Linux v4.6-10203-g84787c572d40

- Enable CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE (rhbz 1339281) - Fixup SB patchset to work with upstream changes
2016-05-25 11:13:52 -04:00 · 2016-05-25 11:13:52 -04:00 · 42d2805cbe
commit 42d2805cbe
parent cfaea7dc72
23 changed files with 213 additions and 154 deletions
--- a/Add-EFI-signature-data-types.patch
+++ b/Add-EFI-signature-data-types.patch
@ -1,7 +1,7 @@
-From 6fb2a60e6bfb5ce2d3a4964e7b47ac5c7ecd6f82 Mon Sep 17 00:00:00 2001
+From 5216de8394ff599e41c8540c0572368c18c51459 Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:30:54 -0400
-Subject: [PATCH] Add EFI signature data types
+Subject: [PATCH 4/9] Add EFI signature data types
 Add the data types that are used for containing hashes, keys and certificates
 for cryptographic verification.
@ -15,10 +15,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
 1 file changed, 20 insertions(+)
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index fb0734f..b80227a 100644
+index 8cb38cfcba74..8c274b4ea8e6 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -653,6 +653,12 @@ void efi_native_runtime_setup(void);
+@@ -647,6 +647,12 @@ void efi_native_runtime_setup(void);
 	EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, \
 		 0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f)
@ -31,7 +31,7 @@ index fb0734f..b80227a 100644
 typedef struct {
 	efi_guid_t guid;
 	u64 table;
-@@ -885,6 +891,20 @@ typedef struct {
+@@ -879,6 +885,20 @@ typedef struct {
 	efi_memory_desc_t entry[0];
 } efi_memory_attributes_table_t;
--- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch
+++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
@ -1,7 +1,7 @@
-From 8cd53548ce7b88b08cc6345c8fca7d28d1f3a7f2 Mon Sep 17 00:00:00 2001
+From e36a2d65e25fdf42b50aa5dc17583d7bfd09c4c4 Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:36:28 -0400
-Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
+Subject: [PATCH 5/9] Add an EFI signature blob parser and key loader.
 X.509 certificates are loaded into the specified keyring as asymmetric type
 keys.
@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
 create mode 100644 crypto/asymmetric_keys/efi_parser.c
 diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index e28e912..94024e8 100644
+index e28e912000a7..94024e8aedaa 100644
 --- a/crypto/asymmetric_keys/Kconfig
 +++ b/crypto/asymmetric_keys/Kconfig
@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
@ -34,7 +34,7 @@ index e28e912..94024e8 100644
 +
 endif # ASYMMETRIC_KEY_TYPE
 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index 6516855..c099fe1 100644
+index 6516855bec18..c099fe15ed6d 100644
 --- a/crypto/asymmetric_keys/Makefile
 +++ b/crypto/asymmetric_keys/Makefile
@@ -10,6 +10,7 @@ asymmetric_keys-y := \
@ -47,7 +47,7 @@ index 6516855..c099fe1 100644
 # X.509 Certificate handling
 diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
 new file mode 100644
-index 0000000..636feb1
+index 000000000000..636feb18b733
 --- /dev/null
 +++ b/crypto/asymmetric_keys/efi_parser.c
@@ -0,0 +1,108 @@
@ -160,10 +160,10 @@ index 0000000..636feb1
 +	return 0;
 +}
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index b80227a..18443e3 100644
+index 8c274b4ea8e6..ff1877145aa4 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -1050,6 +1050,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
+@@ -1044,6 +1044,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
 char * __init efi_md_typeattr_format(char *buf, size_t size,
 				     const efi_memory_desc_t *md);
--- a/Add-option-to-automatically-enforce-module-signature.patch
+++ b/Add-option-to-automatically-enforce-module-signature.patch
@ -1,7 +1,8 @@
-From 8802c7e62531b3867580068ee8b50415b966d22c Mon Sep 17 00:00:00 2001
+From 0000dc9edd5997cc49b8893a9d5407f89dfa1307 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 10/20] Add option to automatically enforce module signatures when in Secure Boot mode
+Subject: [PATCH] Add option to automatically enforce module signatures when in
 Secure Boot mode
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
 only load signed bootloaders and kernels. Certain use cases may also
@ -11,16 +12,16 @@ that enforces this automatically when enabled.
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
 ---
 Documentation/x86/zero-page.txt       |  2 ++
- arch/x86/Kconfig                      | 10 ++++++
+ arch/x86/Kconfig                      | 11 ++++++
 arch/x86/boot/compressed/eboot.c      | 66 +++++++++++++++++++++++++++++++++++
 arch/x86/include/uapi/asm/bootparam.h |  3 +-
 arch/x86/kernel/setup.c               |  6 ++++
 include/linux/module.h                |  6 ++++
 kernel/module.c                       |  7 ++++
- 7 files changed, 99 insertions(+), 1 deletion(-)
+ 7 files changed, 100 insertions(+), 1 deletion(-)
 diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
-index 95a4d34..b8527c6 100644
+index 95a4d34af3fd..b8527c6b7646 100644
 --- a/Documentation/x86/zero-page.txt
 +++ b/Documentation/x86/zero-page.txt
@@ -31,6 +31,8 @@ Offset	Proto	Name		Meaning
@ -33,15 +34,16 @@ index 95a4d34..b8527c6 100644
 290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
 2D0/A00	ALL	e820_map	E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 2dc18605..a701d09 100644
+index 0a7b885964ba..29b8ba9ae713 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1785,6 +1785,16 @@ config EFI_MIXED
+@@ -1776,6 +1776,17 @@ config EFI_MIXED
 	   If unsure, say N.
