From 39cafd66089878f3d0d997260f1d0b1ede356e0d Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes" <jforbes@fedoraproject.org>
Date: Fri, 11 Dec 2020 11:14:46 -0600
Subject: kernel-5.10.0-0.rc7.20201211git33dc9614dc20.97

* Fri Dec 11 2020 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.10.0-0.rc7.20201211git33dc9614dc20.97]
- Remove cp instruction already handled in instruction below. ("Paulo E. Castro")
- Add all the dependencies gleaned from running `make prepare` on a bloated devel kernel. ("Paulo E. Castro")
- Add tools to path mangling script. ("Paulo E. Castro")
- Remove duplicate cp statement which is also not specific to x86. ("Paulo E. Castro")
- Correct orc_types failure whilst running `make prepare` https://bugzilla.redhat.com/show_bug.cgi?id=1882854 ("Paulo E. Castro")
- build_configs.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- genspec.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- ark-rebase-patches.sh: Fix for shellcheck (Ben Crocker)
- ark-create-release.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- merge-subtrees.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- rh-dist-git.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- update_scripts.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- x86_rngd.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- parallel_xz.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- expand_srpm.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- create-tarball.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- generate_bls_conf.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- clone_tree.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- new_release.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- download_cross.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- create_distgit_changelog.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- generate_cross_report.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- run_kabi-dw.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- mod-blacklist.sh: Fix syntax flagged by shellcheck (Ben Crocker)
- scripts/configdiff.sh: Fix syntax flagged by shellcheck (Ben Crocker)
Resolves: rhbz#

Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
---
 Makefile.rhelver                        |  2 +-
 kernel-aarch64-debug-fedora.config      | 30 +++++++++++++++++++---
 kernel-aarch64-debug-rhel.config        | 32 ++++++++++++++---------
 kernel-aarch64-fedora.config            | 30 +++++++++++++++++++---
 kernel-aarch64-rhel.config              | 32 ++++++++++++++---------
 kernel-armv7hl-debug-fedora.config      |  7 ++++-
 kernel-armv7hl-fedora.config            |  7 ++++-
 kernel-armv7hl-lpae-debug-fedora.config |  7 ++++-
 kernel-armv7hl-lpae-fedora.config       |  7 ++++-
 kernel-i686-debug-fedora.config         | 11 ++++++--
 kernel-i686-fedora.config               | 11 ++++++--
 kernel-ppc64le-debug-fedora.config      | 12 +++++++--
 kernel-ppc64le-debug-rhel.config        | 15 +++++++----
 kernel-ppc64le-fedora.config            | 12 +++++++--
 kernel-ppc64le-rhel.config              | 15 +++++++----
 kernel-s390x-debug-fedora.config        |  7 ++++-
 kernel-s390x-debug-rhel.config          | 29 +++++++++++++--------
 kernel-s390x-fedora.config              |  7 ++++-
 kernel-s390x-rhel.config                | 29 +++++++++++++--------
 kernel-s390x-zfcpdump-rhel.config       | 29 +++++++++++++--------
 kernel-x86_64-debug-fedora.config       | 12 ++++++---
 kernel-x86_64-debug-rhel.config         | 25 +++++++++++-------
 kernel-x86_64-fedora.config             | 12 ++++++---
 kernel-x86_64-rhel.config               | 25 +++++++++++-------
 kernel.spec                             | 45 ++++++++++++++++++++++++---------
 patch-5.10.0-redhat.patch               |  2 +-
 sources                                 |  6 ++---
 27 files changed, 328 insertions(+), 130 deletions(-)

diff --git a/Makefile.rhelver b/Makefile.rhelver
index a6b858d9a..e5179f2d3 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 99
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 95
+RHEL_RELEASE = 97
 
