kernel-6.17.0-0.rc2.250820gb19a97d57c15.26

* Wed Aug 20 2025 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.17.0-0.rc2.b19a97d57c15.26] - soc: qcom: mdt_loader: Deal with zero e_shentsize (Bjorn Andersson) - arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: add Bluetooth support (Jens Glathe) - ALSA HDA driver configuration split for 6.17 upstream (Jaroslav Kysela) - redhat/configs: clang_lto: disable CONFIG_FORTIFY_KUNIT_TEST (Scott Weaver) Resolves: Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
2025-08-20 11:05:36 -06:00 · 2025-08-20 11:05:36 -06:00 · b74476233b
commit b74476233b
parent 029097fc92
45 changed files with 193 additions and 55 deletions
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@ -12,7 +12,7 @@ RHEL_MINOR = 99
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 24
+RHEL_RELEASE = 26

 #
 # RHEL_REBASE_NUM
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@ -1,8 +1,14 @@
-https://gitlab.com/cki-project/kernel-ark/-/commit/cec6cbc1a506efe565066345ac574c29cd9e7be5
- cec6cbc1a506efe565066345ac574c29cd9e7be5 soc: qcom: mdt_loader: Deal with zero e_shentsize
+https://gitlab.com/cki-project/kernel-ark/-/commit/6ce7f3d337ff688524b07fd8bb513d3ac53ec55b
+ 6ce7f3d337ff688524b07fd8bb513d3ac53ec55b soc: qcom: mdt_loader: Deal with zero e_shentsize

-https://gitlab.com/cki-project/kernel-ark/-/commit/9195b930ab47424216e8dc6f66d70e3d3416ab40
- 9195b930ab47424216e8dc6f66d70e3d3416ab40 arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: add Bluetooth support
+https://gitlab.com/cki-project/kernel-ark/-/commit/a1a6d6d725f896d9afc223c4a11ddb039837f36c
+ a1a6d6d725f896d9afc223c4a11ddb039837f36c arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: add Bluetooth support
+
+https://gitlab.com/cki-project/kernel-ark/-/commit/b9bf2d814fccb1676c09d2d85d965321be542783
+ b9bf2d814fccb1676c09d2d85d965321be542783 arm64: add early lockdown for secure boot
+
+https://gitlab.com/cki-project/kernel-ark/-/commit/550458130508a1fe16525ac39f1fd76278a49871
+ 550458130508a1fe16525ac39f1fd76278a49871 efi: pass secure boot mode to kernel proper

