITH_SIZE
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/c0c51c6f123df02948e11680d9b90324593ba547
- c0c51c6f123df02948e11680d9b90324593ba547 redhat: rh_kabi: Indirect EXTEND macros so nesting of other macros will resolve.
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/96b20c70b39cd28efcec2336417cb0db9ff7853c
- 96b20c70b39cd28efcec2336417cb0db9ff7853c redhat: rh_kabi: Fix RH_KABI_SET_SIZE to use dereference operator
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/198030a81d85dbac8f4030e69d3d376327433487
- 198030a81d85dbac8f4030e69d3d376327433487 redhat: rh_kabi: Add macros to size and extend structs
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/695af00ed9e393abe88d9ee4de3702c15ded186d
- 695af00ed9e393abe88d9ee4de3702c15ded186d Removing Obsolete hba pci-ids from rhel8
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/736038bd8039d1543468c1dc8925f20929645804
- 736038bd8039d1543468c1dc8925f20929645804 mptsas: pci-id table changes
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/83cdf2924bdcc90c433a58129b4501e10b1295dc
- 83cdf2924bdcc90c433a58129b4501e10b1295dc mptspi: pci-id table changes
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/0b634d81ed7f0730e13d720508dbaa6ab94e54d2
- 0b634d81ed7f0730e13d720508dbaa6ab94e54d2 qla2xxx: Remove PCI IDs of deprecated adapter
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/0d11491f9e7fe0c8c301db3256cb47c66ae8450f
- 0d11491f9e7fe0c8c301db3256cb47c66ae8450f hpsa: remove old cciss-based smartarray pci ids
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/75f69a4f7b8f9d38c5efb0231186ed8726e526f2
- 75f69a4f7b8f9d38c5efb0231186ed8726e526f2 kernel: add SUPPORT_REMOVED kernel taint
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/50081b0865239d853d77bc71e54d13fad8bac9f0
- 50081b0865239d853d77bc71e54d13fad8bac9f0 Rename RH_DISABLE_DEPRECATED to RHEL_DIFFERENCES
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/dc84f3cc1b19a0524e58a382c382f34081dc6c35
- dc84f3cc1b19a0524e58a382c382f34081dc6c35 s390: Lock down the kernel when the IPL secure flag is set
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/cb55378c04d6516f303e98061ec7ddd6563429a8
- cb55378c04d6516f303e98061ec7ddd6563429a8 efi: Lock down the kernel if booted in secure boot mode
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/9b06e1f07c3cc9e1d0533b8615426d4d5d9e4ebb
- 9b06e1f07c3cc9e1d0533b8615426d4d5d9e4ebb efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/db249925c6802b38d910927e4d032af1e00bee56
- db249925c6802b38d910927e4d032af1e00bee56 security: lockdown: expose a hook to lock the kernel down
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/f9604bcd305aba2a94e713ee758a51143687ae9f
- f9604bcd305aba2a94e713ee758a51143687ae9f Make get_cert_list() use efi_status_to_str() to print error messages.
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/b75eb3e922c93d78d4190a759f5725e856d35439
- b75eb3e922c93d78d4190a759f5725e856d35439 Add efi_status_to_str() and rework efi_status_to_err().
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/2f80042d6b8199fceadf3623243402066e0cd4ea
- 2f80042d6b8199fceadf3623243402066e0cd4ea Add support for deprecating processors
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/5a3b4f5754788e42db8ed550b359382b600f2b08
- 5a3b4f5754788e42db8ed550b359382b600f2b08 arm: aarch64: Drop the EXPERT setting from ARM64_FORCE_52BIT
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/36cd5d0a0aa0a3be8ac385ca8991563c9e58227f
- 36cd5d0a0aa0a3be8ac385ca8991563c9e58227f iommu/arm-smmu: workaround DMA mode issues
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/ca34010e072550c8d5ea57f9436bab254c3521cc
- ca34010e072550c8d5ea57f9436bab254c3521cc rh_kabi: introduce RH_KABI_EXCLUDE
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/26054e2c4e2253fe955a351971dc6b931cb68961
- 26054e2c4e2253fe955a351971dc6b931cb68961 ipmi: do not configure ipmi for HPE m400
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/9cb0f734492a21a7e506d7145caf143ccd927b2a
- 9cb0f734492a21a7e506d7145caf143ccd927b2a kABI: Add generic kABI macros to use for kABI workarounds
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/4960e5ee4a0e9bb28e512eb35cfa633ac4552049
- 4960e5ee4a0e9bb28e512eb35cfa633ac4552049 add pci_hw_vendor_status()
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/291c4e2878431fd6937c5b9248babe8ec8d4233e
- 291c4e2878431fd6937c5b9248babe8ec8d4233e ahci: thunderx2: Fix for errata that affects stop engine
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/996869cc0b3e78cb9182a4ebced2c46ee2774935
- 996869cc0b3e78cb9182a4ebced2c46ee2774935 Vulcan: AHCI PCI bar fix for Broadcom Vulcan early silicon
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/c1c7a887998ab12c5a1180c4bca3b41c31fe4aa6
- c1c7a887998ab12c5a1180c4bca3b41c31fe4aa6 bpf: set unprivileged_bpf_disabled to 1 by default, add a boot parameter
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/e40c9d10474d1a5b5f7f01175a72ba4a3c7f5e8e
- e40c9d10474d1a5b5f7f01175a72ba4a3c7f5e8e add Red Hat-specific taint flags
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/f23f446b724fbb79c1e09a278fcb427fc29c0c05
- f23f446b724fbb79c1e09a278fcb427fc29c0c05 tags.sh: Ignore redhat/rpm
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/a68aa65a20fba1908a7326e5321ce8bc39a9ae14
- a68aa65a20fba1908a7326e5321ce8bc39a9ae14 put RHEL info into generated headers
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/80937f1973d73fccdc75db4026fbed7cba16f489
- 80937f1973d73fccdc75db4026fbed7cba16f489 aarch64: acpi scan: Fix regression related to X-Gene UARTs
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/3362fd10fe075b48ff8af023da5643bc9477a4c6
- 3362fd10fe075b48ff8af023da5643bc9477a4c6 ACPI / irq: Workaround firmware issue on X-Gene based m400
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/ffc66b174954abecfb360dcc3b98c3139ef12d96
- ffc66b174954abecfb360dcc3b98c3139ef12d96 modules: add rhelversion MODULE_INFO tag
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/7e469c23b8f648d79e8a0e82ee41cda0e50b2f19
- 7e469c23b8f648d79e8a0e82ee41cda0e50b2f19 ACPI: APEI: arm64: Ignore broken HPE moonshot APEI support
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/a0f49117d038de2d4db4940f5f039addb2f7231d
- a0f49117d038de2d4db4940f5f039addb2f7231d Add Red Hat tainting
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/fa67c16e780ed355f9847da90e8055ad1175c238
- fa67c16e780ed355f9847da90e8055ad1175c238 Introduce CONFIG_RH_DISABLE_DEPRECATED
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/e7e1371803470a7840dc61da628cb912834ec149
- e7e1371803470a7840dc61da628cb912834ec149 Pull the RHEL version defines out of the Makefile
-
-https://gitlab.com/cki-project/kernel-ark/-/commit/84d1d3e3d0c2c7ed1f571c8495bad3b4d97cfa8e
- 84d1d3e3d0c2c7ed1f571c8495bad3b4d97cfa8e [initial commit] Add Red Hat variables in the top level makefile
-
--- a/README.rst
+++ b/README.rst
@ -1,25 +0,0 @@
-===================
-The Kernel dist-git
-===================
-
-The kernel is maintained in a `source tree`_ rather than directly in dist-git.
