From 4b5e4234be6539e237a2eaf36decf1b4b41fdc22 Mon Sep 17 00:00:00 2001
From: Jeremy Cline
Date: Mon, 15 Apr 2019 11:10:59 -0400
Subject: Rebase the kernel lockdown patch set Use the latest version of the kernel lockdown patch set. This includes a few configuration renames: CONFIG_KEXEC_VERIFY_SIG became CONFIG_KEXEC_SIG and CONFIG_KEXEC_SIG_FORCE was added. CONFIG_KEXEC_SIG_FORCE=n because the "kexec_file: Restrict at runtime if the kernel is locked down" patch enforces the signature requirement when the kernel is locked down. CONFIG_LOCK_DOWN_MANDATORY got renamed to CONFIG_LOCK_DOWN_KERNEL_FORCE and remains false as LOCK_DOWN_IN_EFI_SECURE_BOOT covers enabling it for EFI Secure Boot users. Finally, the SysRq patches got dropped for the present.
---
 kernel-i686.config | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'kernel-i686.config')
diff --git a/kernel-i686.config b/kernel-i686.config
index ae761ca96..a06009607 100644
--- a/kernel-i686.config
+++ b/kernel-i686.config
@@ -2625,7 +2625,8 @@ CONFIG_KERNEL_GZIP=y
 # CONFIG_KERNEL_XZ is not set
 # CONFIG_KEXEC_FILE is not set
 # CONFIG_KEXEC_JUMP is not set
-CONFIG_KEXEC_VERIFY_SIG=y
+# CONFIG_KEXEC_SIG_FORCE is not set
+CONFIG_KEXEC_SIG=y
 CONFIG_KEXEC=y
 # CONFIG_KEYBOARD_ADC is not set
 # CONFIG_KEYBOARD_ADP5588 is not set
@@ -2808,8 +2809,8 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
 CONFIG_LOCK_DOWN_KERNEL=y
-# CONFIG_LOCK_DOWN_MANDATORY is not set
 CONFIG_LOCKD_V4=y
 # CONFIG_LOCK_STAT is not set
 # CONFIG_LOCK_TORTURE_TEST is not set
-- cgit
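Review bot: `CONFIG_KEXEC_SIG=y` in the first hunk (@@ -2625) sits two lines below the context line `# CONFIG_KEXEC_FILE is not set`, so the renamed signature options look inert in this i686 config. Signature verification belongs to the kexec_file_load path, while the `CONFIG_KEXEC=y` line kept just below leaves the plain kexec_load syscall built in, and that path does not verify image signatures. If this is intended, the description should say so, e.g. `On i686 KEXEC_FILE is disabled, so KEXEC_SIG and KEXEC_SIG_FORCE have no effect here.` The view is limited to this one file, so whether other architectures enable KEXEC_FILE cannot be judged from the page.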
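Review bot: The description justifies leaving `CONFIG_LOCK_DOWN_KERNEL_FORCE` off by saying LOCK_DOWN_IN_EFI_SECURE_BOOT enables lockdown for Secure Boot users, but in the second hunk (@@ -2808) the context line directly above the added one reads `# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set`. With both options unset, nothing visible in this file turns lockdown on automatically for i686. The runtime restrictions the message relies on, including the kexec signature requirement, would then presumably apply only if lockdown is enabled some other way. Either record that as deliberate in the description, e.g. `i686 builds do not enable lockdown automatically`, or, if the option is selectable on this architecture, set `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y`.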