Merge remote-tracking branch 'origin/f28' into f28-user-thl-vanilla-fedora

4 files changed, 560 insertions, 1 deletions

diff --git a/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
new file mode 100644
index 000000000..816c4f0ea
--- /dev/null
+++ b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
@@ -0,0 +1,85 @@
+From 219a3e8676f3132d27b530c7d2d6bcab89536b57 Mon Sep 17 00:00:00 2001
+From: Kairui Song <kasong@redhat.com>
+Date: Mon, 21 Jan 2019 17:59:28 +0800
+Subject: [PATCH] integrity, KEYS: add a reference to platform keyring
+
+commit 9dc92c45177a ("integrity: Define a trusted platform keyring")
+introduced a .platform keyring for storing preboot keys, used for
+verifying kernel image signatures. Currently only IMA-appraisal is able
+to use the keyring to verify kernel images that have their signature
+stored in xattr.
+
+This patch exposes the .platform keyring, making it accessible for
+verifying PE signed kernel images as well.
+
+Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Kairui Song <kasong@redhat.com>
+Cc: David Howells <dhowells@redhat.com>
+[zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix]
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+---
+ certs/system_keyring.c        | 10 ++++++++++
+ include/keys/system_keyring.h |  8 ++++++++
+ security/integrity/digsig.c   |  3 +++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index 81728717523d..da055e901df4 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
+ #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+ static struct key *secondary_trusted_keys;
+ #endif
++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
++static struct key *platform_trusted_keys;
++#endif
+ 
+ extern __initconst const u8 system_certificate_list[];
+ extern __initconst const unsigned long system_certificate_list_size;
+@@ -266,3 +269,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
+ EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
+ 
+ #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
++
++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
++void __init set_platform_trusted_keys(struct key *keyring)
++{
++	platform_trusted_keys = keyring;
++}
++#endif
+diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
+index 359c2f936004..42a93eda331c 100644
+--- a/include/keys/system_keyring.h
++++ b/include/keys/system_keyring.h
+@@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void)
+ }
+ #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
+ 
++#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
++	defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
++extern void __init set_platform_trusted_keys(struct key *keyring);
++#else
++static inline void set_platform_trusted_keys(struct key *keyring)
++{
++}
++#endif
+ 
+ #endif /* _KEYS_SYSTEM_KEYRING_H */
+diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
+index f45d6edecf99..e19c2eb72c51 100644
+--- a/security/integrity/digsig.c
++++ b/security/integrity/digsig.c
+@@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
+ 		pr_info("Can't allocate %s keyring (%d)\n",
+ 			keyring_name[id], err);
+ 		keyring[id] = NULL;
++	} else {
++		if (id == INTEGRITY_KEYRING_PLATFORM)
++			set_platform_trusted_keys(keyring[id]);
+ 	}
+ 
+ 	return err;
+-- 
+2.20.1
+
diff --git a/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch b/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch
new file mode 100644
index 000000000..af0d926e7
--- /dev/null
+++ b/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch
@@ -0,0 +1,98 @@
+From 278311e417be60f7caef6fcb12bda4da2711ceff Mon Sep 17 00:00:00 2001
+From: Kairui Song <kasong@redhat.com>
+Date: Mon, 21 Jan 2019 17:59:29 +0800
+Subject: [PATCH] kexec, KEYS: Make use of platform keyring for signature
+ verify
+
+This patch allows the kexec_file_load syscall to verify the PE signed
+kernel image signature based on the preboot keys stored in the .platform
+keyring, as fall back, if the signature verification failed due to not
+finding the public key in the secondary or builtin keyrings.
+
+This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous
+VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature
+should verify the signature using platform keyring.  Also, decrease
+the error message log level when verification failed with -ENOKEY,
+so that if called tried multiple time with different keyring it
+won't generate extra noises.
+
+Signed-off-by: Kairui Song <kasong@redhat.com>
+Cc: David Howells <dhowells@redhat.com>
+Acked-by: Dave Young <dyoung@redhat.com> (for kexec_file_load part)
+[zohar@linux.ibm.com: tweaked the first paragraph of the patch description,
+ and fixed checkpatch warning.]