-The specfile is maintained as a `template`_ in the source tree along with a set
-of build scripts to generate configurations, (S)RPMs, and to populate the
-dist-git repository.
-
-The `documentation`_ for the source tree covers how to contribute and maintain
-the tree.
-
-If you're looking for the downstream patch set it's available in the source
-tree with "git log master..ark-patches" or
-`online`_.
-
-Each release in dist-git is tagged in the source repository so you can easily
-check out the source tree for a build. The tags are in the format
-name-version-release, but note release doesn't contain the dist tag since the
-source can be built in different build roots (Fedora, CentOS, etc.)
-
-.. _source tree: https://gitlab.com/cki-project/kernel-ark.git
-.. _template: https://gitlab.com/cki-project/kernel-ark/-/blob/os-build/redhat/kernel.spec.template
-.. _documentation: https://gitlab.com/cki-project/kernel-ark/-/wikis/home
-.. _online: https://gitlab.com/cki-project/kernel-ark/-/commits/ark-patches
--- a/README.txt
+++ b/README.txt
@ -0,0 +1,78 @@
+
+		Kernel package tips & tricks.
+		~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The kernel is one of the more complicated packages in the distro, and
+for the newcomer, some of the voodoo in the spec file can be somewhat scary.
+This file attempts to document some of the magic.
+
+
+Speeding up make prep
+---------------------
+The kernel is nearly 500MB of source code, and as such, 'make prep'
+takes a while. The spec file employs some trickery so that repeated
+invocations of make prep don't take as long.  Ordinarily the %prep
+phase of a package will delete the tree it is about to untar/patch.
+The kernel %prep keeps around an unpatched version of the tree,
+and makes a symlink tree clone of that clean tree and than applies
+the patches listed in the spec to the symlink tree.
+This makes a huge difference if you're doing multiple make preps a day.
+As an added bonus, doing a diff between the clean tree and the symlink
+tree is slightly faster than it would be doing two proper copies of the tree.
+
+
+build logs.
+-----------
+There's a convenience helper script in scripts/grab-logs.sh
+that will grab the build logs from koji for the kernel version reported
+by make verrel
+
+
+config heirarchy.
+-----------------
+Instead of having to maintain a config file for every arch variant we build on,
+the kernel spec uses a nested system of configs. Each option CONFIG_FOO is
+represented by a single file named CONFIG_FOO which contains the state (=y, =m,
+=n). These options are collected in the folder base-generic. Architecture
+specific options are set in nested folders. An option set in a nested folder
+will override the same option set in one of the higher levels.
+
+The individual CONFIG_FOO files only exist in the pkg-git repository. The RPM
+contains kernel-foo.config files which are the result of combining all the
+CONFIG_FOO files. The files are combined by running build_configs.sh. This
+script _must_ be run each time one of the options is changed.
+
+Example flow:
+
+# Enable the option CONFIG_ABC123 as a module for all arches
+echo "CONFIG_ABC123=m" > configs/base-generic/CONFIG_ABC1234
+# enable the option CONFIG_XYZ321 for only x86
+echo "# CONFIG_XYZ321 is not set" > configs/base-generic/CONFIG_XYZ321
+echo "CONFIG_XYZ321=m" > configs/base-generic/x86/CONFIG_XYZ321
+# regenerate the combined config files
+./build_configs.sh
+
+The file config_generation gives a listing of what folders go into each
+config file generated.
+
+debug options.
+--------------
+This is a little complicated, as the purpose & meaning of this changes
+depending on where we are in the release cycle.
+If we are building for a current stable release, 'make release' has
+typically been run already, which sets up the following..
+- Two builds occur, a 'kernel' and a 'kernel-debug' flavor.
+- kernel-debug will get various heavyweight debugging options like
+  lockdep etc turned on.
+
+If we are building for rawhide, 'make debug' has been run, which changes
+the status quo to:
+- We only build one kernel 'kernel'
+- The debug options are always turned on.
+This is done to increase coverage testing, as not many people actually
+run kernel-debug.
+
+The debug options are managed in a separate heierarchy under base-debug. This
+works in a similar manner to base-generic. More deeply nested folders, again,
+override options. The file config_generation gives a listing of what folders
+go into each config file generated.
--- a/10
+++ b/10
@ -0,0 +1,10 @@
+Config TODOs:
+* review & disable a bunch of the I2C, RTC, DVB, SOUND options.