 #
 # Early y+1 numbering
diff --git a/kernel-aarch64-debug-fedora.config b/kernel-aarch64-debug-fedora.config
index 66a60609a..2eddd1dea 100644
--- a/kernel-aarch64-debug-fedora.config
+++ b/kernel-aarch64-debug-fedora.config
@@ -1143,7 +1143,17 @@ CONFIG_CONTEXT_SWITCH_TRACER=y
 # CONFIG_CONTEXT_TRACKING_FORCE is not set
 CONFIG_CORDIC=m
 CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
-# CONFIG_CORESIGHT is not set
+CONFIG_CORESIGHT_CATU=m
+CONFIG_CORESIGHT_CPU_DEBUG=m
+# CONFIG_CORESIGHT_CTI_INTEGRATION_REGS is not set
+CONFIG_CORESIGHT_CTI=m
+CONFIG_CORESIGHT_LINK_AND_SINK_TMC=m
+CONFIG_CORESIGHT_LINKS_AND_SINKS=m
+CONFIG_CORESIGHT=m
+CONFIG_CORESIGHT_SINK_ETBV10=m
+CONFIG_CORESIGHT_SINK_TPIU=m
+CONFIG_CORESIGHT_SOURCE_ETM4X=m
+CONFIG_CORESIGHT_STM=m
 CONFIG_CORTINA_PHY=m
 # CONFIG_COUNTER is not set
 CONFIG_CP15_BARRIER_EMULATION=y
@@ -1968,7 +1978,10 @@ CONFIG_ETHERNET=y
 CONFIG_ETHOC=m
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2722,6 +2735,7 @@ CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -3216,6 +3230,7 @@ CONFIG_KALLSYMS_ALL=y
 CONFIG_KALLSYMS=y
 CONFIG_KARMA_PARTITION=y
 # CONFIG_KASAN is not set
+# CONFIG_KASAN_SW_TAGS is not set
 CONFIG_KASAN_VMALLOC=y
 # CONFIG_KCOV is not set
 CONFIG_KDB_CONTINUE_CATASTROPHIC=0
@@ -4517,6 +4532,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
@@ -4958,7 +4974,7 @@ CONFIG_PHY_TEGRA_XUSB=m
 CONFIG_PHY_XGENE=y
 CONFIG_PHY_XILINX_ZYNQMP=m
 # CONFIG_PI433 is not set
-# CONFIG_PID_IN_CONTEXTIDR is not set
+CONFIG_PID_IN_CONTEXTIDR=y
 CONFIG_PID_NS=y
 CONFIG_PINCONF=y
 CONFIG_PINCTRL_AMD=y
@@ -6837,7 +6853,8 @@ CONFIG_STK3310=m
 # CONFIG_STK8312 is not set
 # CONFIG_STK8BA50 is not set
 # CONFIG_STM32_FMC2_EBI is not set
-# CONFIG_STM is not set
+# CONFIG_STM_DUMMY is not set
+CONFIG_STM=m
 CONFIG_STMMAC_ETH=m
 # CONFIG_STMMAC_PCI is not set
 CONFIG_STMMAC_PLATFORM=m
@@ -6845,6 +6862,11 @@ CONFIG_STMMAC_PLATFORM=m
 CONFIG_STMPE_ADC=m
 CONFIG_STMPE_I2C=y
 CONFIG_STMPE_SPI=y
+# CONFIG_STM_PROTO_BASIC is not set
+# CONFIG_STM_PROTO_SYS_T is not set
+# CONFIG_STM_SOURCE_CONSOLE is not set
+# CONFIG_STM_SOURCE_FTRACE is not set
+# CONFIG_STM_SOURCE_HEARTBEAT is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_STRICT_KERNEL_RWX=y
 # CONFIG_STRING_SELFTEST is not set
diff --git a/kernel-aarch64-debug-rhel.config b/kernel-aarch64-debug-rhel.config
index 459ba71c0..7b8143b27 100644
--- a/kernel-aarch64-debug-rhel.config
+++ b/kernel-aarch64-debug-rhel.config
@@ -1502,7 +1502,7 @@ CONFIG_ENABLE_MUST_CHECK=y
 # CONFIG_ENABLE_WARN_DEPRECATED is not set
 CONFIG_ENA_ETHERNET=m
 CONFIG_ENCLOSURE_SERVICES=m
-CONFIG_ENCRYPTED_KEYS=m
+CONFIG_ENCRYPTED_KEYS=y
 CONFIG_ENERGY_MODEL=y
 CONFIG_ENIC=m
 CONFIG_EPIC100=m
@@ -1515,7 +1515,10 @@ CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
 CONFIG_EVENT_TRACING=y
 # CONFIG_EVM_ADD_XATTRS is not set
-# CONFIG_EVM is not set
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
+CONFIG_EVM=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_EXPERT is not set
 CONFIG_EXPORTFS_BLOCK_OPS=y
@@ -2141,25 +2144,28 @@ CONFIG_IIO_CONSUMERS_PER_TRIGGER=2
 # CONFIG_IIO_TRIGGERED_EVENT is not set
 # CONFIG_IKCONFIG is not set
 # CONFIG_IKHEADERS is not set
-# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
-# CONFIG_IMA_APPRAISE is not set
-# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_APPRAISE_MODSIG=y
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 # CONFIG_IMA_KEXEC is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_READ_POLICY is not set
-# CONFIG_IMA_SIG_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SIG_TEMPLATE=y
 # CONFIG_IMA_TEMPLATE is not set
 CONFIG_IMA_TRUSTED_KEYRING=y
 # CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 # CONFIG_IMX_SC_WDT is not set
@@ -2277,9 +2283,9 @@ CONFIG_INPUT=y
 CONFIG_INPUT_YEALINK=m
 # CONFIG_INT3406_THERMAL is not set
 CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_INTEGRITY is not set
 # CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 # CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY=y
 # CONFIG_INTEL_ATOMISP2_PM is not set
 # CONFIG_INTEL_IDMA64 is not set
 CONFIG_INTEL_IDXD=m
@@ -2567,6 +2573,7 @@ CONFIG_KALLSYMS=y
 CONFIG_KASAN_GENERIC=y
 CONFIG_KASAN_INLINE=y
 # CONFIG_KASAN_OUTLINE is not set
+# CONFIG_KASAN_SW_TAGS is not set
 CONFIG_KASAN_VMALLOC=y
 CONFIG_KASAN=y
 # CONFIG_KCOV is not set
@@ -3630,6 +3637,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-aarch64-fedora.config b/kernel-aarch64-fedora.config
index 58ddc8cb3..be9ca63de 100644
--- a/kernel-aarch64-fedora.config
+++ b/kernel-aarch64-fedora.config
@@ -1143,7 +1143,17 @@ CONFIG_CONTEXT_SWITCH_TRACER=y
 # CONFIG_CONTEXT_TRACKING_FORCE is not set
 CONFIG_CORDIC=m
 CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