 +config EFI_SECURE_BOOT_SIG_ENFORCE
-+        def_bool n
+	def_bool n
 +	depends on EFI
 +	prompt "Force module signing when UEFI Secure Boot is enabled"
 +	---help---
 +	  UEFI Secure Boot provides a mechanism for ensuring that the
@ -54,7 +56,7 @@ index 2dc18605..a701d09 100644
 	def_bool y
 	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 52fef60..6b8b9a7 100644
+index 52fef606bc54..6b8b9a775b46 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
@@ -12,6 +12,7 @@
@ -145,7 +147,7 @@ index 52fef60..6b8b9a7 100644
 	setup_efi_pci(boot_params);
 diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index 3292543..b61f853 100644
+index c18ce67495fa..2b3e5427097b 100644
 --- a/arch/x86/include/uapi/asm/bootparam.h
 +++ b/arch/x86/include/uapi/asm/bootparam.h
@@ -134,7 +134,8 @@ struct boot_params {
@ -159,10 +161,10 @@ index 3292543..b61f853 100644
 	 * The sentinel is set to a nonzero value (0xff) in header.S.
 	 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 2367ae0..1a78bf7 100644
+index c4e7b3991b60..bdb9881c7afd 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1146,6 +1146,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p)
 	io_delay_init();
@ -176,7 +178,7 @@ index 2367ae0..1a78bf7 100644
 	 * Parse the ACPI tables for possible boot-time SMP configuration.
 	 */
 diff --git a/include/linux/module.h b/include/linux/module.h
-index ab13009..e072b84 100644
+index 082298a09df1..38d0597f7615 100644
 --- a/include/linux/module.h
 +++ b/include/linux/module.h
@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
@ -193,10 +195,10 @@ index ab13009..e072b84 100644
 extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 392ac8c..676c578 100644
+index 3c384968f553..ea484f3a35b2 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4081,6 +4081,13 @@ void module_layout(struct module *mod,
+@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod,
 EXPORT_SYMBOL(module_layout);
 #endif
--- a/Add-sysrq-option-to-disable-secure-boot-mode.patch
+++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch
@ -1,7 +1,7 @@
-From 16d2ba5d5bc46e67e6aa7a3d113fbcc18c217388 Mon Sep 17 00:00:00 2001
+From e27a9a98dcf3ff95568593026da065a72ad21b92 Mon Sep 17 00:00:00 2001
 From: Kyle McMartin <kyle@redhat.com>
 Date: Fri, 30 Aug 2013 09:28:51 -0400
-Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode
+Subject: [PATCH 9/9] Add sysrq option to disable secure boot mode
 Bugzilla: N/A
 Upstream-status: Fedora mustard
@ -16,7 +16,7 @@ Upstream-status: Fedora mustard
 7 files changed, 64 insertions(+), 9 deletions(-)
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index f93826b8522c..41679b1aca83 100644
+index a666b6c29c77..7732c769937b 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
@@ -70,6 +70,11 @@
@ -31,7 +31,7 @@ index f93826b8522c..41679b1aca83 100644
 #include <video/edid.h>
 #include <asm/mtrr.h>
-@@ -1261,6 +1266,37 @@ void __init i386_reserve_resources(void)
+@@ -1286,6 +1291,37 @@ void __init i386_reserve_resources(void)
 #endif /* CONFIG_X86_32 */
@ -70,10 +70,10 @@ index f93826b8522c..41679b1aca83 100644
 	.notifier_call = dump_kernel_offset
 };
 diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
-index 345df9b03aed..dea6a6c4a39b 100644
+index abe1a927b332..f4126fcec10c 100644
 --- a/drivers/input/misc/uinput.c
 +++ b/drivers/input/misc/uinput.c
-@@ -364,6 +364,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
+@@ -379,6 +379,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
 	if (!udev->dev)
 		return -ENOMEM;
@ -82,10 +82,10 @@ index 345df9b03aed..dea6a6c4a39b 100644
 	input_set_drvdata(udev->dev, udev);
 diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
-index 95b330a9ea98..dfa3e154a719 100644
+index e5139402e7f8..5ef2e04a03ad 100644
 --- a/drivers/tty/sysrq.c
 +++ b/drivers/tty/sysrq.c
-@@ -472,6 +472,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
+@@ -478,6 +478,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
 	/* x: May be registered on mips for TLB dump */