+
+Spec file TODOs:
+
+* modules-extra: Do a few more things to make it a bit more robust.
+  - Allow for comments in the mod-extra.list file.
+  - Don't fail the build if a module is listed but not built (maybe).
+  - See if it can be tied into Kconfig instead of module names.
+
--- a/arm-sdhci-esdhc-imx-fixes.patch
+++ b/arm-sdhci-esdhc-imx-fixes.patch
@ -0,0 +1,172 @@
+From patchwork Thu Jun 28 07:31:36 2018
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: mmc: sdhci-esdhc-imx: support eMMC DDR mode when running at 3.3V
+From: Stefan Agner <stefan@agner.ch>
+X-Patchwork-Id: 10493185
+Message-Id: <20180628073136.21748-1-stefan@agner.ch>
+To: adrian.hunter@intel.com, ulf.hansson@linaro.org
+Cc: fabio.estevam@nxp.com, haibo.chen@nxp.com, aisheng.dong@nxp.com,
+ michael@amarulasolutions.com, linux-mmc@vger.kernel.org,
+ linux-kernel@vger.kernel.org, Stefan Agner <stefan@agner.ch>
+Date: Thu, 28 Jun 2018 09:31:36 +0200
+
+The uSDHC supports DDR modes for eMMC devices running at 3.3V. This
+allows to run eMMC with 3.3V signaling voltage at DDR52 mode:
+
+  # cat /sys/kernel/debug/mmc1/ios
+  clock:          52000000 Hz
+  vdd:            21 (3.3 ~ 3.4 V)
+  bus mode:       2 (push-pull)
+  chip select:    0 (don't care)
+  power mode:     2 (on)
+  bus width:      3 (8 bits)
+  timing spec:    8 (mmc DDR52)
+  signal voltage: 0 (3.30 V)
+  driver type:    0 (driver type B)
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
+index b716b933f00a..6f444731754d 100644
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
+++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -1324,7 +1324,7 @@ static int sdhci_esdhc_imx_probe(struct platform_device *pdev)
+ 
+ 	if (esdhc_is_usdhc(imx_data)) {
+ 		host->quirks2 |= SDHCI_QUIRK2_PRESET_VALUE_BROKEN;
+-		host->mmc->caps |= MMC_CAP_1_8V_DDR;
+		host->mmc->caps |= MMC_CAP_1_8V_DDR | MMC_CAP_3_3V_DDR;
+ 		if (!(imx_data->socdata->flags & ESDHC_FLAG_HS200))
+ 			host->quirks2 |= SDHCI_QUIRK2_BROKEN_HS200;
+ 
+From patchwork Thu Jun 28 08:13:29 2018
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [1/3] mmc: sdhci-esdhc-imx: get rid of support_vsel
+From: Stefan Agner <stefan@agner.ch>
+X-Patchwork-Id: 10493269
+Message-Id: <20180628081331.13051-2-stefan@agner.ch>
+To: adrian.hunter@intel.com, ulf.hansson@linaro.org
+Cc: fabio.estevam@nxp.com, haibo.chen@nxp.com, aisheng.dong@nxp.com,
+ michael@amarulasolutions.com, rmk+kernel@armlinux.org.uk,
+ linux-mmc@vger.kernel.org, linux-kernel@vger.kernel.org,
+ Stefan Agner <stefan@agner.ch>
+Date: Thu, 28 Jun 2018 10:13:29 +0200
+
+The field support_vsel is currently only used in the device tree
+case. Get rid of it. No change in behavior.
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c          | 8 ++------
+ include/linux/platform_data/mmc-esdhc-imx.h | 2 --
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
+index 6f444731754d..20a420b765b3 100644
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
+++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -1145,18 +1145,14 @@ sdhci_esdhc_imx_probe_dt(struct platform_device *pdev,
+ 			     &boarddata->tuning_start_tap);
+ 
+ 	if (of_find_property(np, "no-1-8-v", NULL))
+-		boarddata->support_vsel = false;
+-	else
+-		boarddata->support_vsel = true;
+		host->quirks2 |= SDHCI_QUIRK2_NO_1_8_V;
+ 
+ 	if (of_property_read_u32(np, "fsl,delay-line", &boarddata->delay_line))
+ 		boarddata->delay_line = 0;
+ 
+ 	mmc_of_parse_voltage(np, &host->ocr_mask);
+ 
+-	/* sdr50 and sdr104 need work on 1.8v signal voltage */
+-	if ((boarddata->support_vsel) && esdhc_is_usdhc(imx_data) &&
+-	    !IS_ERR(imx_data->pins_default)) {
+	if (esdhc_is_usdhc(imx_data) && !IS_ERR(imx_data->pins_default)) {
+ 		imx_data->pins_100mhz = pinctrl_lookup_state(imx_data->pinctrl,
+ 						ESDHC_PINCTRL_STATE_100MHZ);
+ 		imx_data->pins_200mhz = pinctrl_lookup_state(imx_data->pinctrl,
+diff --git a/include/linux/platform_data/mmc-esdhc-imx.h b/include/linux/platform_data/mmc-esdhc-imx.h
+index 7daa78a2f342..640dec8b5b0c 100644
+--- a/include/linux/platform_data/mmc-esdhc-imx.h
+++ b/include/linux/platform_data/mmc-esdhc-imx.h
+@@ -34,7 +34,6 @@ enum cd_types {
+  * @cd_gpio:	gpio for card_detect interrupt
+  * @wp_type:	type of write_protect method (see wp_types enum above)
+  * @cd_type:	type of card_detect method (see cd_types enum above)
+- * @support_vsel:  indicate it supports 1.8v switching
+  */
+ 
+ struct esdhc_platform_data {
+@@ -43,7 +42,6 @@ struct esdhc_platform_data {
+ 	enum wp_types wp_type;
+ 	enum cd_types cd_type;
+ 	int max_bus_width;
+-	bool support_vsel;
+ 	unsigned int delay_line;
+ 	unsigned int tuning_step;       /* The delay cell steps in tuning procedure */
+ 	unsigned int tuning_start_tap;	/* The start delay cell point in tuning procedure */
+From patchwork Thu Jun 28 08:13:30 2018
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [2/3] mmc: sdhci: add quirk to prevent higher speed modes
+From: Stefan Agner <stefan@agner.ch>
+X-Patchwork-Id: 10493273
+Message-Id: <20180628081331.13051-3-stefan@agner.ch>
+To: adrian.hunter@intel.com, ulf.hansson@linaro.org
+Cc: fabio.estevam@nxp.com, haibo.chen@nxp.com, aisheng.dong@nxp.com,
+ michael@amarulasolutions.com, rmk+kernel@armlinux.org.uk,
+ linux-mmc@vger.kernel.org, linux-kernel@vger.kernel.org,
+ Stefan Agner <stefan@agner.ch>
+Date: Thu, 28 Jun 2018 10:13:30 +0200
+
+Some hosts are capable of running higher speed modes but do not
+have the board support for it. Introduce a quirk which prevents
+the stack from using modes running at 100MHz or faster.