 https://gitlab.com/cki-project/kernel-ark/-/commit/0299a0729cfba8d982f9484fefe4aeac1abc7aa3
 0299a0729cfba8d982f9484fefe4aeac1abc7aa3 selftests/bpf: Remove ksyms_weak_lskel test
--- a/kernel-aarch64-16k-debug-fedora.config
+++ b/kernel-aarch64-16k-debug-fedora.config
@ -2609,7 +2609,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-aarch64-16k-fedora.config
+++ b/kernel-aarch64-16k-fedora.config
@ -2600,7 +2600,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-aarch64-64k-debug-rhel.config
+++ b/kernel-aarch64-64k-debug-rhel.config
@ -2022,7 +2022,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-aarch64-64k-rhel.config
+++ b/kernel-aarch64-64k-rhel.config
@ -2014,7 +2014,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-aarch64-debug-fedora.config
+++ b/kernel-aarch64-debug-fedora.config
@ -2609,7 +2609,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-aarch64-debug-rhel.config
+++ b/kernel-aarch64-debug-rhel.config
@ -2020,7 +2020,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-aarch64-fedora.config
+++ b/kernel-aarch64-fedora.config
@ -2600,7 +2600,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-aarch64-rhel.config
+++ b/kernel-aarch64-rhel.config
@ -2012,7 +2012,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-aarch64-rt-64k-debug-fedora.config
+++ b/kernel-aarch64-rt-64k-debug-fedora.config
@ -2615,7 +2615,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-aarch64-rt-64k-debug-rhel.config
+++ b/kernel-aarch64-rt-64k-debug-rhel.config
@ -2062,7 +2062,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-aarch64-rt-64k-fedora.config
+++ b/kernel-aarch64-rt-64k-fedora.config
@ -2606,7 +2606,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-aarch64-rt-64k-rhel.config
+++ b/kernel-aarch64-rt-64k-rhel.config
@ -2054,7 +2054,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-aarch64-rt-debug-fedora.config
+++ b/kernel-aarch64-rt-debug-fedora.config
@ -2612,7 +2612,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-aarch64-rt-debug-rhel.config
+++ b/kernel-aarch64-rt-debug-rhel.config
@ -2059,7 +2059,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-aarch64-rt-fedora.config
+++ b/kernel-aarch64-rt-fedora.config
@ -2603,7 +2603,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-aarch64-rt-rhel.config
+++ b/kernel-aarch64-rt-rhel.config
@ -2051,7 +2051,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-ppc64le-debug-fedora.config
+++ b/kernel-ppc64le-debug-fedora.config
@ -1968,7 +1968,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-ppc64le-debug-rhel.config
+++ b/kernel-ppc64le-debug-rhel.config
@ -1723,7 +1723,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-ppc64le-fedora.config
+++ b/kernel-ppc64le-fedora.config
@ -1958,7 +1958,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-ppc64le-rhel.config
+++ b/kernel-ppc64le-rhel.config
@ -1715,7 +1715,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-riscv64-debug-fedora.config
+++ b/kernel-riscv64-debug-fedora.config
@ -2004,7 +2004,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-riscv64-debug-rhel.config
+++ b/kernel-riscv64-debug-rhel.config
@ -1720,7 +1720,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-riscv64-fedora.config
+++ b/kernel-riscv64-fedora.config
@ -1994,7 +1994,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-riscv64-rhel.config
+++ b/kernel-riscv64-rhel.config
@ -1712,7 +1712,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-riscv64-rt-debug-fedora.config
+++ b/kernel-riscv64-rt-debug-fedora.config
@ -2007,7 +2007,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-riscv64-rt-fedora.config
+++ b/kernel-riscv64-rt-fedora.config
@ -1997,7 +1997,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-s390x-debug-fedora.config
+++ b/kernel-s390x-debug-fedora.config
@ -1974,7 +1974,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-s390x-debug-rhel.config
+++ b/kernel-s390x-debug-rhel.config
@ -1729,7 +1729,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-s390x-fedora.config
+++ b/kernel-s390x-fedora.config
@ -1964,7 +1964,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_TEST=m
--- a/kernel-s390x-rhel.config
+++ b/kernel-s390x-rhel.config
@ -1721,7 +1721,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-s390x-zfcpdump-rhel.config
+++ b/kernel-s390x-zfcpdump-rhel.config
@ -1722,7 +1722,7 @@ CONFIG_EFI_HANDOVER_PROTOCOL=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
 # CONFIG_EFI_TEST is not set
--- a/kernel-x86_64-debug-fedora.config
+++ b/kernel-x86_64-debug-fedora.config
@ -2176,7 +2176,7 @@ CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SECRET=m
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
--- a/kernel-x86_64-debug-rhel.config
+++ b/kernel-x86_64-debug-rhel.config
@ -1880,7 +1880,7 @@ CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SECRET=m
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
--- a/kernel-x86_64-fedora.config
+++ b/kernel-x86_64-fedora.config
@ -2166,7 +2166,7 @@ CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SECRET=m
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
--- a/kernel-x86_64-rhel.config
+++ b/kernel-x86_64-rhel.config
@ -1872,7 +1872,7 @@ CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SECRET=m
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
--- a/kernel-x86_64-rt-debug-fedora.config
+++ b/kernel-x86_64-rt-debug-fedora.config
@ -2179,7 +2179,7 @@ CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SECRET=m
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
--- a/kernel-x86_64-rt-debug-rhel.config
+++ b/kernel-x86_64-rt-debug-rhel.config
@ -1919,7 +1919,7 @@ CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SECRET=m
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
--- a/kernel-x86_64-rt-fedora.config
+++ b/kernel-x86_64-rt-fedora.config
@ -2169,7 +2169,7 @@ CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SECRET=m
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
--- a/kernel-x86_64-rt-rhel.config
+++ b/kernel-x86_64-rt-rhel.config
@ -1911,7 +1911,7 @@ CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
-CONFIG_EFI_SBAT_FILE="kernel.sbat"
+CONFIG_EFI_SBAT_FILE=""
 CONFIG_EFI_SECRET=m
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_STUB=y
--- a/kernel.changelog
+++ b/kernel.changelog
@ -1,10 +1,23 @@
-* Mon Aug 18 2025 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.17.0-0.rc2.24]
+* Wed Aug 20 2025 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.17.0-0.rc2.b19a97d57c15.26]
 - soc: qcom: mdt_loader: Deal with zero e_shentsize (Bjorn Andersson)
 - arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: add Bluetooth support (Jens Glathe)
 - ALSA HDA driver configuration split for 6.17 upstream (Jaroslav Kysela)
 - redhat/configs: clang_lto: disable CONFIG_FORTIFY_KUNIT_TEST (Scott Weaver)
 Resolves: 

