From 4b5e4234be6539e237a2eaf36decf1b4b41fdc22 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 15 Apr 2019 11:10:59 -0400 Subject: Rebase the kernel lockdown patch set Use the latest version of the kernel lockdown patch set. This includes a few configuration renames: CONFIG_KEXEC_VERIFY_SIG became CONFIG_KEXEC_SIG and CONFIG_KEXEC_SIG_FORCE was added. CONFIG_KEXEC_SIG_FORCE=n because the "kexec_file: Restrict at runtime if the kernel is locked down" patch enforces the signature requirement when the kernel is locked down. CONFIG_LOCK_DOWN_MANDATORY got renamed to CONFIG_LOCK_DOWN_KERNEL_FORCE and remains false as LOCK_DOWN_IN_EFI_SECURE_BOOT covers enabling it for EFI Secure Boot users. Finally, the SysRq patches got dropped for the present. --- configs/fedora/generic/x86/CONFIG_KEXEC_SIG | 1 + configs/fedora/generic/x86/CONFIG_KEXEC_SIG_FORCE | 1 + configs/fedora/generic/x86/CONFIG_KEXEC_VERIFY_SIG | 1 - configs/fedora/generic/x86/CONFIG_LOCK_DOWN_KERNEL_FORCE | 1 + configs/fedora/generic/x86/CONFIG_LOCK_DOWN_MANDATORY | 1 - 5 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 configs/fedora/generic/x86/CONFIG_KEXEC_SIG create mode 100644 configs/fedora/generic/x86/CONFIG_KEXEC_SIG_FORCE delete mode 100644 configs/fedora/generic/x86/CONFIG_KEXEC_VERIFY_SIG create mode 100644 configs/fedora/generic/x86/CONFIG_LOCK_DOWN_KERNEL_FORCE delete mode 100644 configs/fedora/generic/x86/CONFIG_LOCK_DOWN_MANDATORY (limited to 'configs')
diff --git a/configs/fedora/generic/x86/CONFIG_KEXEC_SIG b/configs/fedora/generic/x86/CONFIG_KEXEC_SIG
new file mode 100644
index 000000000..67b688658
--- /dev/null
+++ b/configs/fedora/generic/x86/CONFIG_KEXEC_SIG
@@ -0,0 +1 @@
+CONFIG_KEXEC_SIG=y
diff --git a/configs/fedora/generic/x86/CONFIG_KEXEC_SIG_FORCE b/configs/fedora/generic/x86/CONFIG_KEXEC_SIG_FORCE
new file mode 100644
index 000000000..21d707af1
--- /dev/null
+++ b/configs/fedora/generic/x86/CONFIG_KEXEC_SIG_FORCE
@@ -0,0 +1 @@
+# CONFIG_KEXEC_SIG_FORCE is not set
diff --git a/configs/fedora/generic/x86/CONFIG_KEXEC_VERIFY_SIG b/configs/fedora/generic/x86/CONFIG_KEXEC_VERIFY_SIG
deleted file mode 100644
index 5f39f1993..000000000
--- a/configs/fedora/generic/x86/CONFIG_KEXEC_VERIFY_SIG
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_KEXEC_VERIFY_SIG=y
diff --git a/configs/fedora/generic/x86/CONFIG_LOCK_DOWN_KERNEL_FORCE b/configs/fedora/generic/x86/CONFIG_LOCK_DOWN_KERNEL_FORCE
new file mode 100644
index 000000000..b6a333ecd
--- /dev/null
+++ b/configs/fedora/generic/x86/CONFIG_LOCK_DOWN_KERNEL_FORCE
@@ -0,0 +1 @@
+# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
diff --git a/configs/fedora/generic/x86/CONFIG_LOCK_DOWN_MANDATORY b/configs/fedora/generic/x86/CONFIG_LOCK_DOWN_MANDATORY
deleted file mode 100644
index 75d9b3549..000000000
--- a/configs/fedora/generic/x86/CONFIG_LOCK_DOWN_MANDATORY
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_LOCK_DOWN_MANDATORY is not set
-- cgit
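Review bot: Leaving `# CONFIG_KEXEC_SIG_FORCE is not set` in configs/fedora/generic/x86/CONFIG_KEXEC_SIG_FORCE makes signature enforcement for kexec_file_load conditional on the kernel being locked down at runtime, going by the commit description. On an x86 system that boots without lockdown (for example with EFI Secure Boot off), an unsigned image would presumably be accepted, which may be looser than the removed `CONFIG_KEXEC_VERIFY_SIG=y`; this depends on the lockdown patches themselves, which are not part of this view. If unconditional enforcement is wanted, the fragment would read `CONFIG_KEXEC_SIG_FORCE=y`. Otherwise the description should state explicitly that unsigned kexec images are permitted when the kernel is not locked down, and a test boot without Secure Boot should confirm that behaviour.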