 	/* x: May be registered on ppc/powerpc for xmon */
 	/* x: May be registered on sparc64 for global PMU dump */
@ -93,7 +93,7 @@ index 95b330a9ea98..dfa3e154a719 100644
 	NULL,				/* x */
 	/* y: May be registered on sparc64 for global register dump */
 	NULL,				/* y */
-@@ -515,7 +516,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
+@@ -521,7 +522,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
                 sysrq_key_table[i] = op_p;
 }
@ -102,7 +102,7 @@ index 95b330a9ea98..dfa3e154a719 100644
 {
 	struct sysrq_key_op *op_p;
 	int orig_log_level;
-@@ -535,11 +536,15 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -541,11 +542,15 @@ void __handle_sysrq(int key, bool check_mask)
         op_p = __sysrq_get_key_op(key);
         if (op_p) {
@ -119,7 +119,7 @@ index 95b330a9ea98..dfa3e154a719 100644
 			pr_cont("%s\n", op_p->action_msg);
 			console_loglevel = orig_log_level;
 			op_p->handler(key);
-@@ -571,7 +576,7 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -577,7 +582,7 @@ void __handle_sysrq(int key, bool check_mask)
 void handle_sysrq(int key)
 {
 	if (sysrq_on())
@ -128,7 +128,7 @@ index 95b330a9ea98..dfa3e154a719 100644
 }
 EXPORT_SYMBOL(handle_sysrq);
-@@ -652,7 +657,7 @@ static void sysrq_do_reset(unsigned long _state)
+@@ -658,7 +663,7 @@ static void sysrq_do_reset(unsigned long _state)
 static void sysrq_handle_reset_request(struct sysrq_state *state)
 {
 	if (state->reset_requested)
@ -137,7 +137,7 @@ index 95b330a9ea98..dfa3e154a719 100644
 	if (sysrq_reset_downtime_ms)
 		mod_timer(&state->keyreset_timer,
-@@ -803,8 +808,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
+@@ -809,8 +814,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
 	default:
 		if (sysrq->active && value && value != 2) {
@ -149,7 +149,7 @@ index 95b330a9ea98..dfa3e154a719 100644
 		}
 		break;
 	}
-@@ -1084,7 +1091,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
+@@ -1094,7 +1101,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
 		if (get_user(c, buf))
 			return -EFAULT;
@ -159,7 +159,7 @@ index 95b330a9ea98..dfa3e154a719 100644
 	return count;
 diff --git a/include/linux/input.h b/include/linux/input.h
-index 82ce323b9986..9e534f228945 100644
+index 1e967694e9a5..2b56c6f9673c 100644
 --- a/include/linux/input.h
 +++ b/include/linux/input.h
@@ -42,6 +42,7 @@ struct input_value {
@ -216,7 +216,7 @@ index 387fa7d05c98..4b07e30b3279 100644
 int unregister_sysrq_key(int key, struct sysrq_key_op *op);
 struct sysrq_key_op *__sysrq_get_key_op(int key);
 diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
-index 4121345498e0..0ff3cef5df96 100644
+index 2a20c0dfdafc..3d17205dab77 100644
 --- a/kernel/debug/kdb/kdb_main.c
 +++ b/kernel/debug/kdb/kdb_main.c
@@ -1968,7 +1968,7 @@ static int kdb_sr(int argc, const char **argv)
@ -229,10 +229,10 @@ index 4121345498e0..0ff3cef5df96 100644
 	return 0;
 diff --git a/kernel/module.c b/kernel/module.c
-index 2b403ab0ef29..7818c110e95c 100644
+index ea484f3a35b2..84b00659b0ee 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -292,7 +292,7 @@ static void module_assert_mutex_or_preempt(void)
+@@ -269,7 +269,7 @@ static void module_assert_mutex_or_preempt(void)
 #endif
 }
@ -242,5 +242,5 @@ index 2b403ab0ef29..7818c110e95c 100644
 module_param(sig_enforce, bool_enable_only, 0644);
 #endif /* !CONFIG_MODULE_SIG_FORCE */
 -- 
-2.4.3
+2.5.5
--- a/KEYS-Add-a-system-blacklist-keyring.patch
+++ b/KEYS-Add-a-system-blacklist-keyring.patch
@ -1,7 +1,7 @@
-From f630ce576114bfede02d8a0bafa97e4d6f978a74 Mon Sep 17 00:00:00 2001
+From 096da19de900a115ee3610b666ecb7e55926623d Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 26 Oct 2012 12:36:24 -0400
-Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
+Subject: [PATCH 6/9] KEYS: Add a system blacklist keyring
 This adds an additional keyring that is used to store certificates that
 are blacklisted.  This keyring is searched first when loading signed modules
@ -10,52 +10,48 @@ useful in cases where third party certificates are used for module signing.
 Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 ---
- certs/system_keyring.c        | 27 +++++++++++++++++++++++++++
+ certs/system_keyring.c        | 22 ++++++++++++++++++++++
 include/keys/system_keyring.h |  4 ++++
 init/Kconfig                  |  9 +++++++++
- 3 files changed, 40 insertions(+)
+ 3 files changed, 35 insertions(+)
 diff --git a/certs/system_keyring.c b/certs/system_keyring.c
-index 2570598b784d..53733822993f 100644
+index 50979d6dcecd..787eeead2f57 100644
 --- a/certs/system_keyring.c
 +++ b/certs/system_keyring.c
-@@ -20,6 +20,9 @@
+@@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys;
- 
+ #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
- struct key *system_trusted_keyring;
+ static struct key *secondary_trusted_keys;
- EXPORT_SYMBOL_GPL(system_trusted_keyring);
+ #endif
 +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 +struct key *system_blacklist_keyring;
 +#endif
 extern __initconst const u8 system_certificate_list[];
 extern __initconst const unsigned long system_certificate_list_size;
-@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
+@@ -99,6 +102,16 @@ static __init int system_trusted_keyring_init(void)
- 		panic("Can't allocate system trusted keyring\n");
+ 	if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
- 
+ 		panic("Can't link trusted keyrings\n");
- 	set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
+ #endif
-+
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 +	#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 +	system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
-+				    KUIDT_INIT(0), KGIDT_INIT(0),
+			KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
-+				    current_cred(),
+			((KEY_POS_ALL & ~KEY_POS_SETATTR) |
-+				    (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+			 KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
-+				    KEY_USR_VIEW | KEY_USR_READ,
+			KEY_ALLOC_NOT_IN_QUOTA,
-+				    KEY_ALLOC_NOT_IN_QUOTA, NULL);
+			NULL, NULL);
 +	if (IS_ERR(system_blacklist_keyring))
 +		panic("Can't allocate system blacklist keyring\n");
 +
 +	set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags);
 +#endif
-+
+ 
 	return 0;
 }
- 
+@@ -214,6 +227,15 @@ int verify_pkcs7_signature(const void *data, size_t len,
-@@ -138,6 +155,16 @@ int system_verify_data(const void *data, unsigned long len,
+ 		trusted_keys = builtin_trusted_keys;
- 	if (ret < 0)
+ #endif
- 		goto error;
+ 	}
 +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+	ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted);
+	ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring);
 +	if (!ret) {
 +		/* module is signed with a cert in the blacklist.  reject */
 +		pr_err("Module key is in the blacklist\n");
@ -63,30 +59,29 @@ index 2570598b784d..53733822993f 100644
 +		goto error;
 +	}
 +#endif
-+
+ 	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
- 	ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
+ 	if (ret < 0) {
- 	if (ret < 0)
+ 		if (ret == -ENOKEY)
 		goto error;
 diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index b20cd885c1fd..51d8ddc60e0f 100644
+index fbd4647767e9..5bc291a3d261 100644
 --- a/include/keys/system_keyring.h
 +++ b/include/keys/system_keyring.h
-@@ -35,6 +35,10 @@ extern int system_verify_data(const void *data, unsigned long len,
+@@ -33,6 +33,10 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
- 			      enum key_being_used_for usage);
+ #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
 #endif
 +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 +extern struct key *system_blacklist_keyring;
 +#endif
 +
- #ifdef CONFIG_IMA_MOK_KEYRING
+ #ifdef CONFIG_IMA_BLACKLIST_KEYRING
 extern struct key *ima_mok_keyring;
 extern struct key *ima_blacklist_keyring;
 diff --git a/init/Kconfig b/init/Kconfig
-index 02da9f1fd9df..782d26f02885 100644
+index a9c4aefd5436..e5449d5aeff9 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1783,6 +1783,15 @@ config SYSTEM_DATA_VERIFICATION
+@@ -1829,6 +1829,15 @@ config SYSTEM_DATA_VERIFICATION
 	  module verification, kexec image verification and firmware blob
 	  verification.
@ -103,5 +98,5 @@ index 02da9f1fd9df..782d26f02885 100644
 	bool "Profiling support"
 	help
 -- 
-2.4.3
+2.5.5
--- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
+++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
@ -1,4 +1,4 @@
-From 2246a781c8dbb1207a0b0abbfae201f998c3954b Mon Sep 17 00:00:00 2001
+From ba2b209daf984514229626803472e0b055832345 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 26 Oct 2012 12:42:16 -0400
 Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
@ -18,18 +18,56 @@ signed with those from loading.
 Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 ---
- include/linux/efi.h   |  6 ++++
+ certs/system_keyring.c        | 13 ++++++
- init/Kconfig          |  9 +++++
+ include/keys/system_keyring.h |  1 +
- kernel/Makefile       |  3 ++
+ include/linux/efi.h           |  6 +++
- kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ init/Kconfig                  |  9 ++++
- 4 files changed, 110 insertions(+)
+ kernel/Makefile               |  3 ++
 kernel/modsign_uefi.c         | 99 +++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 131 insertions(+)
 create mode 100644 kernel/modsign_uefi.c
 diff --git a/certs/system_keyring.c b/certs/system_keyring.c
 index 787eeead2f57..4d9123ed5c07 100644
 --- a/certs/system_keyring.c
 +++ b/certs/system_keyring.c
@@ -30,6 +30,19 @@ extern __initconst const u8 system_certificate_list[];
 extern __initconst const unsigned long system_certificate_list_size;
 /**
 + * get_system_keyring - Return a pointer to the system keyring
 + *
 + */
 +struct key *get_system_keyring(void)
 +{
 +	struct key *system_keyring = NULL;
 +
 +	system_keyring = builtin_trusted_keys;
 +	return system_keyring;
 +}
 +EXPORT_SYMBOL_GPL(get_system_keyring);
 +
 +/**
  * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
  *
  * Restrict the addition of keys into a keyring based on the key-to-be-added
 diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
 index 5bc291a3d261..56ff5715ab67 100644
 --- a/include/keys/system_keyring.h
 +++ b/include/keys/system_keyring.h
@@ -36,6 +36,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
 #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 extern struct key *system_blacklist_keyring;
 #endif
 +extern struct key *get_system_keyring(void);
 #ifdef CONFIG_IMA_BLACKLIST_KEYRING
 extern struct key *ima_blacklist_keyring;
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 85ef051ac6fb..a042b2ece788 100644
+index ff1877145aa4..2483de19c719 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -600,6 +600,12 @@ typedef struct {
+@@ -658,6 +658,12 @@ typedef struct {
 	u64 table;
 } efi_config_table_64_t;
@ -43,10 +81,10 @@ index 85ef051ac6fb..a042b2ece788 100644
 	efi_guid_t guid;
 	u32 table;
 diff --git a/init/Kconfig b/init/Kconfig
-index 02da9f1fd9df..90c73a0564b1 100644
+index e5449d5aeff9..5408c96f6604 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1924,6 +1924,15 @@ config MODULE_SIG_ALL
+@@ -1979,6 +1979,15 @@ config MODULE_SIG_ALL
 comment "Do not forget to sign required modules with scripts/sign-file"
 	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
@ -63,10 +101,10 @@ index 02da9f1fd9df..90c73a0564b1 100644
 	prompt "Which hash algorithm should modules be signed with?"
 	depends on MODULE_SIG
 diff --git a/kernel/Makefile b/kernel/Makefile
-index d4988410b410..55e886239e7e 100644
+index e2ec54e2b952..8dab549985d8 100644
 --- a/kernel/Makefile
 +++ b/kernel/Makefile
-@@ -47,6 +47,7 @@ endif
+@@ -57,6 +57,7 @@ endif
 obj-$(CONFIG_UID16) += uid16.o
 obj-$(CONFIG_MODULES) += module.o
 obj-$(CONFIG_MODULE_SIG) += module_signing.o
@ -74,7 +112,7 @@ index d4988410b410..55e886239e7e 100644
 obj-$(CONFIG_KALLSYMS) += kallsyms.o
 obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
 obj-$(CONFIG_KEXEC_CORE) += kexec_core.o
-@@ -103,6 +104,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
+@@ -113,6 +114,8 @@ obj-$(CONFIG_MEMBARRIER) += membarrier.o
 obj-$(CONFIG_HAS_IOMEM) += memremap.o
@ -85,10 +123,10 @@ index d4988410b410..55e886239e7e 100644
 # config_data.h contains the same information as ikconfig.h but gzipped.
 diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
 new file mode 100644
-index 000000000000..94b0eb38a284
+index 000000000000..fe4a6f2bf10a
 --- /dev/null
 +++ b/kernel/modsign_uefi.c
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,99 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/cred.h>
@ -139,11 +177,18 @@ index 000000000000..94b0eb38a284
 +	void *db = NULL, *dbx = NULL, *mok = NULL;
 +	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
 +	int rc = 0;
 +	struct key *keyring = NULL;
 +
 +	/* Check if SB is enabled and just return if not */
 +	if (!efi_enabled(EFI_SECURE_BOOT))
 +		return 0;
 +
 +	keyring = get_system_keyring();
 +	if (!keyring) {