-# CONFIG_CORESIGHT is not set
+CONFIG_CORESIGHT_CATU=m
+CONFIG_CORESIGHT_CPU_DEBUG=m
+# CONFIG_CORESIGHT_CTI_INTEGRATION_REGS is not set
+CONFIG_CORESIGHT_CTI=m
+CONFIG_CORESIGHT_LINK_AND_SINK_TMC=m
+CONFIG_CORESIGHT_LINKS_AND_SINKS=m
+CONFIG_CORESIGHT=m
+CONFIG_CORESIGHT_SINK_ETBV10=m
+CONFIG_CORESIGHT_SINK_TPIU=m
+CONFIG_CORESIGHT_SOURCE_ETM4X=m
+CONFIG_CORESIGHT_STM=m
 CONFIG_CORTINA_PHY=m
 # CONFIG_COUNTER is not set
 CONFIG_CP15_BARRIER_EMULATION=y
@@ -1960,7 +1970,10 @@ CONFIG_ETHERNET=y
 CONFIG_ETHOC=m
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2706,6 +2719,7 @@ CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -3200,6 +3214,7 @@ CONFIG_KALLSYMS_ALL=y
 CONFIG_KALLSYMS=y
 CONFIG_KARMA_PARTITION=y
 # CONFIG_KASAN is not set
+# CONFIG_KASAN_SW_TAGS is not set
 # CONFIG_KASAN_VMALLOC is not set
 # CONFIG_KCOV is not set
 CONFIG_KDB_CONTINUE_CATASTROPHIC=0
@@ -4498,6 +4513,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
@@ -4939,7 +4955,7 @@ CONFIG_PHY_TEGRA_XUSB=m
 CONFIG_PHY_XGENE=y
 CONFIG_PHY_XILINX_ZYNQMP=m
 # CONFIG_PI433 is not set
-# CONFIG_PID_IN_CONTEXTIDR is not set
+CONFIG_PID_IN_CONTEXTIDR=y
 CONFIG_PID_NS=y
 CONFIG_PINCONF=y
 CONFIG_PINCTRL_AMD=y
@@ -6816,7 +6832,8 @@ CONFIG_STK3310=m
 # CONFIG_STK8312 is not set
 # CONFIG_STK8BA50 is not set
 # CONFIG_STM32_FMC2_EBI is not set
-# CONFIG_STM is not set
+# CONFIG_STM_DUMMY is not set
+CONFIG_STM=m
 CONFIG_STMMAC_ETH=m
 # CONFIG_STMMAC_PCI is not set
 CONFIG_STMMAC_PLATFORM=m
@@ -6824,6 +6841,11 @@ CONFIG_STMMAC_PLATFORM=m
 CONFIG_STMPE_ADC=m
 CONFIG_STMPE_I2C=y
 CONFIG_STMPE_SPI=y
+# CONFIG_STM_PROTO_BASIC is not set
+# CONFIG_STM_PROTO_SYS_T is not set
+# CONFIG_STM_SOURCE_CONSOLE is not set
+# CONFIG_STM_SOURCE_FTRACE is not set
+# CONFIG_STM_SOURCE_HEARTBEAT is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_STRICT_KERNEL_RWX=y
 # CONFIG_STRING_SELFTEST is not set
diff --git a/kernel-aarch64-rhel.config b/kernel-aarch64-rhel.config
index 213910612..c8effcd96 100644
--- a/kernel-aarch64-rhel.config
+++ b/kernel-aarch64-rhel.config
@@ -1494,7 +1494,7 @@ CONFIG_ENABLE_MUST_CHECK=y
 # CONFIG_ENABLE_WARN_DEPRECATED is not set
 CONFIG_ENA_ETHERNET=m
 CONFIG_ENCLOSURE_SERVICES=m
-CONFIG_ENCRYPTED_KEYS=m
+CONFIG_ENCRYPTED_KEYS=y
 CONFIG_ENERGY_MODEL=y
 CONFIG_ENIC=m
 CONFIG_EPIC100=m
@@ -1507,7 +1507,10 @@ CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
 CONFIG_EVENT_TRACING=y
 # CONFIG_EVM_ADD_XATTRS is not set
-# CONFIG_EVM is not set
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
+CONFIG_EVM=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_EXPERT is not set
 CONFIG_EXPORTFS_BLOCK_OPS=y
@@ -2125,25 +2128,28 @@ CONFIG_IIO_CONSUMERS_PER_TRIGGER=2
 # CONFIG_IIO_TRIGGERED_EVENT is not set
 # CONFIG_IKCONFIG is not set
 # CONFIG_IKHEADERS is not set
-# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
-# CONFIG_IMA_APPRAISE is not set
-# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_APPRAISE_MODSIG=y
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 # CONFIG_IMA_KEXEC is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_READ_POLICY is not set
-# CONFIG_IMA_SIG_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SIG_TEMPLATE=y
 # CONFIG_IMA_TEMPLATE is not set
 CONFIG_IMA_TRUSTED_KEYRING=y
 # CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 # CONFIG_IMX_SC_WDT is not set
@@ -2261,9 +2267,9 @@ CONFIG_INPUT=y
 CONFIG_INPUT_YEALINK=m
 # CONFIG_INT3406_THERMAL is not set
 CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_INTEGRITY is not set
 # CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 # CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY=y
 # CONFIG_INTEL_ATOMISP2_PM is not set
 # CONFIG_INTEL_IDMA64 is not set
 CONFIG_INTEL_IDXD=m
@@ -2551,6 +2557,7 @@ CONFIG_KALLSYMS=y
 # CONFIG_KASAN_GENERIC is not set
 # CONFIG_KASAN is not set
 # CONFIG_KASAN_OUTLINE is not set
+# CONFIG_KASAN_SW_TAGS is not set
 # CONFIG_KASAN_VMALLOC is not set
 # CONFIG_KCOV is not set
 CONFIG_KDB_CONTINUE_CATASTROPHIC=0
@@ -3613,6 +3620,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-armv7hl-debug-fedora.config b/kernel-armv7hl-debug-fedora.config
index d6e8511d6..89f4f2a59 100644
--- a/kernel-armv7hl-debug-fedora.config
+++ b/kernel-armv7hl-debug-fedora.config
@@ -2002,7 +2002,10 @@ CONFIG_ETHERNET=y
 CONFIG_ETHOC=m
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2749,6 +2752,7 @@ CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -4593,6 +4597,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-armv7hl-fedora.config b/kernel-armv7hl-fedora.config
index fe5ff8d17..1c8445ecc 100644
--- a/kernel-armv7hl-fedora.config
+++ b/kernel-armv7hl-fedora.config
@@ -1995,7 +1995,10 @@ CONFIG_ETHERNET=y
 CONFIG_ETHOC=m