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+---
+ drivers/mmc/host/sdhci.c | 8 ++++++++
+ drivers/mmc/host/sdhci.h | 2 ++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
+index 1c828e0e9905..8ac257dfaab3 100644
+--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
+@@ -3749,6 +3749,14 @@ int sdhci_setup_host(struct sdhci_host *host)
+ 		}
+ 	}
+ 
+	if (host->quirks2 & SDHCI_QUIRK2_NO_UHS_HS200_HS400) {
+		host->caps1 &= ~(SDHCI_SUPPORT_SDR104 | SDHCI_SUPPORT_SDR50 |
+				 SDHCI_SUPPORT_DDR50);
+
+		mmc->caps2 &= ~(MMC_CAP2_HSX00_1_8V | MMC_CAP2_HSX00_1_2V |
+				MMC_CAP2_HS400_ES);
+	}
+
+ 	if (host->quirks2 & SDHCI_QUIRK2_NO_1_8_V) {
+ 		host->caps1 &= ~(SDHCI_SUPPORT_SDR104 | SDHCI_SUPPORT_SDR50 |
+ 				 SDHCI_SUPPORT_DDR50);
+diff --git a/drivers/mmc/host/sdhci.h b/drivers/mmc/host/sdhci.h
+index 23966f887da6..cb2433d6d61f 100644
+--- a/drivers/mmc/host/sdhci.h
+++ b/drivers/mmc/host/sdhci.h
+@@ -450,6 +450,8 @@ struct sdhci_host {
+  * obtainable timeout.
+  */
+ #define SDHCI_QUIRK2_DISABLE_HW_TIMEOUT			(1<<17)
+/* Do not support any higher speeds (>50MHz) */
+#define SDHCI_QUIRK2_NO_UHS_HS200_HS400			(1<<18)
+ 
+ 	int irq;		/* Device IRQ */
+ 	void __iomem *ioaddr;	/* Mapped address */
--- a/arm64-Add-option-of-13-for-FORCE_MAX_ZONEORDER.patch
+++ b/arm64-Add-option-of-13-for-FORCE_MAX_ZONEORDER.patch
@ -0,0 +1,29 @@
+From 487ff7b0e537506057960a0c2d9482d19f2acf4a Mon Sep 17 00:00:00 2001
+From: Peter Robinson <pbrobinson@gmail.com>
+Date: Wed, 26 Apr 2017 11:12:54 +0100
+Subject: [PATCH] Add option of 13 for FORCE_MAX_ZONEORDER
+
+This is a hack, but it's what the other distros currently use
+for aarch64 with 4K pages so we'll do the same while upstream
+decides what the best outcome is (which isn't this).
+
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 3741859765cf..deec9511f1d3 100644
+--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
+@@ -751,6 +751,7 @@ config XEN
+ config FORCE_MAX_ZONEORDER
+ 	int
+ 	default "14" if (ARM64_64K_PAGES && TRANSPARENT_HUGEPAGE)
+	default "13" if (ARCH_THUNDER && !ARM64_64K_PAGES)
+ 	default "12" if (ARM64_16K_PAGES && TRANSPARENT_HUGEPAGE)
+ 	default "11"
+ 	help
+-- 
+2.12.2
+
--- a/arm64-ZynqMP-firmware-clock-drivers-core.patch
+++ b/arm64-ZynqMP-firmware-clock-drivers-core.patch
--- a/arm64-arch_timer-Workaround-for-Allwinner-A64-timer-instability.patch
+++ b/arm64-arch_timer-Workaround-for-Allwinner-A64-timer-instability.patch
@ -0,0 +1,184 @@
+From patchwork Fri May 11 02:27:50 2018
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Subject: [1/2] arm64: arch_timer: Workaround for Allwinner A64 timer
+ instability
+From: Samuel Holland <samuel@sholland.org>
+X-Patchwork-Id: 10392891
+Message-Id: <20180511022751.9096-2-samuel@sholland.org>
+To: Maxime Ripard <maxime.ripard@bootlin.com>, Chen-Yu Tsai <wens@csie.org>, 
+ Catalin Marinas <catalin.marinas@arm.com>,
+ Will Deacon <will.deacon@arm.com>,
+ Daniel Lezcano <daniel.lezcano@linaro.org>,
+ Thomas Gleixner <tglx@linutronix.de>, Marc Zyngier <marc.zyngier@arm.com>
+Cc: linux-sunxi@googlegroups.com, linux-kernel@vger.kernel.org,
+ linux-arm-kernel@lists.infradead.org, Samuel Holland <samuel@sholland.org>
+Date: Thu, 10 May 2018 21:27:50 -0500
+
+The Allwinner A64 SoC is known [1] to have an unstable architectural
+timer, which manifests itself most obviously in the time jumping forward
+a multiple of 95 years [2][3]. This coincides with 2^56 cycles at a
+timer frequency of 24 MHz, implying that the time went slightly backward
+(and this was interpreted by the kernel as it jumping forward and
+wrapping around past the epoch).