 +		pr_err("MODSIGN: Couldn't get system keyring\n");
 +		return -EINVAL;
 +	}
 +
 +	/* Get db, MokListRT, and dbx.  They might not exist, so it isn't
 +	 * an error if we can't get them.
 +	 */
@ -151,7 +196,7 @@ index 000000000000..94b0eb38a284
 +	if (!db) {
 +		pr_err("MODSIGN: Couldn't get UEFI db list\n");
 +	} else {
-+		rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+		rc = parse_efi_signature_list(db, dbsize, keyring);
 +		if (rc)
 +			pr_err("Couldn't parse db signatures: %d\n", rc);
 +		kfree(db);
@ -161,7 +206,7 @@ index 000000000000..94b0eb38a284
 +	if (!mok) {
 +		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
 +	} else {
-+		rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
+		rc = parse_efi_signature_list(mok, moksize, keyring);
 +		if (rc)
 +			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
 +		kfree(mok);
@ -182,5 +227,5 @@ index 000000000000..94b0eb38a284
 +}
 +late_initcall(load_uefi_certs);
 -- 
-2.4.3
+2.5.5
--- a/MODSIGN-Support-not-importing-certs-from-db.patch
+++ b/MODSIGN-Support-not-importing-certs-from-db.patch
@ -1,7 +1,7 @@
-From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001
+From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Thu, 3 Oct 2013 10:14:23 -0400
-Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
+Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db
 If a user tells shim to not use the certs/hashes in the UEFI db variable
 for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 1 file changed, 31 insertions(+), 9 deletions(-)
 diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
-index 94b0eb38a284..ae28b974d49a 100644
+index 03f601a0052c..321c79a3b282 100644
 --- a/kernel/modsign_uefi.c
 +++ b/kernel/modsign_uefi.c
@@ -8,6 +8,23 @@
@ -41,16 +41,18 @@ index 94b0eb38a284..ae28b974d49a 100644
 static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
 {
 	efi_status_t status;
-@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
+@@ -47,7 +64,7 @@ static int __init load_uefi_certs(void)
 	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
 	void *db = NULL, *dbx = NULL, *mok = NULL;
 	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
 -	int rc = 0;
 +	int ignore_db, rc = 0;
 	struct key *keyring = NULL;
 	/* Check if SB is enabled and just return if not */
- 	if (!efi_enabled(EFI_SECURE_BOOT))
+@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void)
- 		return 0;
+ 		return -EINVAL;
 	}
 +	/* See if the user has setup Ignore DB mode */
 +	ignore_db = check_ignore_db();
@ -62,7 +64,7 @@ index 94b0eb38a284..ae28b974d49a 100644
 -	if (!db) {
 -		pr_err("MODSIGN: Couldn't get UEFI db list\n");
 -	} else {
-		rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+-		rc = parse_efi_signature_list(db, dbsize, keyring);
 -		if (rc)
 -			pr_err("Couldn't parse db signatures: %d\n", rc);
 -		kfree(db);
@ -71,7 +73,7 @@ index 94b0eb38a284..ae28b974d49a 100644
 +		if (!db) {
 +			pr_err("MODSIGN: Couldn't get UEFI db list\n");
 +		} else {
-+			rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+			rc = parse_efi_signature_list(db, dbsize, keyring);
 +			if (rc)
 +				pr_err("Couldn't parse db signatures: %d\n", rc);
 +			kfree(db);
@ -80,5 +82,5 @@ index 94b0eb38a284..ae28b974d49a 100644
 	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
 -- 
-2.4.3
+2.5.5
--- a/1
+++ b/1
@ -116,6 +116,7 @@ CONFIG_ROCKCHIP_SARADC=m
 CONFIG_ROCKCHIP_IOMMU=y
 CONFIG_ROCKCHIP_THERMAL=m
 CONFIG_DRM_ROCKCHIP=m
 CONFIG_ROCKCHIP_ANALOGIX_DP=m
 CONFIG_ROCKCHIP_DW_HDMI=m
 CONFIG_ROCKCHIP_DW_MIPI_DSI=y
 CONFIG_ROCKCHIP_INNO_HDMI=m
--- a/2
+++ b/2
@ -159,6 +159,8 @@ CONFIG_PHY_HI6220_USB=m
 CONFIG_COMMON_RESET_HI6220=m
 CONFIG_HI6220_MBOX=m
 # CONFIG_RESET_HISI is not set
 CONFIG_DRM_HISI_KIRIN=m
 CONFIG_HISI_KIRIN_DW_DSI=m
 # Tegra
 CONFIG_ARCH_TEGRA_132_SOC=y
--- a/3
+++ b/3
@ -318,6 +318,8 @@ CONFIG_PHY_QCOM_IPQ806X_SATA=m
 CONFIG_DWMAC_IPQ806X=m
 CONFIG_CRYPTO_DEV_QCE=m
 CONFIG_DRM_MSM=m
 # CONFIG_DRM_MSM_REGISTER_LOGGING is not set 
 CONFIG_DRM_MSM_HDMI_HDCP=y
 CONFIG_USB_EHCI_MSM=m
 CONFIG_MFD_PM8XXX=m
 CONFIG_KEYBOARD_PMIC8XXX=m
@ -325,7 +327,6 @@ CONFIG_INPUT_PM8XXX_VIBRATOR=m
 CONFIG_INPUT_PMIC8XXX_PWRKEY=m
 CONFIG_INPUT_PM8941_PWRKEY=m
 CONFIG_RTC_DRV_PM8XXX=m
 # CONFIG_DRM_MSM_REGISTER_LOGGING is not set 
 CONFIG_QCOM_WDT=m