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+---
+ arch/x86/kernel/kexec-bzimage64.c | 14 +++++++++++---
+ certs/system_keyring.c            | 13 ++++++++++++-
+ include/linux/verification.h      |  1 +
+ 3 files changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
+index 278cd07228dd..e1215a600064 100644
+--- a/arch/x86/kernel/kexec-bzimage64.c
++++ b/arch/x86/kernel/kexec-bzimage64.c
+@@ -531,9 +531,17 @@ static int bzImage64_cleanup(void *loader_data)
+ #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
+ static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
+ {
+-	return verify_pefile_signature(kernel, kernel_len,
+-				       VERIFY_USE_SECONDARY_KEYRING,
+-				       VERIFYING_KEXEC_PE_SIGNATURE);
++	int ret;
++
++	ret = verify_pefile_signature(kernel, kernel_len,
++				      VERIFY_USE_SECONDARY_KEYRING,
++				      VERIFYING_KEXEC_PE_SIGNATURE);
++	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
++		ret = verify_pefile_signature(kernel, kernel_len,
++					      VERIFY_USE_PLATFORM_KEYRING,
++					      VERIFYING_KEXEC_PE_SIGNATURE);
++	}
++	return ret;
+ }
+ #endif
+ 
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index da055e901df4..c05c29ae4d5d 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -240,11 +240,22 @@ int verify_pkcs7_signature(const void *data, size_t len,
+ #else
+ 		trusted_keys = builtin_trusted_keys;
+ #endif
++	} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
++		trusted_keys = platform_trusted_keys;
++#else
++		trusted_keys = NULL;
++#endif
++		if (!trusted_keys) {
++			ret = -ENOKEY;
++			pr_devel("PKCS#7 platform keyring is not available\n");
++			goto error;
++		}
+ 	}
+ 	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
+ 	if (ret < 0) {
+ 		if (ret == -ENOKEY)
+-			pr_err("PKCS#7 signature not signed with a trusted key\n");
++			pr_devel("PKCS#7 signature not signed with a trusted key\n");
+ 		goto error;
+ 	}
+ 
+diff --git a/include/linux/verification.h b/include/linux/verification.h
+index cfa4730d607a..018fb5f13d44 100644
+--- a/include/linux/verification.h
++++ b/include/linux/verification.h
+@@ -17,6 +17,7 @@
+  * should be used.
+  */
+ #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
++#define VERIFY_USE_PLATFORM_KEYRING  ((struct key *)2UL)
+ 
+ /*
+  * The use to which an asymmetric key is being put.
+-- 
+2.20.1
+
diff --git a/0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch b/0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch
new file mode 100644
index 000000000..5ecaffc1a
--- /dev/null
+++ b/0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch
@@ -0,0 +1,365 @@
+From de5d850913e9d5fb272f386fb36ef5f5776afb0c Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 29 Apr 2019 15:11:26 +0200
+Subject: [PATCH] platform/x86: ideapad-laptop: Remove no_hw_rfkill_list
+
+When the ideapad-laptop driver was first written it was written for laptops
+which had a hardware rfkill switch. So when the first ideapad laptops
+showed up without a hw rfkill switch and it turned out that in this case
+the ideapad firmware interface would always report the wifi being hardware-
+blocked, a DMI id list of models which lack a hw rfkill switch was started
+(by yours truly). Things were done this way to avoid regressing existing
+models with a hw rfkill switch. In hindsight this was a mistake.
+
+Lenovo releases a lot of ideapad models every year and even the latest
+models still use the "VPC2004" ACPI interface the ideapad-laptop driver
+binds to. Having a hw rfkill switch is quite rare on modern hardware, so
+all these new models need to be added to the no_hw_rfkill_list, leading
+to a never ending game of whack a mole.
+
+Worse the failure mode when not present on the list, is very bad. In this
+case the ideapad-laptop driver will report the wifi as being hw-blocked,
+at which points NetworkManager does not even try to use it and the user
+ends up with non working wifi.
+
+This leads to various Linux fora on the internet being filled with
+wifi not working on ideapad laptops stories, which does not make Linux
+look good.
+
+The failure mode when we flip the default to assuming that a hw rfkill
+switch is not present OTOH is quite benign. When we properly report the
+wifi as being hw-blocked on ideapads which do have the hw-switch; and it
+is in the wifi-off position, then at least when using NetworkManager +
+GNOME3 the user will get a "wifi disabled in hardware" message when trying
+to connect to the wifi from the UI. If OTOH we assume there is no hardware
+rfkill switch, then the user will get an empty list for the list of
+available networks. Although the empty list vs the "wifi disabled in
+hardware" message is a regression, it is a very minor regression and it
+can easily be fixed on a model by model basis by filling the new
+hw_rfkill_list this commit introduces.
+
+Therefor this commit removes the ever growing no_hw_rfkill_list, flipping
+the default to assuming there is no hw rfkill switch and adding a new
+hw_rfkill_list. Thereby fixing the wifi not working on all the current
+ideapad and yoga models which are not on the list yet and also fixing it
+for all future ideapad and yoga models using the "VPC2004" ACPI interface.
+
+Note once this patch has been accepted upstream. I plan to write a blog
+post asking for users of ideapads and yoga's with a hw rfkill switch to
+step forward, so that we can populate the new hw_rfkill_list with the few
+older yoga and ideapad models which actually have a hw rfkill switch.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1703338
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+---
+ drivers/platform/x86/ideapad-laptop.c | 321 ++------------------------
+ 1 file changed, 15 insertions(+), 306 deletions(-)
+
+diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
+index c53ae86b59c7..2d94536dea88 100644
+--- a/drivers/platform/x86/ideapad-laptop.c
++++ b/drivers/platform/x86/ideapad-laptop.c
+@@ -980,277 +980,21 @@ static void ideapad_wmi_notify(u32 value, void *context)
+ #endif
+ 
+ /*
+- * Some ideapads don't have a hardware rfkill switch, reading VPCCMD_R_RF
+- * always results in 0 on these models, causing ideapad_laptop to wrongly
+- * report all radios as hardware-blocked.