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2734,6 +2737,7 @@ CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -4575,6 +4579,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-armv7hl-lpae-debug-fedora.config b/kernel-armv7hl-lpae-debug-fedora.config
index 21a669f59..6cca56afc 100644
--- a/kernel-armv7hl-lpae-debug-fedora.config
+++ b/kernel-armv7hl-lpae-debug-fedora.config
@@ -1954,7 +1954,10 @@ CONFIG_ETHERNET=y
 CONFIG_ETHOC=m
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2692,6 +2695,7 @@ CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -4492,6 +4496,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-armv7hl-lpae-fedora.config b/kernel-armv7hl-lpae-fedora.config
index a51a51a72..9aa58d5fa 100644
--- a/kernel-armv7hl-lpae-fedora.config
+++ b/kernel-armv7hl-lpae-fedora.config
@@ -1947,7 +1947,10 @@ CONFIG_ETHERNET=y
 CONFIG_ETHOC=m
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2677,6 +2680,7 @@ CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -4474,6 +4478,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-i686-debug-fedora.config b/kernel-i686-debug-fedora.config
index 1c85d7020..145371924 100644
--- a/kernel-i686-debug-fedora.config
+++ b/kernel-i686-debug-fedora.config
@@ -1678,7 +1678,10 @@ CONFIG_ETHERNET=y
 CONFIG_ETHOC=m
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2410,9 +2413,10 @@ CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
 CONFIG_IMA_APPRAISE_MODSIG=y
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -2422,6 +2426,7 @@ CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_NG_TEMPLATE=y
 CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
 # CONFIG_IMA_SIG_TEMPLATE is not set
 # CONFIG_IMA_TEMPLATE is not set
 # CONFIG_IMA_TRUSTED_KEYRING is not set
@@ -2922,6 +2927,7 @@ CONFIG_KARMA_PARTITION=y
 # CONFIG_KASAN is not set
 CONFIG_KASAN_VMALLOC=y
 # CONFIG_KCOV is not set
+# CONFIG_KCSAN is not set
 CONFIG_KDB_CONTINUE_CATASTROPHIC=0
 CONFIG_KDB_DEFAULT_ENABLE=0x0
 CONFIG_KDB_KEYBOARD=y
@@ -4158,6 +4164,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-i686-fedora.config b/kernel-i686-fedora.config
index 6e6ddbef2..851e5ae9e 100644
--- a/kernel-i686-fedora.config
+++ b/kernel-i686-fedora.config
@@ -1669,7 +1669,10 @@ CONFIG_ETHERNET=y
 CONFIG_ETHOC=m
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2393,9 +2396,10 @@ CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
 CONFIG_IMA_APPRAISE_MODSIG=y
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -2405,6 +2409,7 @@ CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_NG_TEMPLATE=y
 CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
 # CONFIG_IMA_SIG_TEMPLATE is not set
 # CONFIG_IMA_TEMPLATE is not set
 # CONFIG_IMA_TRUSTED_KEYRING is not set
@@ -2905,6 +2910,7 @@ CONFIG_KARMA_PARTITION=y
 # CONFIG_KASAN is not set
 # CONFIG_KASAN_VMALLOC is not set
 # CONFIG_KCOV is not set
+# CONFIG_KCSAN is not set
 CONFIG_KDB_CONTINUE_CATASTROPHIC=0
 # CONFIG_KERNEL_BZIP2 is not set
 CONFIG_KERNEL_GZIP=y
@@ -4139,6 +4145,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-ppc64le-debug-fedora.config b/kernel-ppc64le-debug-fedora.config
index fc98f141d..f03e2cf2f 100644
--- a/kernel-ppc64le-debug-fedora.config
+++ b/kernel-ppc64le-debug-fedora.config
@@ -1534,7 +1534,10 @@ CONFIG_ETHERNET=y
 CONFIG_ETHOC=m
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2211,9 +2214,10 @@ CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
 CONFIG_IMA_APPRAISE_MODSIG=y
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -2223,6 +2227,7 @@ CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_NG_TEMPLATE=y
 CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
 # CONFIG_IMA_SIG_TEMPLATE is not set
 # CONFIG_IMA_TEMPLATE is not set
 # CONFIG_IMA_TRUSTED_KEYRING is not set
@@ -3856,6 +3861,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
@@ -4327,6 +4333,8 @@ CONFIG_PPC_PSERIES=y
 CONFIG_PPC_RADIX_MMU_DEFAULT=y
 CONFIG_PPC_RADIX_MMU=y
 CONFIG_PPC_RTAS_FILTER=y
+CONFIG_PPC_SECURE_BOOT=y
+CONFIG_PPC_SECVAR_SYSFS=y
 CONFIG_PPC_SMLPAR=y
 CONFIG_PPC_SPLPAR=y
 CONFIG_PPC_SUBPAGE_PROT=y
diff --git a/kernel-ppc64le-debug-rhel.config b/kernel-ppc64le-debug-rhel.config
index b1f4b0eb9..f537e3e60 100644
--- a/kernel-ppc64le-debug-rhel.config
+++ b/kernel-ppc64le-debug-rhel.config
@@ -1383,7 +1383,7 @@ CONFIG_ETHTOOL_NETLINK=y
 CONFIG_EVENT_TRACING=y
 # CONFIG_EVM_ADD_XATTRS is not set
 CONFIG_EVM_ATTR_FSUUID=y
-# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM_LOAD_X509=y
 CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
 CONFIG_EVM=y
 # CONFIG_EXFAT_FS is not set
@@ -2008,21 +2008,23 @@ CONFIG_IIO_CONSUMERS_PER_TRIGGER=2
 # CONFIG_IKHEADERS is not set
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
-# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_APPRAISE_MODSIG=y
 # CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 # CONFIG_IMA_KEXEC is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
 # CONFIG_IMA_NG_TEMPLATE is not set
-# CONFIG_IMA_READ_POLICY is not set
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
 CONFIG_IMA_SIG_TEMPLATE=y
 # CONFIG_IMA_TEMPLATE is not set
 CONFIG_IMA_TRUSTED_KEYRING=y
@@ -3491,6 +3493,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
@@ -3933,6 +3936,8 @@ CONFIG_PPC_PSERIES=y
 CONFIG_PPC_RADIX_MMU_DEFAULT=y
 CONFIG_PPC_RADIX_MMU=y
 CONFIG_PPC_RTAS_FILTER=y
+CONFIG_PPC_SECURE_BOOT=y
+CONFIG_PPC_SECVAR_SYSFS=y
 CONFIG_PPC_SMLPAR=y
 CONFIG_PPC_SPLPAR=y
 CONFIG_PPC_SUBPAGE_PROT=y
diff --git a/kernel-ppc64le-fedora.config b/kernel-ppc64le-fedora.config
index 6dd56b961..9ce29ae12 100644
--- a/kernel-ppc64le-fedora.config
+++ b/kernel-ppc64le-fedora.config
@@ -1525,7 +1525,10 @@ CONFIG_ETHERNET=y
 CONFIG_ETHOC=m
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2194,9 +2197,10 @@ CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
 CONFIG_IMA_APPRAISE_MODSIG=y
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -2206,6 +2210,7 @@ CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_NG_TEMPLATE=y
 CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
 # CONFIG_IMA_SIG_TEMPLATE is not set
 # CONFIG_IMA_TEMPLATE is not set
 # CONFIG_IMA_TRUSTED_KEYRING is not set
@@ -3836,6 +3841,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
@@ -4307,6 +4313,8 @@ CONFIG_PPC_PSERIES=y
 CONFIG_PPC_RADIX_MMU_DEFAULT=y
 CONFIG_PPC_RADIX_MMU=y
 CONFIG_PPC_RTAS_FILTER=y
+CONFIG_PPC_SECURE_BOOT=y
+CONFIG_PPC_SECVAR_SYSFS=y
 CONFIG_PPC_SMLPAR=y
 CONFIG_PPC_SPLPAR=y
 CONFIG_PPC_SUBPAGE_PROT=y
diff --git a/kernel-ppc64le-rhel.config b/kernel-ppc64le-rhel.config
index 30779f41c..1ec753c56 100644
--- a/kernel-ppc64le-rhel.config
+++ b/kernel-ppc64le-rhel.config
@@ -1375,7 +1375,7 @@ CONFIG_ETHTOOL_NETLINK=y
 CONFIG_EVENT_TRACING=y
 # CONFIG_EVM_ADD_XATTRS is not set
 CONFIG_EVM_ATTR_FSUUID=y
-# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM_LOAD_X509=y
 CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
 CONFIG_EVM=y
 # CONFIG_EXFAT_FS is not set
@@ -1992,21 +1992,23 @@ CONFIG_IIO_CONSUMERS_PER_TRIGGER=2
 # CONFIG_IKHEADERS is not set
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
-# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_APPRAISE_MODSIG=y
 # CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 # CONFIG_IMA_KEXEC is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
 # CONFIG_IMA_NG_TEMPLATE is not set
-# CONFIG_IMA_READ_POLICY is not set
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
 CONFIG_IMA_SIG_TEMPLATE=y
 # CONFIG_IMA_TEMPLATE is not set
 CONFIG_IMA_TRUSTED_KEYRING=y
@@ -3475,6 +3477,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
@@ -3917,6 +3920,8 @@ CONFIG_PPC_PSERIES=y
 CONFIG_PPC_RADIX_MMU_DEFAULT=y
 CONFIG_PPC_RADIX_MMU=y
 CONFIG_PPC_RTAS_FILTER=y
+CONFIG_PPC_SECURE_BOOT=y
+CONFIG_PPC_SECVAR_SYSFS=y
 CONFIG_PPC_SMLPAR=y
 CONFIG_PPC_SPLPAR=y
 CONFIG_PPC_SUBPAGE_PROT=y
diff --git a/kernel-s390x-debug-fedora.config b/kernel-s390x-debug-fedora.config
index ed6503f70..df59198a4 100644
--- a/kernel-s390x-debug-fedora.config
+++ b/kernel-s390x-debug-fedora.config
@@ -1541,7 +1541,10 @@ CONFIG_ETHERNET=y
 # CONFIG_ETHOC is not set
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2193,6 +2196,7 @@ CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -3827,6 +3831,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-s390x-debug-rhel.config b/kernel-s390x-debug-rhel.config
index bc255f141..98ce22e74 100644
--- a/kernel-s390x-debug-rhel.config
+++ b/kernel-s390x-debug-rhel.config
@@ -1374,7 +1374,7 @@ CONFIG_ENABLE_MUST_CHECK=y
 # CONFIG_ENABLE_WARN_DEPRECATED is not set
 # CONFIG_ENA_ETHERNET is not set
 CONFIG_ENCLOSURE_SERVICES=m
-CONFIG_ENCRYPTED_KEYS=m
+CONFIG_ENCRYPTED_KEYS=y
 CONFIG_ENERGY_MODEL=y
 CONFIG_ENIC=m
 CONFIG_EPIC100=m
@@ -1387,7 +1387,10 @@ CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
 CONFIG_EVENT_TRACING=y
 # CONFIG_EVM_ADD_XATTRS is not set
-# CONFIG_EVM is not set
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
+CONFIG_EVM=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_EXPERT is not set
 CONFIG_EXPOLINE_AUTO=y
@@ -1985,25 +1988,28 @@ CONFIG_IIO_CONSUMERS_PER_TRIGGER=2
 # CONFIG_IIO_TRIGGERED_EVENT is not set
 # CONFIG_IKCONFIG is not set
 # CONFIG_IKHEADERS is not set
-# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
-# CONFIG_IMA_APPRAISE is not set
-# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_APPRAISE_MODSIG=y
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 # CONFIG_IMA_KEXEC is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_READ_POLICY is not set
-# CONFIG_IMA_SIG_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SIG_TEMPLATE=y