+* Wed Aug 20 2025 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.17.0-0.rc2.b19a97d57c15.25]
+- redhat/Makefile: add dist-spec (Scott Weaver)
+- redhat: Switch to implicit enablement of CONFIG_EFI_SBAT_FILE (Vitaly Kuznetsov)
+- Linux v6.17.0-0.rc2.b19a97d57c15
+Resolves: 
+
+* Tue Aug 19 2025 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.17.0-0.rc2.be48bcf004f9.24]
+- redhat/configs: Enable early lockdown for Arm (Mark Salter) [RHEL-1927]
+- arm64: add early lockdown for secure boot (Mark Salter) [RHEL-1927]
+- efi: pass secure boot mode to kernel proper (Mark Salter) [RHEL-1927]
+- Linux v6.17.0-0.rc2.be48bcf004f9
+Resolves: RHEL-1927
+
 * Mon Aug 18 2025 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.17.0-0.rc2.23]
 - Linux v6.17.0-0.rc2
 Resolves: 
--- a/kernel.spec
+++ b/kernel.spec
@ -176,13 +176,13 @@ Summary: The Linux kernel
 %define specrpmversion 6.17.0
 %define specversion 6.17.0
 %define patchversion 6.17
-%define pkgrelease 0.rc2.24
+%define pkgrelease 0.rc2.250820gb19a97d57c15.26
 %define kversion 6
-%define tarfile_release 6.17-rc2
+%define tarfile_release 6.17-rc2-53-gb19a97d57c15
 # This is needed to do merge window version magic
 %define patchlevel 17
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 0.rc2.24%{?buildid}%{?dist}
+%define specrelease 0.rc2.250820gb19a97d57c15.26%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 6.17.0

@ -2143,6 +2143,7 @@ cat imaca.pem >> ../certs/rhel.pem

 for i in *.config; do
  sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
+  sed -i 's@CONFIG_EFI_SBAT_FILE=""@CONFIG_EFI_SBAT_FILE="kernel.sbat"@' $i
 done
 %endif

@ -4382,12 +4383,23 @@ fi\
 #
 #
 %changelog
-* Mon Aug 18 2025 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.17.0-0.rc2.24]
+* Wed Aug 20 2025 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.17.0-0.rc2.b19a97d57c15.26]
 - soc: qcom: mdt_loader: Deal with zero e_shentsize (Bjorn Andersson)
 - arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: add Bluetooth support (Jens Glathe)
 - ALSA HDA driver configuration split for 6.17 upstream (Jaroslav Kysela)
 - redhat/configs: clang_lto: disable CONFIG_FORTIFY_KUNIT_TEST (Scott Weaver)

+* Wed Aug 20 2025 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.17.0-0.rc2.b19a97d57c15.25]
+- redhat/Makefile: add dist-spec (Scott Weaver)
+- redhat: Switch to implicit enablement of CONFIG_EFI_SBAT_FILE (Vitaly Kuznetsov)
+- Linux v6.17.0-0.rc2.b19a97d57c15
+
+* Tue Aug 19 2025 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.17.0-0.rc2.be48bcf004f9.24]
+- redhat/configs: Enable early lockdown for Arm (Mark Salter) [RHEL-1927]
+- arm64: add early lockdown for secure boot (Mark Salter) [RHEL-1927]
+- efi: pass secure boot mode to kernel proper (Mark Salter) [RHEL-1927]
+- Linux v6.17.0-0.rc2.be48bcf004f9
+
 * Mon Aug 18 2025 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.17.0-0.rc2.23]
 - Linux v6.17.0-0.rc2