++ * Some ideapads have a hardware rfkill switch, but most do not have one.
++ * Reading VPCCMD_R_RF always results in 0 on models without a hardware rfkill,
++ * switch causing ideapad_laptop to wrongly report all radios as hw-blocked.
++ * There used to be a long list of DMI ids for models without a hw rfkill
++ * switch here, but that resulted in playing whack a mole.
++ * More importantly wrongly reporting the wifi radio as hw-blocked, results in
++ * non working wifi. Whereas not reporting it hw-blocked, when it actually is
++ * hw-blocked results in an empty SSID list, which is a much more benign
++ * failure mode.
++ * So the default now is the much safer option of assuming there is no
++ * hardware rfkill switch. This default also actually matches most hardware,
++ * since having a hw rfkill switch is quite rare on modern hardware, so this
++ * also leads to a much shorter list.
+  */
+-static const struct dmi_system_id no_hw_rfkill_list[] = {
+-	{
+-		.ident = "Lenovo RESCUER R720-15IKBN",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo R720-15IKBN"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo G40-30",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo G40-30"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo G50-30",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo G50-30"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo V310-14IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-14IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo V310-14ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-14ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo V310-15IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-15IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo V310-15ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-15ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo V510-15IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V510-15IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 300-15IBR",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 300-15IBR"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 300-15IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 300-15IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 300S-11IBR",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 300S-11BR"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 310-15ABR",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15ABR"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 310-15IAP",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15IAP"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 310-15IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad 310-15ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad Y700-14ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-14ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad Y700-15ACZ",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-15ACZ"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad Y700-15ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-15ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad Y700 Touch-15ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700 Touch-15ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad Y700-17ISK",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-17ISK"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo ideapad MIIX 720-12IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "MIIX 720-12IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Legion Y520-15IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y520-15IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Y520-15IKBM",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y520-15IKBM"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Legion Y530-15ICH",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Legion Y530-15ICH"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Legion Y720-15IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y720-15IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Legion Y720-15IKBN",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y720-15IKBN"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Y720-15IKBM",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y720-15IKBM"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 2 11 / 13 / Pro",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 2"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 2 11 / 13 / Pro",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_BOARD_NAME, "Yoga2"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 2 13",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Yoga 2 13"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 3 1170 / 1470",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 3"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 3 Pro 1370",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 3"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 700",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 700"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 900",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 900"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Yoga 900",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_BOARD_NAME, "VIUU4"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo YOGA 910-13IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 910-13IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo YOGA 920-13IKB",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 920-13IKB"),
+-		},
+-	},
+-	{
+-		.ident = "Lenovo Zhaoyang E42-80",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-			DMI_MATCH(DMI_PRODUCT_VERSION, "ZHAOYANG E42-80"),
+-		},
+-	},
++static const struct dmi_system_id hw_rfkill_list[] = {
+ 	{}
+ };
+ 
+@@ -1311,7 +1020,7 @@ static int ideapad_acpi_add(struct platform_device *pdev)
+ 	priv->cfg = cfg;
+ 	priv->adev = adev;
+ 	priv->platform_device = pdev;
+-	priv->has_hw_rfkill_switch = !dmi_check_system(no_hw_rfkill_list);
++	priv->has_hw_rfkill_switch = dmi_check_system(hw_rfkill_list);
+ 
+ 	ret = ideapad_sysfs_init(priv);
+ 	if (ret)
+-- 
+2.21.0
+
diff --git a/kernel.spec b/kernel.spec
index 98f1ebff8..1fca90695 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -647,12 +647,17 @@ Patch519: nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch
 Patch520: 0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1701096
+Patch521: 0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
+Patch522: 0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch
 # Submitted upstream at https://lkml.org/lkml/2019/4/23/89
-Patch521: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
+Patch523: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
 
 # CVE-2019-3900 rhbz 1698757 1702940
 Patch524: net-vhost_net-fix-possible-infinite-loop.patch
 
+# Fix wifi on various ideapad models not working (rhbz#1703338)
+Patch525: 0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1943,6 +1948,12 @@ fi
 #
 #
 %changelog
+* Tue Apr 30 2019 Hans de Goede <hdegoede@redhat.com>
+- Fix wifi on various ideapad models not working (rhbz#1703338)
+
+* Mon Apr 29 2019 Laura Abbott <labbott@redhat.com> - 5.0.10-100
+- Linux v5.0.10
+
 * Thu Apr 25 2019 Justin M. Forbes <jforbes@fedoraproject.org>
 - Fix CVE-2019-3900 (rhbz 1698757 1702940)