Upstream has made a keyring to the platform keys. The "KEYS: Allow
unrestricted boot-time addition of keys to secondary keyring" is
available upstream for the platform keyring.

The only issue is that module signatures aren't checked with the
platform keyring, so this introduces a patch to add that which has been
sent upstream. At least our carried-patch count hasn't gone up.

Use the latest version of the kernel lockdown patch set. This includes a
few configuration renames:
CONFIG_KEXEC_VERIFY_SIG became CONFIG_KEXEC_SIG and
CONFIG_KEXEC_SIG_FORCE was added. CONFIG_KEXEC_SIG_FORCE=n because the
"kexec_file: Restrict at runtime if the kernel is locked down" patch
enforces the signature requirement when the kernel is locked down.
CONFIG_LOCK_DOWN_MANDATORY got renamed to CONFIG_LOCK_DOWN_KERNEL_FORCE
and remains false as LOCK_DOWN_IN_EFI_SECURE_BOOT covers enabling it for
EFI Secure Boot users.

Finally, the SysRq patches got dropped for the present.

There are 23 Kconfig symbols referenced in the files used for
configuration generation and in the shipped .config files that were
dropped in upstream v5.1-rc1. The references to these symbols can be
safely removed.

These symbols are:
CONFIG_AD7152
CONFIG_DEFAULT_SECURITY_DAC
CONFIG_DEFAULT_SECURITY_SELINUX
CONFIG_EARLY_PRINTK_EFI
CONFIG_EXOFS_FS
CONFIG_EXT4_ENCRYPTION
CONFIG_F2FS_FS_ENCRYPTION
CONFIG_FB_XGI
CONFIG_MTD_MT81xx_NOR
CONFIG_NFT_CHAIN_NAT_IPV4
CONFIG_NFT_CHAIN_NAT_IPV6
CONFIG_NFT_MASQ_IPV4
CONFIG_NFT_MASQ_IPV6
CONFIG_NFT_REDIR_IPV4
CONFIG_NFT_REDIR_IPV6
CONFIG_SCSI_OSD_DEBUG
CONFIG_SCSI_OSD_DPRINT_SENSE
CONFIG_SCSI_OSD_INITIATOR
CONFIG_SCSI_OSD_ULD
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
CONFIG_SND_AUDIO_GRAPH_SCU_CARD
CONFIG_SND_SIMPLE_SCU_CARD
CONFIG_UBIFS_FS_ENCRYPTION

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
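As an added example (not code from the Fedora kernel packaging or the upstream lockdown patch set), a Python script that applies the symbol changes this commit describes to a .config fragment: the two lockdown renames, removal of the 23 symbols dropped in v5.1-rc1, and a check that neither FORCE symbol ends up enabled. The fragment it runs on is constructed.

```python
# Added example (not Fedora packaging or upstream code): migrate a .config fragment
import re
RENAMES = {  # introduced by the refreshed lockdown patch set
    "CONFIG_KEXEC_VERIFY_SIG": "CONFIG_KEXEC_SIG",
    "CONFIG_LOCK_DOWN_MANDATORY": "CONFIG_LOCK_DOWN_KERNEL_FORCE",
}
DROPPED = {  # the 23 symbols dropped in upstream v5.1-rc1, as listed in the commit
    "CONFIG_AD7152", "CONFIG_DEFAULT_SECURITY_DAC", "CONFIG_DEFAULT_SECURITY_SELINUX",
    "CONFIG_EARLY_PRINTK_EFI", "CONFIG_EXOFS_FS", "CONFIG_EXT4_ENCRYPTION", "CONFIG_FB_XGI",
    "CONFIG_F2FS_FS_ENCRYPTION", "CONFIG_MTD_MT81xx_NOR", "CONFIG_NFT_CHAIN_NAT_IPV4",
    "CONFIG_NFT_CHAIN_NAT_IPV6", "CONFIG_NFT_MASQ_IPV4", "CONFIG_NFT_MASQ_IPV6",
    "CONFIG_NFT_REDIR_IPV4", "CONFIG_NFT_REDIR_IPV6", "CONFIG_SCSI_OSD_DEBUG",
    "CONFIG_SCSI_OSD_DPRINT_SENSE", "CONFIG_SCSI_OSD_INITIATOR", "CONFIG_SCSI_OSD_ULD",
    "CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE", "CONFIG_SND_AUDIO_GRAPH_SCU_CARD",
    "CONFIG_SND_SIMPLE_SCU_CARD", "CONFIG_UBIFS_FS_ENCRYPTION",
}
# Matches "CONFIG_FOO=value" as well as the "# CONFIG_FOO is not set" form.
LINE_RE = re.compile(r"^(?:(CONFIG_\w+)=(\S+)|# (CONFIG_\w+) is not set)$")

def parse_line(line):
    """Return (symbol, value) for a .config line ("is not set" -> "n"), else None."""
    m = LINE_RE.match(line.strip())
    return None if not m else (m.group(1), m.group(2)) if m.group(1) else (m.group(3), "n")

def migrate_config(text):
    """Drop dead symbols and apply renames; return (new_text, dropped, renamed)."""
    out, dropped, renamed = [], [], []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] in DROPPED:
            dropped.append(parsed[0])
            continue
        if parsed and parsed[0] in RENAMES:
            renamed.append(parsed[0])
            line = line.replace(parsed[0], RENAMES[parsed[0]], 1)
        out.append(line)
    return "\n".join(out) + "\n", dropped, renamed

def lockdown_policy_ok(text):
    """True when neither FORCE symbol is enabled: lockdown itself gates them."""
    values = dict(filter(None, map(parse_line, text.splitlines())))
    return (values.get("CONFIG_KEXEC_SIG_FORCE", "n") == "n"
            and values.get("CONFIG_LOCK_DOWN_KERNEL_FORCE", "n") == "n")
# Constructed .config fragment, not taken from any real Fedora config.
SAMPLE = """CONFIG_KEXEC_VERIFY_SIG=y
# CONFIG_LOCK_DOWN_MANDATORY is not set
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_EXOFS_FS is not set
"""
```

Running `migrate_config(SAMPLE)` reports both dropped and both renamed symbols, and the resulting fragment passes `lockdown_policy_ok`.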