--- a/patch-6.17-redhat.patch
+++ b/patch-6.17-redhat.patch
@ -6,6 +6,7 @@
 arch/arm/Kconfig                                   |   4 +-
 arch/arm64/Kconfig                                 |   2 +-
 .../boot/dts/qcom/x1e80100-lenovo-yoga-slim7x.dts  | 143 ++++++
+ arch/arm64/kernel/setup.c                          |  27 +
 arch/s390/include/asm/ipl.h                        |   1 +
 arch/s390/kernel/ipl.c                             |   5 +
 arch/s390/kernel/setup.c                           |   4 +
@ -27,6 +28,8 @@
 drivers/char/random.c                              | 126 ++++-
 drivers/firmware/efi/Makefile                      |   1 +
 drivers/firmware/efi/efi.c                         | 124 +++--
+ drivers/firmware/efi/libstub/fdt.c                 |   5 +
+ drivers/firmware/efi/libstub/secureboot.c          |  14 +-
 drivers/firmware/efi/secureboot.c                  |  38 ++
 drivers/hid/hid-rmi.c                              |  66 ---
 drivers/hwtracing/coresight/coresight-etm4x-core.c |  19 +
@ -79,7 +82,7 @@
 security/lockdown/lockdown.c                       |  11 +
 tools/testing/selftests/bpf/Makefile               |   2 +-
 tools/testing/selftests/bpf/prog_tests/ksyms_btf.c |  31 --
- 81 files changed, 2871 insertions(+), 244 deletions(-)
+ 84 files changed, 2913 insertions(+), 248 deletions(-)

 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
 index 747a55abf494..75f583e28d1d 100644
@ -467,6 +470,58 @@ index dad0f11e8e85..d02f8d4f7baf 100644
 };
 
 &uart21 {
+diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
+index 77c7926a4df6..1727fc3f6a77 100644
+--- a/arch/arm64/kernel/setup.c
+++ b/arch/arm64/kernel/setup.c
+@@ -32,6 +32,8 @@
+ #include <linux/sched/task.h>
+ #include <linux/scs.h>
+ #include <linux/mm.h>
+#include <linux/security.h>
+#include <linux/libfdt.h>
+ 
+ #include <asm/acpi.h>
+ #include <asm/fixmap.h>
+@@ -207,6 +209,24 @@ static void __init setup_machine_fdt(phys_addr_t dt_phys)
+ 	dump_stack_set_arch_desc("%s (DT)", name);
+ }
+ 
+static void __init init_secureboot_mode(void)
+{
+	void *fdt = initial_boot_params;
+	u64 chosen;
+	const __be32 *prop;
+	int len;
+
+	chosen = fdt_path_offset(fdt, "/chosen");
+	if (chosen < 0)
+		return;
+
+	prop = fdt_getprop(fdt, chosen, "secure-boot-mode", &len);
+	if (!prop || len != sizeof(u32))
+		return;
+
+	efi_set_secure_boot((enum efi_secureboot_mode)fdt32_to_cpu(*prop));
+}
+
+ static void __init request_standard_resources(void)
+ {
+ 	struct memblock_region *region;
+@@ -327,6 +347,13 @@ void __init __no_sanitize_address setup_arch(char **cmdline_p)
+ 			pr_warn(FW_BUG "Kernel image misaligned at boot, please fix your bootloader!");
+ 		WARN_TAINT(mmu_enabled_at_boot, TAINT_FIRMWARE_WORKAROUND,
+ 			   FW_BUG "Booted with MMU enabled!");
+	} else {
+		init_secureboot_mode();
+
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+		if (efi_enabled(EFI_SECURE_BOOT))
+			security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
+#endif
+ 	}
+ 
+ 	arm64_memblock_init();
 diff --git a/arch/s390/include/asm/ipl.h b/arch/s390/include/asm/ipl.h
 index b0d00032479d..afb9544fb007 100644
 --- a/arch/s390/include/asm/ipl.h
@ -1631,6 +1686,58 @@ index 1ce428e2ac8a..12a79ddc2543 100644
 }
 EXPORT_SYMBOL_GPL(efi_status_to_err);
 
+diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c
+index 6a337f1f8787..89244e0d9fa8 100644
+--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
+@@ -132,6 +132,11 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size,
+ 		}
+ 	}
+ 
+	fdt_val32 = cpu_to_fdt32((u32)efi_get_secureboot());
+	status = fdt_setprop_var(fdt, node, "secure-boot-mode", fdt_val32);
+	if (status)
+		goto fdt_set_fail;
+
+ 	/* Shrink the FDT back to its minimum size: */
+ 	fdt_pack(fdt);
+ 
+diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c
+index 516f4f0069bd..380354755108 100644
+--- a/drivers/firmware/efi/libstub/secureboot.c
+++ b/drivers/firmware/efi/libstub/secureboot.c
+@@ -29,10 +29,13 @@ enum efi_secureboot_mode efi_get_secureboot(void)
+ {
+ 	u32 attr;
+ 	unsigned long size;
+-	enum efi_secureboot_mode mode;
+	static enum efi_secureboot_mode mode;
+ 	efi_status_t status;
+ 	u8 moksbstate;
+ 
+	if (mode != efi_secureboot_mode_unset)
+		return mode;
+
+ 	mode = efi_get_secureboot_mode(get_var);
+ 	if (mode == efi_secureboot_mode_unknown) {
+ 		efi_err("Could not determine UEFI Secure Boot status.\n");
+@@ -53,10 +56,13 @@ enum efi_secureboot_mode efi_get_secureboot(void)
+ 	/* If it fails, we don't care why. Default to secure */
+ 	if (status != EFI_SUCCESS)
+ 		goto secure_boot_enabled;
+-	if (!(attr & EFI_VARIABLE_NON_VOLATILE) && moksbstate == 1)
+-		return efi_secureboot_mode_disabled;
+	if (!(attr & EFI_VARIABLE_NON_VOLATILE) && moksbstate == 1) {
+		mode = efi_secureboot_mode_disabled;
+		return mode;
+	}
+ 
+ secure_boot_enabled:
+ 	efi_info("UEFI Secure Boot is enabled.\n");
+-	return efi_secureboot_mode_enabled;
+	mode = efi_secureboot_mode_enabled;
+	return mode;
+ }
 diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
 new file mode 100644
 index 000000000000..de0a3714a5d4
@ -2459,10 +2566,10 @@ index 1b529ace4db0..30c2e0186463 100644
 }
 
 diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index c7d39da7e733..bc9d490ca73e 100644
+index 699c15db28a8..50a5e317ddea 100644
 --- a/fs/ext4/super.c
 +++ b/fs/ext4/super.c
-@@ -5635,6 +5635,17 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
+@@ -5639,6 +5639,17 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
 	atomic_set(&sbi->s_warning_count, 0);
 	atomic_set(&sbi->s_msg_count, 0);
 
--- a/6
+++ b/6
@ -1,3 +1,3 @@
-SHA512 (linux-6.17-rc2.tar.xz) = b0572a05b65637ea9bbbe44edc4db14980a9fcce72af9a128ba6b4e3a9864322c269490bb5ec81fe1ed3294cb7486e6cba9b4ac64369761189b6f2300946822f
-SHA512 (kernel-abi-stablelists-6.17.0.tar.xz) = 4431f5278fc00c9b8c780f5214ba835b8f5b1337093cfeaf556def0d97d0386310cf86d67cec5126bef76663354d44558e3c9a960f811d047fce0f3106c5fc34
-SHA512 (kernel-kabi-dw-6.17.0.tar.xz) = 8bd42f83722e024d983015dbb35eb273c4dfc981a452bead08abdbce02f56d137d37eb176ac2a62b7410865bef482b95dd9681bd52a62071d0dde0cd3b4bf9db
+SHA512 (linux-6.17-rc2-53-gb19a97d57c15.tar.xz) = 57f122d99ff297d5c8d7a5641aa70c79039846912fe2575bb4e7db7306e008304e549c1cd245d6b2e00edb26428f21fb739af1cb64f2a47a63065f465671ffc4
+SHA512 (kernel-abi-stablelists-6.17.0.tar.xz) = 86a7ec259c23f929eaa0900b68dc16f0f84ebee375dfa04680e5ef3101b4c6a92e681ef311ebcfe14df436811e878a46e783d157352514e55abac42e4ffb2b3c
+SHA512 (kernel-kabi-dw-6.17.0.tar.xz) = 921f6027c73f757955f496cf6e062ae583c3fb2d5dd6d6e3d0c62fb96bb988ffa8b3624c08129163efe2977025cba81d874317de0c8130a6b403992b2d52a20a