 # CONFIG_IMA_TEMPLATE is not set
 CONFIG_IMA_TRUSTED_KEYRING=y
 # CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 # CONFIG_IMX_SC_WDT is not set
@@ -3462,6 +3468,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-s390x-fedora.config b/kernel-s390x-fedora.config
index 1e45957c9..eb3a26784 100644
--- a/kernel-s390x-fedora.config
+++ b/kernel-s390x-fedora.config
@@ -1532,7 +1532,10 @@ CONFIG_ETHERNET=y
 # CONFIG_ETHOC is not set
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2176,6 +2179,7 @@ CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -3807,6 +3811,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-s390x-rhel.config b/kernel-s390x-rhel.config
index 943f22eac..8db3fab5e 100644
--- a/kernel-s390x-rhel.config
+++ b/kernel-s390x-rhel.config
@@ -1366,7 +1366,7 @@ CONFIG_ENABLE_MUST_CHECK=y
 # CONFIG_ENABLE_WARN_DEPRECATED is not set
 # CONFIG_ENA_ETHERNET is not set
 CONFIG_ENCLOSURE_SERVICES=m
-CONFIG_ENCRYPTED_KEYS=m
+CONFIG_ENCRYPTED_KEYS=y
 CONFIG_ENERGY_MODEL=y
 CONFIG_ENIC=m
 CONFIG_EPIC100=m
@@ -1379,7 +1379,10 @@ CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
 CONFIG_EVENT_TRACING=y
 # CONFIG_EVM_ADD_XATTRS is not set
-# CONFIG_EVM is not set
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
+CONFIG_EVM=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_EXPERT is not set
 CONFIG_EXPOLINE_AUTO=y
@@ -1969,25 +1972,28 @@ CONFIG_IIO_CONSUMERS_PER_TRIGGER=2
 # CONFIG_IIO_TRIGGERED_EVENT is not set
 # CONFIG_IKCONFIG is not set
 # CONFIG_IKHEADERS is not set
-# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
-# CONFIG_IMA_APPRAISE is not set
-# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_APPRAISE_MODSIG=y
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 # CONFIG_IMA_KEXEC is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_READ_POLICY is not set
-# CONFIG_IMA_SIG_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SIG_TEMPLATE=y
 # CONFIG_IMA_TEMPLATE is not set
 CONFIG_IMA_TRUSTED_KEYRING=y
 # CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 # CONFIG_IMX_SC_WDT is not set
@@ -3446,6 +3452,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-s390x-zfcpdump-rhel.config b/kernel-s390x-zfcpdump-rhel.config
index b0fd378fa..c155387f8 100644
--- a/kernel-s390x-zfcpdump-rhel.config
+++ b/kernel-s390x-zfcpdump-rhel.config
@@ -1377,7 +1377,7 @@ CONFIG_ENABLE_MUST_CHECK=y
 # CONFIG_ENABLE_WARN_DEPRECATED is not set
 # CONFIG_ENA_ETHERNET is not set
 CONFIG_ENCLOSURE_SERVICES=y
-CONFIG_ENCRYPTED_KEYS=m
+CONFIG_ENCRYPTED_KEYS=y
 CONFIG_ENERGY_MODEL=y
 CONFIG_ENIC=m
 CONFIG_EPIC100=m
@@ -1390,7 +1390,10 @@ CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
 CONFIG_EVENT_TRACING=y
 # CONFIG_EVM_ADD_XATTRS is not set
-# CONFIG_EVM is not set
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
+CONFIG_EVM=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_EXPERT is not set
 CONFIG_EXPOLINE_AUTO=y
@@ -1984,25 +1987,28 @@ CONFIG_IIO_CONSUMERS_PER_TRIGGER=2
 # CONFIG_IIO_TRIGGERED_EVENT is not set
 # CONFIG_IKCONFIG is not set
 # CONFIG_IKHEADERS is not set
-# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
-# CONFIG_IMA_APPRAISE is not set
-# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_APPRAISE_MODSIG=y
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 # CONFIG_IMA_KEXEC is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_READ_POLICY is not set
-# CONFIG_IMA_SIG_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SIG_TEMPLATE=y
 # CONFIG_IMA_TEMPLATE is not set
 CONFIG_IMA_TRUSTED_KEYRING=y
 # CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 # CONFIG_IMX_SC_WDT is not set
@@ -3469,6 +3475,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-x86_64-debug-fedora.config b/kernel-x86_64-debug-fedora.config
index faa9b8f67..32299ddfc 100644
--- a/kernel-x86_64-debug-fedora.config
+++ b/kernel-x86_64-debug-fedora.config
@@ -1715,7 +1715,10 @@ CONFIG_ETHERNET=y
 CONFIG_ETHOC=m
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2448,9 +2451,10 @@ CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
 CONFIG_IMA_APPRAISE_MODSIG=y
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -2460,6 +2464,7 @@ CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_NG_TEMPLATE=y
 CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
 # CONFIG_IMA_SIG_TEMPLATE is not set
 # CONFIG_IMA_TEMPLATE is not set
 # CONFIG_IMA_TRUSTED_KEYRING is not set
@@ -2972,6 +2977,7 @@ CONFIG_KARMA_PARTITION=y
 # CONFIG_KASAN is not set
 CONFIG_KASAN_VMALLOC=y
 # CONFIG_KCOV is not set
+# CONFIG_KCSAN is not set
 CONFIG_KDB_CONTINUE_CATASTROPHIC=0
 CONFIG_KDB_DEFAULT_ENABLE=0x0
 CONFIG_KDB_KEYBOARD=y
@@ -3048,7 +3054,6 @@ CONFIG_KS0108_PORT=0x378
 # CONFIG_KS8842 is not set
 # CONFIG_KS8851 is not set
 # CONFIG_KS8851_MLL is not set
-# CONFIG_KCSAN is not set