+
+Further investigation revealed instability in the low bits of CNTVCT at
+the point a high bit rolls over. This leads to power-of-two cycle
+forward and backward jumps. (Testing shows that forward jumps are about
+twice as likely as backward jumps.)
+
+Without trapping reads to CNTVCT, a userspace program is able to read it
+in a loop faster than it changes. A test program running on all 4 CPU
+cores that reported jumps larger than 100 ms was run for 13.6 hours and
+reported the following:
+
+ Count | Event
+-------+---------------------------
+  9940 | jumped backward      699ms
+   268 | jumped backward     1398ms
+     1 | jumped backward     2097ms
+ 16020 | jumped forward       175ms
+  6443 | jumped forward       699ms
+  2976 | jumped forward      1398ms
+     9 | jumped forward    356516ms
+     9 | jumped forward    357215ms
+     4 | jumped forward    714430ms
+     1 | jumped forward   3578440ms
+
+This works out to a jump larger than 100 ms about every 5.5 seconds on
+each CPU core.
+
+The largest jump (almost an hour!) was the following sequence of reads:
+      0x0000007fffffffff → 0x00000093feffffff → 0x0000008000000000
+
+Note that the middle bits don't necessarily all read as all zeroes or
+all ones during the anomalous behavior; however the low 11 bits checked
+by the function in this patch have never been observed with any other
+value.
+
+Also note that smaller jumps are much more common, with the smallest
+backward jumps of 2048 cycles observed over 400 times per second on each
+core. (Of course, this is partially due to lower bits rolling over more
+frequently.) Any one of these could have caused the 95 year time skip.
+
+Similar anomalies were observed while reading CNTPCT (after patching the
+kernel to allow reads from userspace). However, the jumps are much less
+frequent, and only small jumps were observed. The same program as before
+(except now reading CNTPCT) observed after 72 hours:
+
+ Count | Event
+-------+---------------------------
+    17 | jumped backward      699ms
+    52 | jumped forward       175ms
+  2831 | jumped forward       699ms
+     5 | jumped forward      1398ms
+Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Tested-by: Andre Przywara <andre.przywara@arm.com>
+
+========================================================================
+
+Because the CPU can read the CNTPCT/CNTVCT registers faster than they
+change, performing two reads of the register and comparing the high bits
+(like other workarounds) is not a workable solution. And because the
+timer can jump both forward and backward, no pair of reads can
+distinguish a good value from a bad one. The only way to guarantee a
+good value from consecutive reads would be to read _three_ times, and
+take the middle value iff the three values are 1) individually unique
+and 2) increasing. This takes at minimum 3 cycles (125 ns), or more if
+an anomaly is detected.
+
+However, since there is a distinct pattern to the bad values, we can
+optimize the common case (2046/2048 of the time) to a single read by
+simply ignoring values that match the pattern. This still takes no more
+than 3 cycles in the worst case, and requires much less code.
+
+[1]: https://github.com/armbian/build/commit/a08cd6fe7ae9
+[2]: https://forum.armbian.com/topic/3458-a64-datetime-clock-issue/
+[3]: https://irclog.whitequark.org/linux-sunxi/2018-01-26
+
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+---
+ drivers/clocksource/Kconfig          | 11 ++++++++++
+ drivers/clocksource/arm_arch_timer.c | 39 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+)
+
+diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig
+index 8e8a09755d10..7a5d434dd30b 100644
+--- a/drivers/clocksource/Kconfig
+++ b/drivers/clocksource/Kconfig
+@@ -364,6 +364,17 @@ config ARM64_ERRATUM_858921
+ 	  The workaround will be dynamically enabled when an affected
+ 	  core is detected.
+ 
+config SUN50I_A64_UNSTABLE_TIMER
+	bool "Workaround for Allwinner A64 timer instability"
+	default y
+	depends on ARM_ARCH_TIMER && ARM64 && ARCH_SUNXI
+	select ARM_ARCH_TIMER_OOL_WORKAROUND
+	help
+	  This option enables a workaround for instability in the timer on
+	  the Allwinner A64 SoC. The workaround will only be active if the
+	  allwinner,sun50i-a64-unstable-timer property is found in the
+	  timer node.
+
+ config ARM_GLOBAL_TIMER
+ 	bool "Support for the ARM global timer" if COMPILE_TEST
+ 	select TIMER_OF if OF
+diff --git a/drivers/clocksource/arm_arch_timer.c b/drivers/clocksource/arm_arch_timer.c
+index 57cb2f00fc07..66ce13578c52 100644
+--- a/drivers/clocksource/arm_arch_timer.c
+++ b/drivers/clocksource/arm_arch_timer.c
+@@ -319,6 +319,36 @@ static u64 notrace arm64_858921_read_cntvct_el0(void)
+ }
+ #endif
+ 
+#ifdef CONFIG_SUN50I_A64_UNSTABLE_TIMER
+/*
+ * The low bits of each register can transiently read as all ones or all zeroes
+ * when bit 11 or greater rolls over. Since the value can jump both backward
+ * (7ff -> 000 -> 800) and forward (7ff -> fff -> 800), it is simplest to just
+ * ignore register values with all ones or zeros in the low bits.
