Upstream has made a keyring for the platform keys. The "KEYS: Allow
unrestricted boot-time addition of keys to secondary keyring" is
available upstream for the platform keyring.

The only issue is that module signatures aren't checked with the
platform keyring, so this introduces a patch to add that which has been
sent upstream. At least our carried-patch count hasn't gone up.

Use the latest version of the kernel lockdown patch set. This includes a
few configuration renames:
CONFIG_KEXEC_VERIFY_SIG became CONFIG_KEXEC_SIG and
CONFIG_KEXEC_SIG_FORCE was added. CONFIG_KEXEC_SIG_FORCE=n because the
"kexec_file: Restrict at runtime if the kernel is locked down" patch
enforces the signature requirement when the kernel is locked down.
CONFIG_LOCK_DOWN_MANDATORY got renamed to CONFIG_LOCK_DOWN_KERNEL_FORCE
and remains false as LOCK_DOWN_IN_EFI_SECURE_BOOT covers enabling it for
EFI Secure Boot users.
Finally, the SysRq patches got dropped for the present.

OSTree is a far, far more sophisticated wrapper around the `link()`
system call than the `hardlink` package - it supports using
as a mechanism for transactional offline updates, fetching over
HTTP with GPG signatures and deltas, etc. rpm-ostree uses it
for everything.
Having the `kernel-devel` package run `hardlink` just adds
latency to `rpm-ostree compose tree` unnecessarily.

There are 23 Kconfig symbols referenced in the files used for
configuration generation and in the shipped .config files that were
dropped in upstream v5.1-rc1. The references to these symbols can be
safely removed.

These symbols are:
CONFIG_AD7152
CONFIG_DEFAULT_SECURITY_DAC
CONFIG_DEFAULT_SECURITY_SELINUX
CONFIG_EARLY_PRINTK_EFI
CONFIG_EXOFS_FS
CONFIG_EXT4_ENCRYPTION
CONFIG_F2FS_FS_ENCRYPTION
CONFIG_FB_XGI
CONFIG_MTD_MT81xx_NOR
CONFIG_NFT_CHAIN_NAT_IPV4
CONFIG_NFT_CHAIN_NAT_IPV6
CONFIG_NFT_MASQ_IPV4
CONFIG_NFT_MASQ_IPV6
CONFIG_NFT_REDIR_IPV4
CONFIG_NFT_REDIR_IPV6
CONFIG_SCSI_OSD_DEBUG
CONFIG_SCSI_OSD_DPRINT_SENSE
CONFIG_SCSI_OSD_INITIATOR
CONFIG_SCSI_OSD_ULD
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
CONFIG_SND_AUDIO_GRAPH_SCU_CARD
CONFIG_SND_SIMPLE_SCU_CARD
CONFIG_UBIFS_FS_ENCRYPTION
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
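One way to find such stale references in a tree, as an added example that is not part of this commit or of the Fedora kernel package: a small Python script that diffs the symbols a .config references (set or explicitly "is not set") against the symbols defined by `config`/`menuconfig` entries in Kconfig files. The .config and Kconfig fragments below are constructed for the demonstration and are not copies of real kernel files.

```python
import re

# Constructed sample inputs (not real kernel files): a .config fragment and a
# Kconfig fragment. Three of the referenced symbols have no definition.
SAMPLE_CONFIG = """\
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
CONFIG_EXT4_ENCRYPTION=y
# CONFIG_NFT_MASQ_IPV4 is not set
CONFIG_SCSI_OSD_ULD=m
"""

SAMPLE_KCONFIG = """\
config KEXEC_SIG
	bool "kexec signature verification (constructed prompt)"

config KEXEC_SIG_FORCE
	bool "require kexec signatures (constructed prompt)"

menuconfig LOCK_DOWN_KERNEL_FORCE
	bool "force kernel lockdown (constructed prompt)"
"""

# A .config line is either "CONFIG_FOO=value" or "# CONFIG_FOO is not set".
CONFIG_LINE = re.compile(r"^(?:CONFIG_(\w+)=|# CONFIG_(\w+) is not set)")
# Kconfig defines a symbol with "config FOO" or "menuconfig FOO" at line start.
KCONFIG_DEF = re.compile(r"^(?:menu)?config\s+(\w+)\s*$", re.MULTILINE)

def referenced_symbols(config_text):
    """Symbols a .config refers to, whether set or explicitly unset."""
    found = set()
    for line in config_text.splitlines():
        m = CONFIG_LINE.match(line)
        if m:
            found.add(m.group(1) or m.group(2))
    return found

def defined_symbols(kconfig_text):
    """Symbols defined by config/menuconfig entries in Kconfig text."""
    return set(KCONFIG_DEF.findall(kconfig_text))

def stale_symbols(config_text, kconfig_text):
    """Referenced symbols with no definition: candidates for removal."""
    return sorted(referenced_symbols(config_text) - defined_symbols(kconfig_text))

if __name__ == "__main__":
    for sym in stale_symbols(SAMPLE_CONFIG, SAMPLE_KCONFIG):
        print("CONFIG_" + sym)
```

On a real tree, feed it the concatenated contents of every Kconfig file (e.g. from `find . -name 'Kconfig*'`) and each shipped .config in turn.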