 CONFIG_KSM=y
 CONFIG_KSZ884X_PCI=m
 # CONFIG_KUNIT is not set
@@ -4199,6 +4204,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-x86_64-debug-rhel.config b/kernel-x86_64-debug-rhel.config
index 1ec3ea3d1..34311e715 100644
--- a/kernel-x86_64-debug-rhel.config
+++ b/kernel-x86_64-debug-rhel.config
@@ -1492,7 +1492,8 @@ CONFIG_ETHTOOL_NETLINK=y
 CONFIG_EVENT_TRACING=y
 # CONFIG_EVM_ADD_XATTRS is not set
 CONFIG_EVM_ATTR_FSUUID=y
-# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
 CONFIG_EVM=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_EXPERT is not set
@@ -2145,24 +2146,28 @@ CONFIG_IIO=m
 # CONFIG_IKHEADERS is not set
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
-# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_APPRAISE_MODSIG=y
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 # CONFIG_IMA_KEXEC is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_READ_POLICY is not set
-# CONFIG_IMA_SIG_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
+CONFIG_IMA_SIG_TEMPLATE=y
 # CONFIG_IMA_TEMPLATE is not set
 CONFIG_IMA_TRUSTED_KEYRING=y
 # CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 # CONFIG_IMX_SC_WDT is not set
@@ -2607,6 +2612,7 @@ CONFIG_KASAN_INLINE=y
 CONFIG_KASAN_VMALLOC=y
 CONFIG_KASAN=y
 # CONFIG_KCOV is not set
+# CONFIG_KCSAN is not set
 CONFIG_KDB_CONTINUE_CATASTROPHIC=0
 CONFIG_KDB_DEFAULT_ENABLE=0x0
 CONFIG_KDB_KEYBOARD=y
@@ -3667,6 +3673,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-x86_64-fedora.config b/kernel-x86_64-fedora.config
index 66d486651..904a9f0a9 100644
--- a/kernel-x86_64-fedora.config
+++ b/kernel-x86_64-fedora.config
@@ -1706,7 +1706,10 @@ CONFIG_ETHERNET=y
 CONFIG_ETHOC=m
 CONFIG_ETHTOOL_NETLINK=y
 # CONFIG_EUROTECH_WDT is not set
-# CONFIG_EVM is not set
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_ATTR_FSUUID=y
+# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM=y
 CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 CONFIG_EXFAT_FS=m
 # CONFIG_EXPERT is not set
@@ -2431,9 +2434,10 @@ CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
 CONFIG_IMA_APPRAISE_MODSIG=y
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_KEXEC=y
@@ -2443,6 +2447,7 @@ CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_NG_TEMPLATE=y
 CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
 # CONFIG_IMA_SIG_TEMPLATE is not set
 # CONFIG_IMA_TEMPLATE is not set
 # CONFIG_IMA_TRUSTED_KEYRING is not set
@@ -2955,6 +2960,7 @@ CONFIG_KARMA_PARTITION=y
 # CONFIG_KASAN is not set
 # CONFIG_KASAN_VMALLOC is not set
 # CONFIG_KCOV is not set
+# CONFIG_KCSAN is not set
 CONFIG_KDB_CONTINUE_CATASTROPHIC=0
 # CONFIG_KERNEL_BZIP2 is not set
 # CONFIG_KERNEL_GZIP is not set
@@ -3029,7 +3035,6 @@ CONFIG_KS0108_PORT=0x378
 # CONFIG_KS8842 is not set
 # CONFIG_KS8851 is not set
 # CONFIG_KS8851_MLL is not set
-# CONFIG_KCSAN is not set
 CONFIG_KSM=y
 CONFIG_KSZ884X_PCI=m
 # CONFIG_KUNIT is not set
@@ -4180,6 +4185,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel-x86_64-rhel.config b/kernel-x86_64-rhel.config
index 31e2b4d88..90d473456 100644
--- a/kernel-x86_64-rhel.config
+++ b/kernel-x86_64-rhel.config
@@ -1484,7 +1484,8 @@ CONFIG_ETHTOOL_NETLINK=y
 CONFIG_EVENT_TRACING=y
 # CONFIG_EVM_ADD_XATTRS is not set
 CONFIG_EVM_ATTR_FSUUID=y
-# CONFIG_EVM_LOAD_X509 is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
 CONFIG_EVM=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_EXPERT is not set
@@ -2129,24 +2130,28 @@ CONFIG_IIO=m
 # CONFIG_IKHEADERS is not set
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
-# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_APPRAISE_MODSIG=y
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 # CONFIG_IMA_KEXEC is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_READ_POLICY is not set
-# CONFIG_IMA_SIG_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
+CONFIG_IMA_SIG_TEMPLATE=y
 # CONFIG_IMA_TEMPLATE is not set
 CONFIG_IMA_TRUSTED_KEYRING=y
 # CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 # CONFIG_IMX_SC_WDT is not set
@@ -2590,6 +2595,7 @@ CONFIG_KARMA_PARTITION=y
 # CONFIG_KASAN_OUTLINE is not set
 # CONFIG_KASAN_VMALLOC is not set
 # CONFIG_KCOV is not set
+# CONFIG_KCSAN is not set
 CONFIG_KDB_CONTINUE_CATASTROPHIC=0
 CONFIG_KDB_DEFAULT_ENABLE=0x0
 CONFIG_KDB_KEYBOARD=y
@@ -3650,6 +3656,7 @@ CONFIG_NFS_V3=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
 CONFIG_NFS_V4_1=y
+# CONFIG_NFS_V4_2_READ_PLUS is not set
 CONFIG_NFS_V4_2=y
 CONFIG_NFS_V4=m
 CONFIG_NF_TABLES_ARP=y
diff --git a/kernel.spec b/kernel.spec
index 6ea2fd48d..1b69f8639 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -56,7 +56,7 @@ Summary: The Linux kernel
 # For a stable, released kernel, released_kernel should be 1.
 %global released_kernel 0
 