+ */
+static u64 notrace sun50i_a64_read_cntpct_el0(void)
+{
+	u64 val;
+
+	do {
+		val = read_sysreg(cntpct_el0);
+	} while (((val + 1) & GENMASK(10, 0)) <= 1);
+
+	return val;
+}
+
+static u64 notrace sun50i_a64_read_cntvct_el0(void)
+{
+	u64 val;
+
+	do {
+		val = read_sysreg(cntvct_el0);
+	} while (((val + 1) & GENMASK(10, 0)) <= 1);
+
+	return val;
+}
+#endif
+
+ #ifdef CONFIG_ARM_ARCH_TIMER_OOL_WORKAROUND
+ DEFINE_PER_CPU(const struct arch_timer_erratum_workaround *, timer_unstable_counter_workaround);
+ EXPORT_SYMBOL_GPL(timer_unstable_counter_workaround);
+@@ -408,6 +438,15 @@ static const struct arch_timer_erratum_workaround ool_workarounds[] = {
+ 		.read_cntvct_el0 = arm64_858921_read_cntvct_el0,
+ 	},
+ #endif
+#ifdef CONFIG_SUN50I_A64_UNSTABLE_TIMER
+	{
+		.match_type = ate_match_dt,
+		.id = "allwinner,sun50i-a64-unstable-timer",
+		.desc = "Allwinner A64 timer instability",
+		.read_cntpct_el0 = sun50i_a64_read_cntpct_el0,
+		.read_cntvct_el0 = sun50i_a64_read_cntvct_el0,
+	},
+#endif
+ };
+ 
+ typedef bool (*ate_match_fn_t)(const struct arch_timer_erratum_workaround *,
--- a/arm64-dts-allwinner-a64-Enable-A64-timer-workaround.patch
+++ b/arm64-dts-allwinner-a64-Enable-A64-timer-workaround.patch
@ -0,0 +1,38 @@
+From patchwork Fri May 11 02:27:51 2018
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [2/2] arm64: dts: allwinner: a64: Enable A64 timer workaround
+From: Samuel Holland <samuel@sholland.org>
+X-Patchwork-Id: 10392889
+Message-Id: <20180511022751.9096-3-samuel@sholland.org>
+To: Maxime Ripard <maxime.ripard@bootlin.com>, Chen-Yu Tsai <wens@csie.org>, 
+ Catalin Marinas <catalin.marinas@arm.com>,
+ Will Deacon <will.deacon@arm.com>,
+ Daniel Lezcano <daniel.lezcano@linaro.org>,
+ Thomas Gleixner <tglx@linutronix.de>, Marc Zyngier <marc.zyngier@arm.com>
+Cc: linux-sunxi@googlegroups.com, linux-kernel@vger.kernel.org,
+ linux-arm-kernel@lists.infradead.org, Samuel Holland <samuel@sholland.org>
+Date: Thu, 10 May 2018 21:27:51 -0500
+
+As instability in the architectural timer has been observed on multiple
+devices using this SoC, inluding the Pine64 and the Orange Pi Win,
+enable the workaround in the SoC's device tree.
+
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+---
+ arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi
+index 1b2ef28c42bd..5202b76e9684 100644
+--- a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi
+@@ -152,6 +152,7 @@
+ 
+ 	timer {
+ 		compatible = "arm,armv8-timer";
+		allwinner,sun50i-a64-unstable-timer;
+ 		interrupts = <GIC_PPI 13
+ 			(GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_LEVEL_HIGH)>,
+ 			     <GIC_PPI 14
--- a/ath9k-rx-dma-stop-check.patch
+++ b/ath9k-rx-dma-stop-check.patch
@ -0,0 +1,38 @@
+From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org>
+Date: Wed, 6 Feb 2013 09:57:47 -0500
+Subject: [PATCH] ath9k: rx dma stop check
+
+---
+ drivers/net/wireless/ath/ath9k/mac.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/mac.c b/drivers/net/wireless/ath/ath9k/mac.c
+index bba85d1a6cd1..ebbee8f17130 100644
+--- a/drivers/net/wireless/ath/ath9k/mac.c
+++ b/drivers/net/wireless/ath/ath9k/mac.c
+@@ -693,7 +693,7 @@ bool ath9k_hw_stopdmarecv(struct ath_hw *ah, bool *reset)
+ {
+ #define AH_RX_STOP_DMA_TIMEOUT 10000   /* usec */
+ 	struct ath_common *common = ath9k_hw_common(ah);
+-	u32 mac_status, last_mac_status = 0;
+	u32 mac_status = 0, last_mac_status = 0;
+ 	int i;
+ 
+ 	/* Enable access to the DMA observation bus */
+@@ -723,6 +723,16 @@ bool ath9k_hw_stopdmarecv(struct ath_hw *ah, bool *reset)
+ 	}
+ 