 CONFIG_MFD_SPMI_PMIC=m
 CONFIG_SPMI=m
--- a/1
+++ b/1
@ -206,6 +206,7 @@ CONFIG_MACH_SUN8I=y
 CONFIG_SUNXI_SRAM=y
 CONFIG_DMA_SUN4I=m
 CONFIG_DMA_SUN6I=m
 CONFIG_DRM_SUN4I=m
 CONFIG_SUNXI_WATCHDOG=m
 CONFIG_NET_VENDOR_ALLWINNER=y
 CONFIG_RTC_DRV_SUNXI=m
--- a/4
+++ b/4
@ -598,6 +598,7 @@ CONFIG_ATA_BMDMA=y
 CONFIG_ATA_VERBOSE_ERROR=y
 CONFIG_ATA_SFF=y
 CONFIG_ATA_PIIX=y
 # CONFIG_SATA_DWC is not set
 # CONFIG_SATA_HIGHBANK is not set
 CONFIG_ATA_ACPI=y
 CONFIG_BLK_DEV_SX8=m
@ -3346,6 +3347,8 @@ CONFIG_VGA_ARB_MAX_GPUS=16
 CONFIG_DRM=m
 CONFIG_DRM_ANALOGIX_ANX78XX=m
 # CONFIG_DRM_ARCPGU is not set
 CONFIG_DRM_DP_AUX_CHARDEV=y
 CONFIG_DRM_FBDEV_EMULATION=y
 CONFIG_DRM_LOAD_EDID_FIRMWARE=y
@ -3359,6 +3362,7 @@ CONFIG_DRM_AMDGPU=m
 CONFIG_DRM_AMD_ACP=y
 # CONFIG_DRM_AMDGPU_CIK is not set
 CONFIG_DRM_AMDGPU_USERPTR=y
 # CONFIG_DRM_AMDGPU_GART_DEBUGFS is not set
 CONFIG_DRM_AMD_POWERPLAY=y
 # CONFIG_DRM_I810 is not set
 # CONFIG_DRM_MGA is not set
--- a/2
+++ b/2
@ -56,7 +56,7 @@ CONFIG_PPC_64K_PAGES=y
 CONFIG_PPC_SUBPAGE_PROT=y
 CONFIG_SCHED_SMT=y
 CONFIG_MEMORY_HOTPLUG=y
-# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
 CONFIG_MEMORY_HOTREMOVE=y
 CONFIG_PPC64_SUPPORTS_MEMORY_FAILURE=y
--- a/2
+++ b/2
@ -183,7 +183,7 @@ CONFIG_VIRTIO_CONSOLE=y
 CONFIG_MEMORY_HOTPLUG=y
 CONFIG_MEMORY_HOTREMOVE=y
-# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
 CONFIG_CHSC_SCH=m
 # drivers/isdn/hardware/mISDN/hfcmulti.c:5255:2: error: #error "not running on big endian machines now"
--- a/1
+++ b/1
@ -361,7 +361,6 @@ CONFIG_DMI_SYSFS=y
 CONFIG_ISCSI_IBFT_FIND=y
 CONFIG_ISCSI_IBFT=m
 CONFIG_DMADEVICES=y
 CONFIG_INTEL_IOATDMA=m
 CONFIG_INTEL_IDMA64=m
--- a/6
+++ b/6
@ -117,7 +117,7 @@ CONFIG_SPARSEMEM_EXTREME=y
 CONFIG_SPARSEMEM_VMEMMAP=y
 # CONFIG_MOVABLE_NODE is not set
 CONFIG_MEMORY_HOTPLUG=y
-# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
 # CONFIG_ARCH_MEMORY_PROBE is not set
 CONFIG_MEMORY_HOTREMOVE=y
 # CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set 
@ -223,8 +223,12 @@ CONFIG_CMA_AREAS=7
 CONFIG_ZONE_DMA=y
 CONFIG_ZONE_DEVICE=y
 CONFIG_NVDIMM_PFN=y
 CONFIG_NVDIMM_DAX=y
 CONFIG_ND_PFN=m
 CONFIG_DEV_DAX=m
 CONFIG_DEV_DAX_PMEM=m
 # Staging
 CONFIG_STAGING_RDMA=y
 CONFIG_INFINIBAND_HFI1=m
--- a/drm-i915-hush-check-crtc-state.patch
+++ b/drm-i915-hush-check-crtc-state.patch
@ -1,4 +1,4 @@
-From 02f47b49ab1cdbe62ceb71b658e2c469799ae368 Mon Sep 17 00:00:00 2001
+From 5550f20b5f9becb485fb3a67bf0193025d40bc6f Mon Sep 17 00:00:00 2001
 From: Adam Jackson <ajax@redhat.com>
 Date: Wed, 13 Nov 2013 10:17:24 -0500
 Subject: [PATCH] drm/i915: hush check crtc state
@ -15,18 +15,18 @@ Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/0
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index ca9278be49f7..308ac0539a87 100644
+index 46f9be3ad5a2..ad2e62e4cdba 100644
 --- a/drivers/gpu/drm/i915/intel_display.c
 +++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -12688,7 +12688,7 @@ check_crtc_state(struct drm_device *dev, struct drm_atomic_state *old_state)
+@@ -12970,7 +12970,7 @@ verify_crtc_state(struct drm_crtc *crtc,
- 		sw_config = to_intel_crtc_state(crtc->state);
+ 	sw_config = to_intel_crtc_state(crtc->state);
- 		if (!intel_pipe_config_compare(dev, sw_config,
+ 	if (!intel_pipe_config_compare(dev, sw_config,
- 					       pipe_config, false)) {
+ 				       pipe_config, false)) {
-			I915_STATE_WARN(1, "pipe state doesn't match!\n");
+-		I915_STATE_WARN(1, "pipe state doesn't match!\n");
-+			DRM_DEBUG_KMS("pipe state doesn't match!\n");
+		DRM_DEBUG_KMS("pipe state doesn't match!\n");
- 			intel_dump_pipe_config(intel_crtc, pipe_config,
+ 		intel_dump_pipe_config(intel_crtc, pipe_config,
- 					       "[hw state]");
+ 				       "[hw state]");
- 			intel_dump_pipe_config(intel_crtc, sw_config,
+ 		intel_dump_pipe_config(intel_crtc, sw_config,
 -- 
-2.4.3
+2.5.5
--- a/efi-Add-EFI_SECURE_BOOT-bit.patch
+++ b/efi-Add-EFI_SECURE_BOOT-bit.patch
@ -1,7 +1,7 @@
-From c01ff700ea4192ae04b306fef725d62189550236 Mon Sep 17 00:00:00 2001
+From 04e65e01058ed6357b932e64b19e4bf762f04970 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 2/9] efi: Add EFI_SECURE_BOOT bit
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 for use with efi_enabled.