-%global distro_build 0.rc7.20201209gita68a0262abda.95
+%global distro_build 0.rc7.20201211git33dc9614dc20.97
 
 %if 0%{?fedora}
 %define secure_boot_arch x86_64
@@ -97,13 +97,13 @@ Summary: The Linux kernel
 %endif
 
 %define rpmversion 5.10.0
-%define pkgrelease 0.rc7.20201209gita68a0262abda.95
+%define pkgrelease 0.rc7.20201211git33dc9614dc20.97
 
 # This is needed to do merge window version magic
 %define patchlevel 10
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 0.rc7.20201209gita68a0262abda.95%{?buildid}%{?dist}
+%define specrelease 0.rc7.20201211git33dc9614dc20.97%{?buildid}%{?dist}
 
 %define pkg_release %{specrelease}
 
@@ -590,7 +590,7 @@ BuildRequires: asciidoc
 # exact git commit you can run
 #
 # xzcat -qq ${TARBALL} | git get-tar-commit-id
-Source0: linux-20201209gita68a0262abda.tar.xz
+Source0: linux-20201211git33dc9614dc20.tar.xz
 
 Source1: Makefile.rhelver
 
@@ -1235,8 +1235,8 @@ ApplyOptionalPatch()
   fi
 }
 
-%setup -q -n kernel-20201209gita68a0262abda -c
-mv linux-20201209gita68a0262abda linux-%{KVERREL}
+%setup -q -n kernel-20201211git33dc9614dc20 -c
+mv linux-20201211git33dc9614dc20 linux-%{KVERREL}
 
 cd linux-%{KVERREL}
 cp -a %{SOURCE1} .
@@ -2725,8 +2725,7 @@ fi
 #
 #
 %changelog
-* Wed Dec 09 2020 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.10.0-0.rc7.20201209gita68a0262abda.95]
-- Temporarily backout parallel xz script ("Justin M. Forbes")
+* Fri Dec 11 2020 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.10.0-0.rc7.20201211git33dc9614dc20.97]
 - Remove cp instruction already handled in instruction below. ("Paulo E. Castro")
 - Add all the dependencies gleaned from running `make prepare` on a bloated devel kernel. ("Paulo E. Castro")
 - Add tools to path mangling script. ("Paulo E. Castro")
@@ -2752,10 +2751,32 @@ fi
 - run_kabi-dw.sh: Fix syntax flagged by shellcheck (Ben Crocker)
 - mod-blacklist.sh: Fix syntax flagged by shellcheck (Ben Crocker)
 - scripts/configdiff.sh: Fix syntax flagged by shellcheck (Ben Crocker)
-- self-test/0001-shellcheck.bats: check for shellcheck (Ben Crocker)
-- self-test/1001-rpmlint.bats, 1003-rpminspect.bats (Ben Crocker)
-- Makefile, Makefile.common, egit.sh, 1005-dist-dump-variables.bats (Ben Crocker)
-- Add GIT macro to Makefile and Makefile.common: (Ben Crocker)
+
+* Fri Dec 11 2020 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.10.0-0.rc7.20201211git33dc9614dc20.96]
+- redhat: explicitly disable CONFIG_IMA_APPRAISE_SIGNED_INIT (Bruno Meneguele)
+- redhat: enable CONFIG_EVM_LOAD_X509 on ARK (Bruno Meneguele)
+- redhat: enable CONFIG_EVM_ATTR_FSUUID on ARK (Bruno Meneguele)
+- redhat: enable CONFIG_EVM in all arches and flavors (Bruno Meneguele)
+- redhat: enable CONFIG_IMA_LOAD_X509 on ARK (Bruno Meneguele)
+- redhat: set CONFIG_IMA_DEFAULT_HASH to SHA256 (Bruno Meneguele)
+- redhat: enable CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT (Bruno Meneguele)
+- redhat: enable CONFIG_IMA_READ_POLICY on ARK (Bruno Meneguele)
+- redhat: set default IMA template for all ARK arches (Bruno Meneguele)
+- redhat: enable CONFIG_IMA_DEFAULT_HASH_SHA256 for all flavors (Bruno Meneguele)
+- redhat: disable CONFIG_IMA_DEFAULT_HASH_SHA1 (Bruno Meneguele)
+- redhat: enable CONFIG_IMA_ARCH_POLICY for ppc and x86 (Bruno Meneguele)
+- redhat: enable CONFIG_IMA_APPRAISE_MODSIG (Bruno Meneguele)
+- redhat: enable CONFIG_IMA_APPRAISE_BOOTPARAM (Bruno Meneguele)
+- redhat: enable CONFIG_IMA_APPRAISE (Bruno Meneguele)
+- redhat: enable CONFIG_INTEGRITY for aarch64 (Bruno Meneguele)
+- Temporarily backout parallel xz script ("Justin M. Forbes")
+- New configs in drivers/mfd (Fedora Kernel Team)
+- New configs in drivers/mfd ("CKI@GitLab")
+- New configs in drivers/firmware (Fedora Kernel Team)
+
+* Thu Dec 10 2020 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.10.0-0.rc7.20201210gita2f5ea9e314b.95]
+- kernel: Update some missing KASAN/KCSAN options (Jeremy Linton)
+- kernel: Enable coresight on aarch64 (Jeremy Linton)
 
 * Wed Dec 09 2020 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.10.0-0.rc7.20201209gita68a0262abda.94]
 - Update CONFIG_INET6_ESPINTCP (Justin Forbes)
diff --git a/patch-5.10.0-redhat.patch b/patch-5.10.0-redhat.patch
index a71a191bf..35420ab6f 100644
--- a/patch-5.10.0-redhat.patch
+++ b/patch-5.10.0-redhat.patch
@@ -2628,7 +2628,7 @@ index ab7eea01ab42..fff7c5f737fc 100644
 
  int rmi_register_transport_device(struct rmi_transport_dev *xport);
 diff --git a/include/linux/security.h b/include/linux/security.h
-index bc2725491560..079bea163ba1 100644
+index 39642626a707..17d55164b892 100644
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
 @@ -456,6 +456,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
diff --git a/sources b/sources
index 2a8ea1226..79e4f835a 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-20201209gita68a0262abda.tar.xz) = 7a47f8587a51db41dcbbb1f0db89744df69cdd7518a447c4674b3e1c14cd4bd171c48784b80eb16f0cb6b0cbfea92439daced287f10203c4763e5f2a0cef9824
-SHA512 (kernel-abi-whitelists-5.10.0-0.rc7.20201209gita68a0262abda.95.tar.bz2) = a6a4ac99cb5ecb69d0a193e27eb04e06647f216cde6f993e8683a33f52387e1549612f93607bf5be6a54eab88966dd0a36cbd871d3ac7ef050513cd37ea9878f
-SHA512 (kernel-kabi-dw-5.10.0-0.rc7.20201209gita68a0262abda.95.tar.bz2) = f05e0ffedbe6945f6297019eb790042d0e6e70adae0fbe663c7e8b3a36c5db9c8d37de2ec326732960127a197979f70f568f8273b31cc8916b01fd6dcf35553e
+SHA512 (linux-20201211git33dc9614dc20.tar.xz) = 8ba0768cb918ff27ae82ee4c9631e23cc21c23815d2c9d9c7e162cb0970842efb40c5692b4c2da4ac0c7784143a970201c3e7298fbf1dd688b50b2e6f7ef2387
+SHA512 (kernel-abi-whitelists-5.10.0-0.rc7.20201211git33dc9614dc20.97.tar.bz2) = 81318457d22867a416cfa744f5a04c859af0a79c7046f66dcc7a1f4b74deb5a64e1e7b2ef1b80ecd72f8377123ba57d9878228efa5caf8b191d98b1d4bb8d11b
+SHA512 (kernel-kabi-dw-5.10.0-0.rc7.20201211git33dc9614dc20.97.tar.bz2) = 03f00c562085c0e6d6b3d8cd350e45bcb3301215572029520136af00a2c776dc8fe5354a6af9243cc4dbd414c39dd8ee93855dade3878eb49e8fa2fef57f310e
-- 
cgit