+ 	if (i == 0) {
+		if (!AR_SREV_9300_20_OR_LATER(ah) &&
+		    (mac_status & 0x700) == 0) {
+			/*
+			 * DMA is idle but the MAC is still stuck
+			 * processing events
+			 */
+			*reset = true;
+			return true;
+		}
+
+ 		ath_err(common,
+ 			"DMA failed to stop in %d ms AR_CR=0x%08x AR_DIAG_SW=0x%08x DMADBG_7=0x%08x\n",
+ 			AH_RX_STOP_DMA_TIMEOUT / 1000,
--- a/baseconfig/CONFIG_60XX_WDT
+++ b/baseconfig/CONFIG_60XX_WDT
@ -0,0 +1 @@
+# CONFIG_60XX_WDT is not set
--- a/baseconfig/CONFIG_6LOWPAN
+++ b/baseconfig/CONFIG_6LOWPAN
@ -0,0 +1 @@
+CONFIG_6LOWPAN=m
--- a/baseconfig/CONFIG_6LOWPAN_DEBUGFS
+++ b/baseconfig/CONFIG_6LOWPAN_DEBUGFS
@ -0,0 +1 @@
+CONFIG_6LOWPAN_DEBUGFS=y
--- a/baseconfig/CONFIG_6LOWPAN_GHC_EXT_HDR_DEST
+++ b/baseconfig/CONFIG_6LOWPAN_GHC_EXT_HDR_DEST
@ -0,0 +1 @@
+CONFIG_6LOWPAN_GHC_EXT_HDR_DEST=m
--- a/baseconfig/CONFIG_6LOWPAN_GHC_EXT_HDR_FRAG
+++ b/baseconfig/CONFIG_6LOWPAN_GHC_EXT_HDR_FRAG
@ -0,0 +1 @@
+CONFIG_6LOWPAN_GHC_EXT_HDR_FRAG=m
--- a/baseconfig/CONFIG_6LOWPAN_GHC_EXT_HDR_HOP
+++ b/baseconfig/CONFIG_6LOWPAN_GHC_EXT_HDR_HOP
@ -0,0 +1 @@
+CONFIG_6LOWPAN_GHC_EXT_HDR_HOP=m
--- a/baseconfig/CONFIG_6LOWPAN_GHC_EXT_HDR_ROUTE
+++ b/baseconfig/CONFIG_6LOWPAN_GHC_EXT_HDR_ROUTE
@ -0,0 +1 @@
+CONFIG_6LOWPAN_GHC_EXT_HDR_ROUTE=m
--- a/baseconfig/CONFIG_6LOWPAN_GHC_ICMPV6
+++ b/baseconfig/CONFIG_6LOWPAN_GHC_ICMPV6
@ -0,0 +1 @@
+CONFIG_6LOWPAN_GHC_ICMPV6=m
--- a/baseconfig/CONFIG_6LOWPAN_GHC_UDP
+++ b/baseconfig/CONFIG_6LOWPAN_GHC_UDP
@ -0,0 +1 @@
+CONFIG_6LOWPAN_GHC_UDP=m
--- a/baseconfig/CONFIG_6LOWPAN_NHC
+++ b/baseconfig/CONFIG_6LOWPAN_NHC
@ -0,0 +1 @@
+CONFIG_6LOWPAN_NHC=m
--- a/baseconfig/CONFIG_6LOWPAN_NHC_DEST
+++ b/baseconfig/CONFIG_6LOWPAN_NHC_DEST
@ -0,0 +1 @@
+CONFIG_6LOWPAN_NHC_DEST=m
--- a/baseconfig/CONFIG_6LOWPAN_NHC_FRAGMENT
+++ b/baseconfig/CONFIG_6LOWPAN_NHC_FRAGMENT
@ -0,0 +1 @@
+CONFIG_6LOWPAN_NHC_FRAGMENT=m
--- a/baseconfig/CONFIG_6LOWPAN_NHC_HOP
+++ b/baseconfig/CONFIG_6LOWPAN_NHC_HOP
@ -0,0 +1 @@
+CONFIG_6LOWPAN_NHC_HOP=m
--- a/baseconfig/CONFIG_6LOWPAN_NHC_IPV6
+++ b/baseconfig/CONFIG_6LOWPAN_NHC_IPV6
@ -0,0 +1 @@
+CONFIG_6LOWPAN_NHC_IPV6=m
--- a/baseconfig/CONFIG_6LOWPAN_NHC_MOBILITY
+++ b/baseconfig/CONFIG_6LOWPAN_NHC_MOBILITY
@ -0,0 +1 @@
+CONFIG_6LOWPAN_NHC_MOBILITY=m
--- a/baseconfig/CONFIG_6LOWPAN_NHC_ROUTING
+++ b/baseconfig/CONFIG_6LOWPAN_NHC_ROUTING
@ -0,0 +1 @@
+CONFIG_6LOWPAN_NHC_ROUTING=m
--- a/baseconfig/CONFIG_6LOWPAN_NHC_UDP
+++ b/baseconfig/CONFIG_6LOWPAN_NHC_UDP
@ -0,0 +1 @@
+CONFIG_6LOWPAN_NHC_UDP=m
--- a/baseconfig/CONFIG_6PACK
+++ b/baseconfig/CONFIG_6PACK
@ -0,0 +1 @@
+CONFIG_6PACK=m
--- a/baseconfig/CONFIG_8139CP
+++ b/baseconfig/CONFIG_8139CP
@ -0,0 +1 @@
+CONFIG_8139CP=m
--- a/baseconfig/CONFIG_8139TOO
+++ b/baseconfig/CONFIG_8139TOO
@ -0,0 +1 @@
+CONFIG_8139TOO=m
--- a/baseconfig/CONFIG_8139TOO_8129
+++ b/baseconfig/CONFIG_8139TOO_8129
@ -0,0 +1 @@
+CONFIG_8139TOO_8129=y
--- a/baseconfig/CONFIG_8139TOO_PIO
+++ b/baseconfig/CONFIG_8139TOO_PIO
@ -0,0 +1 @@
+# CONFIG_8139TOO_PIO is not set
--- a/baseconfig/CONFIG_8139TOO_TUNE_TWISTER
+++ b/baseconfig/CONFIG_8139TOO_TUNE_TWISTER
@ -0,0 +1 @@
+# CONFIG_8139TOO_TUNE_TWISTER is not set
--- a/baseconfig/CONFIG_8139_OLD_RX_RESET
+++ b/baseconfig/CONFIG_8139_OLD_RX_RESET
@ -0,0 +1 @@
+# CONFIG_8139_OLD_RX_RESET is not set
--- a/baseconfig/CONFIG_8723AU_AP_MODE
+++ b/baseconfig/CONFIG_8723AU_AP_MODE
@ -0,0 +1 @@
+# CONFIG_8723AU_AP_MODE is not set
--- a/baseconfig/CONFIG_8723AU_BT_COEXIST
+++ b/baseconfig/CONFIG_8723AU_BT_COEXIST
@ -0,0 +1 @@
+# CONFIG_8723AU_BT_COEXIST is not set
--- a/baseconfig/CONFIG_9P_FS