@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 2 files changed, 3 insertions(+)
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index f3b804f..a401ff8 100644
+index bdb9881c7afd..a666b6c29c77 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1145,7 +1145,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p)
 #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
 	if (boot_params.secure_boot) {
@ -27,10 +27,10 @@ index f3b804f..a401ff8 100644
 #endif
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 569b5a8..4dc970e 100644
+index c2db3ca22217..8cb38cfcba74 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -980,6 +980,7 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *);
 #define EFI_ARCH_1		7	/* First arch-specific bit */
 #define EFI_DBG			8	/* Print additional debug info at runtime */
 #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
@ -39,5 +39,5 @@ index 569b5a8..4dc970e 100644
 #ifdef CONFIG_EFI
 /*
 -- 
-2.5.0
+2.5.5
--- a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
+++ b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
@ -1,7 +1,7 @@
-From 9ef94251448aa463c5937ee8e8e27d6fd9529509 Mon Sep 17 00:00:00 2001
+From 0a5c52b9eb4918fb2bee43bacc3521b574334cff Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH 11/20] efi: Disable secure boot if shim is in insecure mode
+Subject: [PATCH 1/9] efi: Disable secure boot if shim is in insecure mode
 A user can manually tell the shim boot loader to disable validation of
 images it loads.  When a user does this, it creates a UEFI variable called
@ -15,10 +15,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 1 file changed, 19 insertions(+), 1 deletion(-)
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index b4de3faa3f29..5cc2ef570390 100644
+index 6b8b9a775b46..b3a5364d31c6 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
-@@ -830,8 +830,9 @@ out:
+@@ -574,8 +574,9 @@ free_handle:
 static int get_secure_boot(void)
 {
@ -29,7 +29,7 @@ index b4de3faa3f29..5cc2ef570390 100644
 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
 	efi_status_t status;
-@@ -855,6 +856,23 @@ static int get_secure_boot(void)
+@@ -599,6 +600,23 @@ static int get_secure_boot(void)
 	if (setup == 1)
 		return 0;
@ -54,5 +54,5 @@ index b4de3faa3f29..5cc2ef570390 100644
 }
 -- 
-2.4.3
+2.5.5
--- a/2
+++ b/2
@ -1 +1 @@
-7639dad93a5564579987abded4ec05e3db13659d
+84787c572d402644dca4874aba73324d9f8e3948
--- a/hibernate-Disable-in-a-signed-modules-environment.patch
+++ b/hibernate-Disable-in-a-signed-modules-environment.patch
@ -1,7 +1,7 @@
-From 51abecb00c48941cc3db19701cc73e65082924bb Mon Sep 17 00:00:00 2001
+From e07815cf02eadb245fa60359133b122f9ffe9045 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment
+Subject: [PATCH 3/9] hibernate: Disable in a signed modules environment
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index 690f78f210f2..037303a1cba9 100644
+index fca9254280ee..ffd8644078b2 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
@@ -29,6 +29,7 @@
@ -35,5 +35,5 @@ index 690f78f210f2..037303a1cba9 100644
 /**
 -- 
-2.4.3
+2.5.5
--- a/kernel.spec
+++ b/kernel.spec
@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 6
+%define gitrev 7
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@ -553,8 +553,6 @@ Patch482: Add-option-to-automatically-enforce-module-signature.patch
 Patch483: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
 Patch484: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
 Patch485: efi-Add-EFI_SECURE_BOOT-bit.patch
 Patch486: hibernate-Disable-in-a-signed-modules-environment.patch
@ -566,7 +564,7 @@ Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch
 # This doesn't apply. It seems like it could be replaced by
 # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c
 # which has an explicit line about blacklisting
-# Patch489: KEYS-Add-a-system-blacklist-keyring.patch
+Patch489: KEYS-Add-a-system-blacklist-keyring.patch
 Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
@ -2135,6 +2133,11 @@ fi
 #
 # 
 %changelog
 * Tue May 24 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.7.0-0.rc0.git7.1
 - Linux v4.6-10203-g84787c572d40
 - Enable CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE (rhbz 1339281)
 - Fixup SB patchset to work with upstream changes
 * Mon May 23 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git6.1
 - Linux v4.6-8907-g7639dad
 - trace, f2fs, btrfs, rtc, mailbox, akpm, staging, driver core, char, usb,
--- a/2
+++ b/2
@ -1,3 +1,3 @@
 d2927020e24a76da4ab482a8bc3e9ef3  linux-4.6.tar.xz
 fd23b14b9d474c3dfacb6e8ee82d3a51  perf-man-4.6.tar.gz
-4c4f2eb647eef6e04a1dbb843e4fd72d  patch-4.6-git6.xz
+3dd9be4fbde8316efd366f735a30d1f1  patch-4.6-git7.xz
`@ -1 +1 @@`
	`7639dad93a5564579987abded4ec05e3db13659d`	`84787c572d402644dca4874aba73324d9f8e3948`