+++ b/baseconfig/CONFIG_9P_FS
@ -0,0 +1 @@
+CONFIG_9P_FS=m
--- a/baseconfig/CONFIG_9P_FSCACHE
+++ b/baseconfig/CONFIG_9P_FSCACHE
@ -0,0 +1 @@
+CONFIG_9P_FSCACHE=y
--- a/baseconfig/CONFIG_9P_FS_POSIX_ACL
+++ b/baseconfig/CONFIG_9P_FS_POSIX_ACL
@ -0,0 +1 @@
+CONFIG_9P_FS_POSIX_ACL=y
--- a/baseconfig/CONFIG_9P_FS_SECURITY
+++ b/baseconfig/CONFIG_9P_FS_SECURITY
@ -0,0 +1 @@
+CONFIG_9P_FS_SECURITY=y
--- a/baseconfig/CONFIG_A11Y_BRAILLE_CONSOLE
+++ b/baseconfig/CONFIG_A11Y_BRAILLE_CONSOLE
@ -0,0 +1 @@
+CONFIG_A11Y_BRAILLE_CONSOLE=y
--- a/baseconfig/CONFIG_AB3100_CORE
+++ b/baseconfig/CONFIG_AB3100_CORE
@ -0,0 +1 @@
+# CONFIG_AB3100_CORE is not set
--- a/baseconfig/CONFIG_AB3100_OTP
+++ b/baseconfig/CONFIG_AB3100_OTP
@ -0,0 +1 @@
+# CONFIG_AB3100_OTP is not set
--- a/baseconfig/CONFIG_ABP060MG
+++ b/baseconfig/CONFIG_ABP060MG
@ -0,0 +1 @@
+CONFIG_ABP060MG=m
--- a/baseconfig/CONFIG_ABX500_CORE
+++ b/baseconfig/CONFIG_ABX500_CORE
@ -0,0 +1 @@
+# CONFIG_ABX500_CORE is not set
--- a/baseconfig/CONFIG_ACCESSIBILITY
+++ b/baseconfig/CONFIG_ACCESSIBILITY
@ -0,0 +1 @@
+CONFIG_ACCESSIBILITY=y
--- a/baseconfig/CONFIG_ACENIC
+++ b/baseconfig/CONFIG_ACENIC
@ -0,0 +1 @@
+CONFIG_ACENIC=m
--- a/baseconfig/CONFIG_ACENIC_OMIT_TIGON_I
+++ b/baseconfig/CONFIG_ACENIC_OMIT_TIGON_I
@ -0,0 +1 @@
+# CONFIG_ACENIC_OMIT_TIGON_I is not set
--- a/baseconfig/CONFIG_ACORN_PARTITION
+++ b/baseconfig/CONFIG_ACORN_PARTITION
@ -0,0 +1 @@
+# CONFIG_ACORN_PARTITION is not set
--- a/baseconfig/CONFIG_ACPI_ALS
+++ b/baseconfig/CONFIG_ACPI_ALS
@ -0,0 +1 @@
+CONFIG_ACPI_ALS=m
--- a/baseconfig/CONFIG_ACPI_DEBUG
+++ b/baseconfig/CONFIG_ACPI_DEBUG
@ -0,0 +1 @@
+# CONFIG_ACPI_DEBUG is not set
--- a/baseconfig/CONFIG_ACPI_DEBUGGER
+++ b/baseconfig/CONFIG_ACPI_DEBUGGER
@ -0,0 +1 @@
+# CONFIG_ACPI_DEBUGGER is not set
--- a/baseconfig/CONFIG_ACPI_NFIT
+++ b/baseconfig/CONFIG_ACPI_NFIT
@ -0,0 +1 @@
+# CONFIG_ACPI_NFIT is not set
--- a/baseconfig/CONFIG_ACPI_PCI_SLOT
+++ b/baseconfig/CONFIG_ACPI_PCI_SLOT
@ -0,0 +1 @@
+CONFIG_ACPI_PCI_SLOT=y
--- a/baseconfig/CONFIG_ACPI_SPCR_TABLE
+++ b/baseconfig/CONFIG_ACPI_SPCR_TABLE
@ -0,0 +1 @@
+CONFIG_ACPI_SPCR_TABLE=y
--- a/baseconfig/CONFIG_ACQUIRE_WDT
+++ b/baseconfig/CONFIG_ACQUIRE_WDT
@ -0,0 +1 @@
+# CONFIG_ACQUIRE_WDT is not set
--- a/baseconfig/CONFIG_AD2S1200
+++ b/baseconfig/CONFIG_AD2S1200
@ -0,0 +1 @@
+# CONFIG_AD2S1200 is not set
--- a/baseconfig/CONFIG_AD2S1210
+++ b/baseconfig/CONFIG_AD2S1210
@ -0,0 +1 @@
+# CONFIG_AD2S1210 is not set
--- a/baseconfig/CONFIG_AD2S90
+++ b/baseconfig/CONFIG_AD2S90
@ -0,0 +1 @@
+# CONFIG_AD2S90 is not set
--- a/baseconfig/CONFIG_AD5064
+++ b/baseconfig/CONFIG_AD5064
@ -0,0 +1 @@
+# CONFIG_AD5064 is not set
--- a/baseconfig/CONFIG_AD525X_DPOT
+++ b/baseconfig/CONFIG_AD525X_DPOT
@ -0,0 +1 @@
+# CONFIG_AD525X_DPOT is not set
--- a/baseconfig/CONFIG_AD5360
+++ b/baseconfig/CONFIG_AD5360
@ -0,0 +1 @@
+# CONFIG_AD5360 is not set
--- a/baseconfig/CONFIG_AD5380
+++ b/baseconfig/CONFIG_AD5380
@ -0,0 +1 @@
+# CONFIG_AD5380 is not set
--- a/baseconfig/CONFIG_AD5421
+++ b/baseconfig/CONFIG_AD5421
@ -0,0 +1 @@
+# CONFIG_AD5421 is not set
--- a/baseconfig/CONFIG_AD5446
+++ b/baseconfig/CONFIG_AD5446
@ -0,0 +1 @@
+# CONFIG_AD5446 is not set
--- a/baseconfig/CONFIG_AD5449
+++ b/baseconfig/CONFIG_AD5449
@ -0,0 +1 @@
+# CONFIG_AD5449 is not set
--- a/baseconfig/CONFIG_AD5504
+++ b/baseconfig/CONFIG_AD5504
@ -0,0 +1 @@
+# CONFIG_AD5504 is not set
--- a/baseconfig/CONFIG_AD5592R
+++ b/baseconfig/CONFIG_AD5592R
@ -0,0 +1 @@
+# CONFIG_AD5592R is not set
--- a/Show more
+++ b/Show more