[linux] 03/03: [arm64, x86] Replace securelevel patch set with lockdown patch set

debian-kernel at lists.debian.org
Thu Apr 20 01:43:48 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch master
in repository linux.

commit 0e0b29ad5ab36d7268f8a50fb5a5c90cea4186c9
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Apr 20 02:38:29 2017 +0100

    [arm64,x86] Replace securelevel patch set with lockdown patch set
    
    Matthew stopped maintaining the securelevel patch set, and David
    Howells has taken it up under the new name 'lockdown'.  This is
    taken from:
    
    https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git#efi-lock-down
    
    commits ddb99e118e37f324a4be65a411bb60ae62795cf9..0240fa7c7c948b19d57c0163d57e55296277ff3c
    
    Rebase the three patches not included there (cold boot mitigation,
    arm64 SB integration, MTD RAM restrictions).
    
    Update our kconfig for the renaming.
---
 debian/changelog                                   |   1 +
 debian/config/arm64/config                         |   2 +-
 debian/config/config                               |   2 +-
 debian/config/kernelarch-x86/config                |   2 +-
 ...dule-params-that-specify-hardware-paramet.patch | 117 ++++
 ...rdware-config-module-parameters-in-arch-x.patch |  51 ++
 ...rdware-config-module-parameters-in-driver.patch |  85 +++
 ...rdware-config-module-parameters-in-driver.patch |  51 ++
 ...rdware-config-module-parameters-in-driver.patch |  49 ++
 ...rdware-config-module-parameters-in-driver.patch |  48 ++
 ...rdware-config-module-parameters-in-driver.patch |  48 ++
 ...rdware-config-module-parameters-in-driver.patch | 124 ++++
 ...rdware-config-module-parameters-in-driver.patch | 157 +++++
 ...rdware-config-module-parameters-in-driver.patch |  61 ++
 ...rdware-config-module-parameters-in-driver.patch |  79 +++
 ...rdware-config-module-parameters-in-driver.patch |  88 +++
 ...rdware-config-module-parameters-in-driver.patch |  83 +++
 ...rdware-config-module-parameters-in-driver.patch |  45 ++
 ...rdware-config-module-parameters-in-driver.patch |  55 ++
 ...rdware-config-module-parameters-in-driver.patch |  47 ++
 ...rdware-config-module-parameters-in-driver.patch |  81 +++
 ...rdware-config-module-parameters-in-driver.patch |  87 +++
 ...rdware-config-module-parameters-in-driver.patch | 234 +++++++
 ...rdware-config-module-parameters-in-driver.patch | 111 ++++
 ...rdware-config-module-parameters-in-driver.patch | 125 ++++
 ...rdware-config-module-parameters-in-driver.patch | 112 ++++
 ...rdware-config-module-parameters-in-driver.patch |  50 ++
 ...rdware-config-module-parameters-in-driver.patch |  55 ++
 ...rdware-config-module-parameters-in-driver.patch |  48 ++
 ...rdware-config-module-parameters-in-driver.patch |  75 +++
 ...rdware-config-module-parameters-in-driver.patch | 131 ++++
 ...rdware-config-module-parameters-in-driver.patch |  53 ++
 ...rdware-config-module-parameters-in-driver.patch |  76 +++
 ...rdware-config-module-parameters-in-driver.patch |  61 ++
 ...rdware-config-module-parameters-in-driver.patch | 144 ++++
 ...rdware-config-module-parameters-in-driver.patch |  80 +++
 ...rdware-config-module-parameters-in-driver.patch | 111 ++++
 ...rdware-config-module-parameters-in-fs-pst.patch |  48 ++
 ...rdware-config-module-parameters-in-sound-.patch |  84 +++
 ...rdware-config-module-parameters-in-sound-.patch | 731 +++++++++++++++++++++
 ...rdware-config-module-parameters-in-sound-.patch | 320 +++++++++
 ...rdware-config-module-parameters-in-sound-.patch | 154 +++++
 .../0039-efi-Add-EFI_SECURE_BOOT-bit.patch         |  43 ++
 ...lity-to-lock-down-access-to-the-running-k.patch | 146 ++++
 ...wn-the-kernel-if-booted-in-secure-boot-mo.patch |  66 ++
 ...ule-signatures-if-the-kernel-is-locked-do.patch |  26 +
 ...v-mem-and-dev-kmem-when-the-kernel-is-loc.patch |  40 ++
 ...d-a-sysrq-option-to-exit-secure-boot-mode.patch | 249 +++++++
 ...le-at-runtime-if-the-kernel-is-locked-dow.patch |  36 +
 ...boot-flag-in-boot-params-across-kexec-re.patch} |  20 +-
 ...Disable-at-runtime-if-securelevel-has-bee.patch |  35 +
 ...te-Disable-when-the-kernel-is-locked-down.patch |  29 +
 ...sp-Disable-when-the-kernel-is-locked-down.patch |  29 +
 ...wn-BAR-access-when-the-kernel-is-locked-d.patch |  99 +++
 ...wn-IO-port-access-when-the-kernel-is-lock.patch |  55 ++
 ...t-MSR-access-when-the-kernel-is-locked-do.patch |  41 ++
 ...strict-debugfs-interface-when-the-kernel-.patch |  52 ++
 ...access-to-custom_method-when-the-kernel-i.patch |  30 +
 ...-acpi_rsdp-kernel-param-when-the-kernel-h.patch |  29 +
 ...e-ACPI-table-override-if-the-kernel-is-lo.patch |  38 ++
 ...-APEI-error-injection-if-the-kernel-is-l.patch} |  32 +-
 ...t-kernel-image-access-functions-when-the-.patch |  54 ++
 .../0059-scsi-Lock-down-the-eata-driver.patch      |  44 ++
 ...MCIA-CIS-storage-when-the-kernel-is-locke.patch |  30 +
 .../all/lockdown/0061-Lock-down-TIOCSSERIAL.patch  |  33 +
 ...odule-params-that-specify-hardware-parame.patch |  81 +++
 ...d-kernel-config-option-to-lock-down-when.patch} |  49 +-
 .../enable-cold-boot-attack-mitigation.patch       |  16 +-
 ...disable-slram-and-phram-when-locked-down.patch} |  28 +-
 ...e-acpi-table-override-if-securelevel-is-s.patch |  75 ---
 ...-acpi_rsdp-kernel-parameter-when-securele.patch |  34 -
 ...access-to-custom_method-if-securelevel-is.patch |  36 -
 .../add-bsd-style-securelevel-support.patch        | 208 ------
 ...to-automatically-set-securelevel-when-in-.patch |  85 ---
 ...strict-debugfs-interface-when-securelevel.patch |  57 --
 ...ule-signatures-when-securelevel-is-greate.patch |  24 -
 ...hibernate-disable-when-securelevel-is-set.patch |  36 -
 ...le-at-runtime-if-securelevel-has-been-set.patch |  36 -
 ...wn-bar-access-when-securelevel-is-enabled.patch | 109 ---
 ...v-mem-and-dev-kmem-when-securelevel-is-se.patch |  37 --
 .../uswsusp-disable-when-securelevel-is-set.patch  |  34 -
 ...wn-io-port-access-when-securelevel-is-ena.patch |  74 ---
 ...strict-msr-access-when-securelevel-is-set.patch |  46 --
 debian/patches/series                              |  88 ++-
 84 files changed, 5571 insertions(+), 1004 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index a2cf9e6..4743db4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ linux (4.11~rc7-1~exp1) UNRELEASED; urgency=medium
 
   [ Ben Hutchings ]
   * aufs: Update support patchset to aufs4.x-rcN-20170410
+  * [arm64,x86] Replace securelevel patch set with lockdown patch set
 
  -- Lukas Wunner <lukas at wunner.de>  Sun, 16 Apr 2017 16:09:27 +0200
 
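Review bot: the changelog line reads as a plain rename, but the file list shows the lockdown set is not a one-for-one replacement for securelevel: it adds restrictions the old set never had (hardware-config module parameters rejected under lockdown in the 0001-0038 and "Annotate module params that specify hardware parame..." patches, TIOCSSERIAL in 0061, the eata driver in 0059, PCMCIA CIS storage, the kernel image access functions, and a sysrq option to exit secure boot mode). A Secure Boot user who passes e.g. ipmi_si ports=/irqs= on the command line will now have those values silently replaced by the defaults, so please spell out the user-visible behaviour changes in the changelog entry rather than only the patch-set swap.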
diff --git a/debian/config/arm64/config b/debian/config/arm64/config
index 2be794a..4b6592e 100644
--- a/debian/config/arm64/config
+++ b/debian/config/arm64/config
@@ -15,7 +15,7 @@ CONFIG_XEN=y
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MODULE_REGION_FULL=y
 CONFIG_ARM64_ACPI_PARKING_PROTOCOL=y
-CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y
+CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
 CONFIG_COMPAT=y
 
 ##
diff --git a/debian/config/config b/debian/config/config
index 222ae25..b631c6f 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -6799,11 +6799,11 @@ CONFIG_SECURITY=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 # CONFIG_SECURITY_PATH is not set
-CONFIG_SECURITY_SECURELEVEL=y
 # CONFIG_INTEL_TXT is not set
 CONFIG_LSM_MMAP_MIN_ADDR=32768
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
+CONFIG_LOCK_DOWN_KERNEL=y
 ## choice: Default security module
 CONFIG_DEFAULT_SECURITY_DAC=y
 ## end choice
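Review bot: CONFIG_LOCK_DOWN_KERNEL=y is set here in the architecture-independent config while the commit is scoped to [arm64,x86] and only the arm64 and kernelarch-x86 hunks flip CONFIG_EFI_SECURE_BOOT_LOCK_DOWN; if the intent is that other architectures build the lockdown machinery without ever engaging it, say so in the commit message, otherwise consider moving the symbol next to the per-arch switch. Also the new option lands below CONFIG_HARDENED_USERCOPY_PAGESPAN rather than where CONFIG_SECURITY_SECURELEVEL=y was removed; fine if that follows Kconfig menu order, but worth a note so the next sync does not reorder it.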
diff --git a/debian/config/kernelarch-x86/config b/debian/config/kernelarch-x86/config
index dd45ec8..e7ba0de 100644
--- a/debian/config/kernelarch-x86/config
+++ b/debian/config/kernelarch-x86/config
@@ -55,7 +55,7 @@ CONFIG_X86_SMAP=y
 CONFIG_X86_INTEL_MPX=y
 CONFIG_EFI=y
 CONFIG_EFI_STUB=y
-CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y
+CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
 CONFIG_SECCOMP=y
 CONFIG_KEXEC=y
 CONFIG_CRASH_DUMP=y
diff --git a/debian/patches/features/all/lockdown/0001-Annotate-module-params-that-specify-hardware-paramet.patch b/debian/patches/features/all/lockdown/0001-Annotate-module-params-that-specify-hardware-paramet.patch
new file mode 100644
index 0000000..3f2d4dd
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0001-Annotate-module-params-that-specify-hardware-paramet.patch
@@ -0,0 +1,117 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:21 +0100
+Subject: [01/62] Annotate module params that specify hardware parameters (eg.
+ ioport)
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=bf616d21f41174389c6d720ae21bf40f154474c8
+
+Provided an annotation for module parameters that specify hardware
+parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
+dma buffers and other types).
+
+This will enable such parameters to be locked down in the core parameter
+parser for secure boot support.
+
+I've also included annotations as to what sort of hardware configuration
+each module is dealing with for future use.  Some of these are
+straightforward (ioport, iomem, irq, dma), but there are also:
+
+ (1) drivers that switch the semantics of a parameter between ioport and
+     iomem depending on a second parameter,
+
+ (2) drivers that appear to reserve a CPU memory buffer at a fixed address,
+
+ (3) other parameters, such as bus types and irq selection bitmasks.
+
+For the moment, the hardware configuration type isn't actually stored,
+though its validity is checked.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ include/linux/moduleparam.h | 65 ++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 64 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
+index 52666d90ca94..6be1949ebcdf 100644
+--- a/include/linux/moduleparam.h
++++ b/include/linux/moduleparam.h
+@@ -60,9 +60,11 @@ struct kernel_param_ops {
+  * Flags available for kernel_param
+  *
+  * UNSAFE - the parameter is dangerous and setting it will taint the kernel
++ * HWPARAM - Hardware param not permitted in lockdown mode
+  */
+ enum {
+-	KERNEL_PARAM_FL_UNSAFE = (1 << 0)
++	KERNEL_PARAM_FL_UNSAFE	= (1 << 0),
++	KERNEL_PARAM_FL_HWPARAM	= (1 << 1),
+ };
+ 
+ struct kernel_param {
+@@ -451,6 +453,67 @@ extern int param_set_bint(const char *val, const struct kernel_param *kp);
+ 			    perm, -1, 0);				\
+ 	__MODULE_PARM_TYPE(name, "array of " #type)
+ 
++enum hwparam_type {
++	hwparam_ioport,		/* Module parameter configures an I/O port */
++	hwparam_iomem,		/* Module parameter configures an I/O mem address */
++	hwparam_ioport_or_iomem, /* Module parameter could be either, depending on other option */
++	hwparam_irq,		/* Module parameter configures an I/O port */
++	hwparam_dma,		/* Module parameter configures a DMA channel */
++	hwparam_dma_addr,	/* Module parameter configures a DMA buffer address */
++	hwparam_other,		/* Module parameter configures some other value */
++};
++
++/**
++ * module_param_hw_named - A parameter representing a hw parameters
++ * @name: a valid C identifier which is the parameter name.
++ * @value: the actual lvalue to alter.
++ * @type: the type of the parameter
++ * @hwtype: what the value represents (enum hwparam_type)
++ * @perm: visibility in sysfs.
++ *
++ * Usually it's a good idea to have variable names and user-exposed names the
++ * same, but that's harder if the variable must be non-static or is inside a
++ * structure.  This allows exposure under a different name.
++ */
++#define module_param_hw_named(name, value, type, hwtype, perm)		\
++	param_check_##type(name, &(value));				\
++	__module_param_call(MODULE_PARAM_PREFIX, name,			\
++			    &param_ops_##type, &value,			\
++			    perm, -1,					\
++			    KERNEL_PARAM_FL_HWPARAM | (hwparam_##hwtype & 0));	\
++	__MODULE_PARM_TYPE(name, #type)
++
++#define module_param_hw(name, type, hwtype, perm)		\
++	module_param_hw_named(name, name, type, hwtype, perm)
++
++/**
++ * module_param_hw_array - A parameter representing an array of hw parameters
++ * @name: the name of the array variable
++ * @type: the type, as per module_param()
++ * @hwtype: what the value represents (enum hwparam_type)
++ * @nump: optional pointer filled in with the number written
++ * @perm: visibility in sysfs
++ *
++ * Input and output are as comma-separated values.  Commas inside values
++ * don't work properly (eg. an array of charp).
++ *
++ * ARRAY_SIZE(@name) is used to determine the number of elements in the
++ * array, so the definition must be visible.
++ */
++#define module_param_hw_array(name, type, hwtype, nump, perm)		\
++	param_check_##type(name, &(name)[0]);				\
++	static const struct kparam_array __param_arr_##name		\
++	= { .max = ARRAY_SIZE(name), .num = nump,			\
++	    .ops = &param_ops_##type,					\
++	    .elemsize = sizeof(name[0]), .elem = name };		\
++	__module_param_call(MODULE_PARAM_PREFIX, name,			\
++			    &param_array_ops,				\
++			    .arr = &__param_arr_##name,			\
++			    perm, -1,					\
++			    KERNEL_PARAM_FL_HWPARAM | (hwparam_##hwtype & 0));	\
++	__MODULE_PARM_TYPE(name, "array of " #type)
++
++
+ extern const struct kernel_param_ops param_array_ops;
+ 
+ extern const struct kernel_param_ops param_ops_string;
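Review bot: the comment on hwparam_irq is a copy-paste error ("Module parameter configures an I/O port"); it should read "configures an IRQ", otherwise the enum documentation contradicts the irq annotations applied in the later patches. Two smaller points in the same hunk: the kerneldoc line "A parameter representing a hw parameters" should be "a hardware parameter", and there is a stray double blank line before the param_array_ops declaration. Note also that `KERNEL_PARAM_FL_HWPARAM | (hwparam_##hwtype & 0)` deliberately discards the type, so every annotated parameter is treated identically by the core parser regardless of hwtype; that is stated in the commit message but deserves a one-line comment next to the macro, since anyone reading the driver annotations will assume the distinction matters.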
diff --git a/debian/patches/features/all/lockdown/0002-Annotate-hardware-config-module-parameters-in-arch-x.patch b/debian/patches/features/all/lockdown/0002-Annotate-hardware-config-module-parameters-in-arch-x.patch
new file mode 100644
index 0000000..6b5bf43
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0002-Annotate-hardware-config-module-parameters-in-arch-x.patch
@@ -0,0 +1,51 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:21 +0100
+Subject: [02/62] Annotate hardware config module parameters in arch/x86/mm/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=89a35b5df5de26b9eaed0791580cea872232d563
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in arch/x86/mm/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Steven Rostedt <rostedt at goodmis.org>
+cc: Ingo Molnar <mingo at kernel.org>
+cc: Thomas Gleixner <tglx at linutronix.de>
+cc: "H. Peter Anvin" <hpa at zytor.com>
+cc: x86 at kernel.org
+cc: linux-kernel at vger.kernel.org
+cc: nouveau at lists.freedesktop.org
+---
+ arch/x86/mm/testmmiotrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
+index 38868adf07ea..f6ae6830b341 100644
+--- a/arch/x86/mm/testmmiotrace.c
++++ b/arch/x86/mm/testmmiotrace.c
+@@ -9,7 +9,7 @@
+ #include <linux/mmiotrace.h>
+ 
+ static unsigned long mmio_address;
+-module_param(mmio_address, ulong, 0);
++module_param_hw(mmio_address, ulong, iomem, 0);
+ MODULE_PARM_DESC(mmio_address, " Start address of the mapping of 16 kB "
+ 				"(or 8 MB if read_far is non-zero).");
+ 
diff --git a/debian/patches/features/all/lockdown/0003-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0003-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..d140171
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0003-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,85 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:21 +0100
+Subject: [03/62] Annotate hardware config module parameters in
+ drivers/char/ipmi/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a72157f0fe047bc3dd4a4111c5db764b03269122
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/char/ipmi/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Reviewed-by: Corey Minyard <cminyard at mvista.com>
+cc: openipmi-developer at lists.sourceforge.net
+---
+ drivers/char/ipmi/ipmi_si_intf.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
+index 2a7c425ddfa7..e2f34eb59998 100644
+--- a/drivers/char/ipmi/ipmi_si_intf.c
++++ b/drivers/char/ipmi/ipmi_si_intf.c
+@@ -1375,39 +1375,39 @@ MODULE_PARM_DESC(type, "Defines the type of each interface, each"
+ 		 " interface separated by commas.  The types are 'kcs',"
+ 		 " 'smic', and 'bt'.  For example si_type=kcs,bt will set"
+ 		 " the first interface to kcs and the second to bt");
+-module_param_array(addrs, ulong, &num_addrs, 0);
++module_param_hw_array(addrs, ulong, iomem, &num_addrs, 0);
+ MODULE_PARM_DESC(addrs, "Sets the memory address of each interface, the"
+ 		 " addresses separated by commas.  Only use if an interface"
+ 		 " is in memory.  Otherwise, set it to zero or leave"
+ 		 " it blank.");
+-module_param_array(ports, uint, &num_ports, 0);
++module_param_hw_array(ports, uint, ioport, &num_ports, 0);
+ MODULE_PARM_DESC(ports, "Sets the port address of each interface, the"
+ 		 " addresses separated by commas.  Only use if an interface"
+ 		 " is a port.  Otherwise, set it to zero or leave"
+ 		 " it blank.");
+-module_param_array(irqs, int, &num_irqs, 0);
++module_param_hw_array(irqs, int, irq, &num_irqs, 0);
+ MODULE_PARM_DESC(irqs, "Sets the interrupt of each interface, the"
+ 		 " addresses separated by commas.  Only use if an interface"
+ 		 " has an interrupt.  Otherwise, set it to zero or leave"
+ 		 " it blank.");
+-module_param_array(regspacings, int, &num_regspacings, 0);
++module_param_hw_array(regspacings, int, other, &num_regspacings, 0);
+ MODULE_PARM_DESC(regspacings, "The number of bytes between the start address"
+ 		 " and each successive register used by the interface.  For"
+ 		 " instance, if the start address is 0xca2 and the spacing"
+ 		 " is 2, then the second address is at 0xca4.  Defaults"
+ 		 " to 1.");
+-module_param_array(regsizes, int, &num_regsizes, 0);
++module_param_hw_array(regsizes, int, other, &num_regsizes, 0);
+ MODULE_PARM_DESC(regsizes, "The size of the specific IPMI register in bytes."
+ 		 " This should generally be 1, 2, 4, or 8 for an 8-bit,"
+ 		 " 16-bit, 32-bit, or 64-bit register.  Use this if you"
+ 		 " the 8-bit IPMI register has to be read from a larger"
+ 		 " register.");
+-module_param_array(regshifts, int, &num_regshifts, 0);
++module_param_hw_array(regshifts, int, other, &num_regshifts, 0);
+ MODULE_PARM_DESC(regshifts, "The amount to shift the data read from the."
+ 		 " IPMI register, in bits.  For instance, if the data"
+ 		 " is read from a 32-bit word and the IPMI data is in"
+ 		 " bit 8-15, then the shift would be 8");
+-module_param_array(slave_addrs, int, &num_slave_addrs, 0);
++module_param_hw_array(slave_addrs, int, other, &num_slave_addrs, 0);
+ MODULE_PARM_DESC(slave_addrs, "Set the default IPMB slave address for"
+ 		 " the controller.  Normally this is 0x20, but can be"
+ 		 " overridden by this parm.  This is an array indexed"
diff --git a/debian/patches/features/all/lockdown/0004-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0004-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..286fbb9
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0004-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,51 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:21 +0100
+Subject: [04/62] Annotate hardware config module parameters in
+ drivers/char/mwave/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=70f233e85b60cb259279e451313dce6cbc84d041
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/char/mwave/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ drivers/char/mwave/mwavedd.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/char/mwave/mwavedd.c b/drivers/char/mwave/mwavedd.c
+index 3a3ff2eb6cba..b5e3103c1175 100644
+--- a/drivers/char/mwave/mwavedd.c
++++ b/drivers/char/mwave/mwavedd.c
+@@ -80,10 +80,10 @@ int mwave_3780i_io = 0;
+ int mwave_uart_irq = 0;
+ int mwave_uart_io = 0;
+ module_param(mwave_debug, int, 0);
+-module_param(mwave_3780i_irq, int, 0);
+-module_param(mwave_3780i_io, int, 0);
+-module_param(mwave_uart_irq, int, 0);
+-module_param(mwave_uart_io, int, 0);
++module_param_hw(mwave_3780i_irq, int, irq, 0);
++module_param_hw(mwave_3780i_io, int, ioport, 0);
++module_param_hw(mwave_uart_irq, int, irq, 0);
++module_param_hw(mwave_uart_io, int, ioport, 0);
+ 
+ static int mwave_open(struct inode *inode, struct file *file);
+ static int mwave_close(struct inode *inode, struct file *file);
diff --git a/debian/patches/features/all/lockdown/0005-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0005-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..ab60a71
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0005-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,49 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:22 +0100
+Subject: [05/62] Annotate hardware config module parameters in drivers/char/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=3a5a43a8e71e6c0f03ba07d7125faccc8c851d65
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/char/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Arnd Bergmann <arnd at arndb.de>
+cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/char/applicom.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/applicom.c b/drivers/char/applicom.c
+index e770ad977472..b67263d6e34b 100644
+--- a/drivers/char/applicom.c
++++ b/drivers/char/applicom.c
+@@ -94,9 +94,9 @@ static struct applicom_board {
+ static unsigned int irq = 0;	/* interrupt number IRQ       */
+ static unsigned long mem = 0;	/* physical segment of board  */
+ 
+-module_param(irq, uint, 0);
++module_param_hw(irq, uint, irq, 0);
+ MODULE_PARM_DESC(irq, "IRQ of the Applicom board");
+-module_param(mem, ulong, 0);
++module_param_hw(mem, ulong, iomem, 0);
+ MODULE_PARM_DESC(mem, "Shared Memory Address of Applicom board");
+ 
+ static unsigned int numboards;	/* number of installed boards */
diff --git a/debian/patches/features/all/lockdown/0006-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0006-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..0e07654
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0006-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,48 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:22 +0100
+Subject: [06/62] Annotate hardware config module parameters in
+ drivers/clocksource/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=8a3dad31f7c45c744a27dd6c7587efc2330bafd7
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/clocksource/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Daniel Lezcano <daniel.lezcano at linaro.org>
+cc: Thomas Gleixner <tglx at linutronix.de>
+cc: linux-kernel at vger.kernel.org
+---
+ drivers/clocksource/cs5535-clockevt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/cs5535-clockevt.c b/drivers/clocksource/cs5535-clockevt.c
+index 9a7e37cf56b0..a1df588343f2 100644
+--- a/drivers/clocksource/cs5535-clockevt.c
++++ b/drivers/clocksource/cs5535-clockevt.c
+@@ -22,7 +22,7 @@
+ #define DRV_NAME "cs5535-clockevt"
+ 
+ static int timer_irq;
+-module_param_named(irq, timer_irq, int, 0644);
++module_param_hw_named(irq, timer_irq, int, irq, 0644);
+ MODULE_PARM_DESC(irq, "Which IRQ to use for the clock source MFGPT ticks.");
+ 
+ /*
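Review bot: this parameter keeps perm 0644, so it stays writable through /sys/module/cs5535_clockevt/parameters/irq after load. The commit message only describes the lockdown check in the core parameter parser at load time; please confirm the sysfs store path honours KERNEL_PARAM_FL_HWPARAM as well, or reduce the permission to 0 (as the other annotated drivers in this series use), otherwise the annotation can be sidestepped by writing the value after the module is loaded.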
diff --git a/debian/patches/features/all/lockdown/0007-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0007-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..29df967
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0007-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,48 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:22 +0100
+Subject: [07/62] Annotate hardware config module parameters in
+ drivers/cpufreq/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=889dc5a750fe6ec7088dcb77a23f1a5745d3fd2a
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/cpufreq/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: "Rafael J. Wysocki" <rjw at rjwysocki.net>
+cc: Viresh Kumar <viresh.kumar at linaro.org>
+cc: linux-pm at vger.kernel.org
+---
+ drivers/cpufreq/speedstep-smi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/speedstep-smi.c b/drivers/cpufreq/speedstep-smi.c
+index 770a9ae1999a..37b30071c220 100644
+--- a/drivers/cpufreq/speedstep-smi.c
++++ b/drivers/cpufreq/speedstep-smi.c
+@@ -378,7 +378,7 @@ static void __exit speedstep_exit(void)
+ 	cpufreq_unregister_driver(&speedstep_driver);
+ }
+ 
+-module_param(smi_port, int, 0444);
++module_param_hw(smi_port, int, ioport, 0444);
+ module_param(smi_cmd,  int, 0444);
+ module_param(smi_sig, uint, 0444);
+ 
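Review bot: smi_port is annotated but smi_cmd and smi_sig, which by name are the command and signature the driver uses against that port, are left as plain module_param and so remain settable under lockdown. Either state in the commit message why an arbitrary command value through the default port is harmless, or annotate them with `other` so they are refused together with the port.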
diff --git a/debian/patches/features/all/lockdown/0008-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0008-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..04001c8
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0008-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,124 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:22 +0100
+Subject: [08/62] Annotate hardware config module parameters in drivers/gpio/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=fc57a891601a964e9c80c1ea9a0bfa40da3764db
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/gpio/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: William Breathitt Gray <vilhelm.gray at gmail.com>
+Acked-by: Linus Walleij <linus.walleij at linaro.org>
+cc: Alexandre Courbot <gnurou at gmail.com>
+cc: linux-gpio at vger.kernel.org
+---
+ drivers/gpio/gpio-104-dio-48e.c | 4 ++--
+ drivers/gpio/gpio-104-idi-48.c  | 4 ++--
+ drivers/gpio/gpio-104-idio-16.c | 4 ++--
+ drivers/gpio/gpio-gpio-mm.c     | 2 +-
+ drivers/gpio/gpio-ws16c48.c     | 4 ++--
+ 5 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpio/gpio-104-dio-48e.c b/drivers/gpio/gpio-104-dio-48e.c
+index 17bd2ab4ebe2..dfa1a298e4f6 100644
+--- a/drivers/gpio/gpio-104-dio-48e.c
++++ b/drivers/gpio/gpio-104-dio-48e.c
+@@ -33,11 +33,11 @@
+ 
+ static unsigned int base[MAX_NUM_DIO48E];
+ static unsigned int num_dio48e;
+-module_param_array(base, uint, &num_dio48e, 0);
++module_param_hw_array(base, uint, ioport, &num_dio48e, 0);
+ MODULE_PARM_DESC(base, "ACCES 104-DIO-48E base addresses");
+ 
+ static unsigned int irq[MAX_NUM_DIO48E];
+-module_param_array(irq, uint, NULL, 0);
++module_param_hw_array(irq, uint, irq, NULL, 0);
+ MODULE_PARM_DESC(irq, "ACCES 104-DIO-48E interrupt line numbers");
+ 
+ /**
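Review bot: the two arrays are filtered asymmetrically in this hunk: `base` carries a count pointer (`&num_dio48e`) while `irq` passes `NULL`, so the parser never checks that the two lists have the same length. That is pre-existing, but it matters more now: when the kernel is locked down both arrays are skipped, `num_dio48e` stays at its zero initial value and `base[]`/`irq[]` stay zero-filled, so the probe path must cope with "no devices configured" rather than with a partially filled pair of arrays. Worth a sentence in the commit message or a comment above the declarations.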
+diff --git a/drivers/gpio/gpio-104-idi-48.c b/drivers/gpio/gpio-104-idi-48.c
+index 568375a7ebc2..c369b2083876 100644
+--- a/drivers/gpio/gpio-104-idi-48.c
++++ b/drivers/gpio/gpio-104-idi-48.c
+@@ -33,11 +33,11 @@
+ 
+ static unsigned int base[MAX_NUM_IDI_48];
+ static unsigned int num_idi_48;
+-module_param_array(base, uint, &num_idi_48, 0);
++module_param_hw_array(base, uint, ioport, &num_idi_48, 0);
+ MODULE_PARM_DESC(base, "ACCES 104-IDI-48 base addresses");
+ 
+ static unsigned int irq[MAX_NUM_IDI_48];
+-module_param_array(irq, uint, NULL, 0);
++module_param_hw_array(irq, uint, irq, NULL, 0);
+ MODULE_PARM_DESC(irq, "ACCES 104-IDI-48 interrupt line numbers");
+ 
+ /**
+diff --git a/drivers/gpio/gpio-104-idio-16.c b/drivers/gpio/gpio-104-idio-16.c
+index 7053cf736648..5949123986f2 100644
+--- a/drivers/gpio/gpio-104-idio-16.c
++++ b/drivers/gpio/gpio-104-idio-16.c
+@@ -33,11 +33,11 @@
+ 
+ static unsigned int base[MAX_NUM_IDIO_16];
+ static unsigned int num_idio_16;
+-module_param_array(base, uint, &num_idio_16, 0);
++module_param_hw_array(base, uint, ioport, &num_idio_16, 0);
+ MODULE_PARM_DESC(base, "ACCES 104-IDIO-16 base addresses");
+ 
+ static unsigned int irq[MAX_NUM_IDIO_16];
+-module_param_array(irq, uint, NULL, 0);
++module_param_hw_array(irq, uint, irq, NULL, 0);
+ MODULE_PARM_DESC(irq, "ACCES 104-IDIO-16 interrupt line numbers");
+ 
+ /**
+diff --git a/drivers/gpio/gpio-gpio-mm.c b/drivers/gpio/gpio-gpio-mm.c
+index fa4baa2543db..11ade5b288f8 100644
+--- a/drivers/gpio/gpio-gpio-mm.c
++++ b/drivers/gpio/gpio-gpio-mm.c
+@@ -31,7 +31,7 @@
+ 
+ static unsigned int base[MAX_NUM_GPIOMM];
+ static unsigned int num_gpiomm;
+-module_param_array(base, uint, &num_gpiomm, 0);
++module_param_hw_array(base, uint, ioport, &num_gpiomm, 0);
+ MODULE_PARM_DESC(base, "Diamond Systems GPIO-MM base addresses");
+ 
+ /**
+diff --git a/drivers/gpio/gpio-ws16c48.c b/drivers/gpio/gpio-ws16c48.c
+index 901b5ccb032d..f8a4f91f36c7 100644
+--- a/drivers/gpio/gpio-ws16c48.c
++++ b/drivers/gpio/gpio-ws16c48.c
+@@ -30,11 +30,11 @@
+ 
+ static unsigned int base[MAX_NUM_WS16C48];
+ static unsigned int num_ws16c48;
+-module_param_array(base, uint, &num_ws16c48, 0);
++module_param_hw_array(base, uint, ioport, &num_ws16c48, 0);
+ MODULE_PARM_DESC(base, "WinSystems WS16C48 base addresses");
+ 
+ static unsigned int irq[MAX_NUM_WS16C48];
+-module_param_array(irq, uint, NULL, 0);
++module_param_hw_array(irq, uint, irq, NULL, 0);
+ MODULE_PARM_DESC(irq, "WinSystems WS16C48 interrupt line numbers");
+ 
+ /**
diff --git a/debian/patches/features/all/lockdown/0009-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0009-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..871e4c9
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0009-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,157 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:23 +0100
+Subject: [09/62] Annotate hardware config module parameters in drivers/i2c/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=e03e00c1c3dc3178b092971000390bbc1cbcea6c
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/i2c/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Wolfram Sang <wsa at the-dreams.de>
+cc: Jean Delvare <jdelvare at suse.com>
+cc: linux-i2c at vger.kernel.org
+---
+ drivers/i2c/busses/i2c-ali15x3.c       | 2 +-
+ drivers/i2c/busses/i2c-elektor.c       | 6 +++---
+ drivers/i2c/busses/i2c-parport-light.c | 4 ++--
+ drivers/i2c/busses/i2c-pca-isa.c       | 4 ++--
+ drivers/i2c/busses/i2c-piix4.c         | 2 +-
+ drivers/i2c/busses/i2c-sis5595.c       | 2 +-
+ drivers/i2c/busses/i2c-viapro.c        | 2 +-
+ drivers/i2c/busses/scx200_acb.c        | 2 +-
+ 8 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-ali15x3.c b/drivers/i2c/busses/i2c-ali15x3.c
+index 45c5c4883022..6e6bf46bcb52 100644
+--- a/drivers/i2c/busses/i2c-ali15x3.c
++++ b/drivers/i2c/busses/i2c-ali15x3.c
+@@ -119,7 +119,7 @@
+ /* If force_addr is set to anything different from 0, we forcibly enable
+    the device at the given address. */
+ static u16 force_addr;
+-module_param(force_addr, ushort, 0);
++module_param_hw(force_addr, ushort, ioport, 0);
+ MODULE_PARM_DESC(force_addr,
+ 		 "Initialize the base address of the i2c controller");
+ 
+diff --git a/drivers/i2c/busses/i2c-elektor.c b/drivers/i2c/busses/i2c-elektor.c
+index 8af62fb3fe41..5416003e0605 100644
+--- a/drivers/i2c/busses/i2c-elektor.c
++++ b/drivers/i2c/busses/i2c-elektor.c
+@@ -323,9 +323,9 @@ MODULE_AUTHOR("Hans Berglund <hb at spacetec.no>");
+ MODULE_DESCRIPTION("I2C-Bus adapter routines for PCF8584 ISA bus adapter");
+ MODULE_LICENSE("GPL");
+ 
+-module_param(base, int, 0);
+-module_param(irq, int, 0);
++module_param_hw(base, int, ioport_or_iomem, 0);
++module_param_hw(irq, int, irq, 0);
+ module_param(clock, int, 0);
+ module_param(own, int, 0);
+-module_param(mmapped, int, 0);
++module_param_hw(mmapped, int, other, 0);
+ module_isa_driver(i2c_elektor_driver, 1);
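Review bot: the choice of `ioport_or_iomem` for `base` and `other` for `mmapped` deserves a comment in the code, because on its own `mmapped` looks like a plain flag that would not need annotating. The reason it is filtered is that it decides whether `base` is interpreted as a port number or a memory address, which is also why `base` cannot be classified as just `ioport`. Suggest a one-line comment above `module_param_hw(mmapped, int, other, 0);` stating that, so a later cleanup does not "simplify" it back to `module_param`.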
+diff --git a/drivers/i2c/busses/i2c-parport-light.c b/drivers/i2c/busses/i2c-parport-light.c
+index 1bcdd10b68b9..faa8fb8f2b8f 100644
+--- a/drivers/i2c/busses/i2c-parport-light.c
++++ b/drivers/i2c/busses/i2c-parport-light.c
+@@ -38,11 +38,11 @@
+ static struct platform_device *pdev;
+ 
+ static u16 base;
+-module_param(base, ushort, 0);
++module_param_hw(base, ushort, ioport, 0);
+ MODULE_PARM_DESC(base, "Base I/O address");
+ 
+ static int irq;
+-module_param(irq, int, 0);
++module_param_hw(irq, int, irq, 0);
+ MODULE_PARM_DESC(irq, "IRQ (optional)");
+ 
+ /* ----- Low-level parallel port access ----------------------------------- */
+diff --git a/drivers/i2c/busses/i2c-pca-isa.c b/drivers/i2c/busses/i2c-pca-isa.c
+index ba88f17f636c..946ac646de2a 100644
+--- a/drivers/i2c/busses/i2c-pca-isa.c
++++ b/drivers/i2c/busses/i2c-pca-isa.c
+@@ -197,9 +197,9 @@ MODULE_AUTHOR("Ian Campbell <icampbell at arcom.com>");
+ MODULE_DESCRIPTION("ISA base PCA9564/PCA9665 driver");
+ MODULE_LICENSE("GPL");
+ 
+-module_param(base, ulong, 0);
++module_param_hw(base, ulong, ioport, 0);
+ MODULE_PARM_DESC(base, "I/O base address");
+-module_param(irq, int, 0);
++module_param_hw(irq, int, irq, 0);
+ MODULE_PARM_DESC(irq, "IRQ");
+ module_param(clock, int, 0);
+ MODULE_PARM_DESC(clock, "Clock rate in hertz.\n\t\t"
+diff --git a/drivers/i2c/busses/i2c-piix4.c b/drivers/i2c/busses/i2c-piix4.c
+index c21ca7bf2efe..0ecdb47a23ab 100644
+--- a/drivers/i2c/busses/i2c-piix4.c
++++ b/drivers/i2c/busses/i2c-piix4.c
+@@ -106,7 +106,7 @@ MODULE_PARM_DESC(force, "Forcibly enable the PIIX4. DANGEROUS!");
+ /* If force_addr is set to anything different from 0, we forcibly enable
+    the PIIX4 at the given address. VERY DANGEROUS! */
+ static int force_addr;
+-module_param (force_addr, int, 0);
++module_param_hw(force_addr, int, ioport, 0);
+ MODULE_PARM_DESC(force_addr,
+ 		 "Forcibly enable the PIIX4 at the given address. "
+ 		 "EXTREMELY DANGEROUS!");
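Review bot: `force` (visible in the hunk header as "Forcibly enable the PIIX4. DANGEROUS!") is left unannotated while `force_addr` becomes `ioport`. That is defensible, since `force` alone does not let the user supply an address, but the rule being applied (addresses, IRQs and DMA channels are filtered; bare enable flags are not) is nowhere stated. A sentence in the commit message would make the split reproducible for the remaining drivers. Separately, the rewritten line also drops the stray space in `module_param (force_addr`, which is fine but unrelated to the annotation.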
+diff --git a/drivers/i2c/busses/i2c-sis5595.c b/drivers/i2c/busses/i2c-sis5595.c
+index 7d58a40faf2d..d543a9867ba4 100644
+--- a/drivers/i2c/busses/i2c-sis5595.c
++++ b/drivers/i2c/busses/i2c-sis5595.c
+@@ -119,7 +119,7 @@ static int blacklist[] = {
+ /* If force_addr is set to anything different from 0, we forcibly enable
+    the device at the given address. */
+ static u16 force_addr;
+-module_param(force_addr, ushort, 0);
++module_param_hw(force_addr, ushort, ioport, 0);
+ MODULE_PARM_DESC(force_addr, "Initialize the base address of the i2c controller");
+ 
+ static struct pci_driver sis5595_driver;
+diff --git a/drivers/i2c/busses/i2c-viapro.c b/drivers/i2c/busses/i2c-viapro.c
+index 0ee2646f3b00..0dc45e12bb1d 100644
+--- a/drivers/i2c/busses/i2c-viapro.c
++++ b/drivers/i2c/busses/i2c-viapro.c
+@@ -94,7 +94,7 @@ MODULE_PARM_DESC(force, "Forcibly enable the SMBus. DANGEROUS!");
+ /* If force_addr is set to anything different from 0, we forcibly enable
+    the VT596 at the given address. VERY DANGEROUS! */
+ static u16 force_addr;
+-module_param(force_addr, ushort, 0);
++module_param_hw(force_addr, ushort, ioport, 0);
+ MODULE_PARM_DESC(force_addr,
+ 		 "Forcibly enable the SMBus at the given address. "
+ 		 "EXTREMELY DANGEROUS!");
+diff --git a/drivers/i2c/busses/scx200_acb.c b/drivers/i2c/busses/scx200_acb.c
+index 0a7e410b6195..e0923bee8d1f 100644
+--- a/drivers/i2c/busses/scx200_acb.c
++++ b/drivers/i2c/busses/scx200_acb.c
+@@ -42,7 +42,7 @@ MODULE_LICENSE("GPL");
+ 
+ #define MAX_DEVICES 4
+ static int base[MAX_DEVICES] = { 0x820, 0x840 };
+-module_param_array(base, int, NULL, 0);
++module_param_hw_array(base, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(base, "Base addresses for the ACCESS.bus controllers");
+ 
+ #define POLL_TIMEOUT	(HZ/5)
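Review bot: note that the built-in defaults `{ 0x820, 0x840 }` remain in effect when the parameter is skipped under lockdown, exactly as the commit message says ("sees whatever the default values for those parameters is"). So lockdown here prevents a user-chosen base address, not the driver touching those two ports; that is the intended trust boundary, but the commit message would be clearer if it said explicitly that compiled-in defaults are trusted while user-supplied values are not.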
diff --git a/debian/patches/features/all/lockdown/0010-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0010-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..930e5f1
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0010-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,61 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:23 +0100
+Subject: [10/62] Annotate hardware config module parameters in drivers/iio/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=104ad466c252fa90cc84d4dd4e0aa5074c43f47e
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/iio/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: William Breathitt Gray <vilhelm.gray at gmail.com>
+Acked-by: Jonathan Cameron <jic23 at kernel.org>
+cc: linux-iio at vger.kernel.org
+---
+ drivers/iio/adc/stx104.c  | 2 +-
+ drivers/iio/dac/cio-dac.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/adc/stx104.c b/drivers/iio/adc/stx104.c
+index be2de48844bc..7dd396f88f6b 100644
+--- a/drivers/iio/adc/stx104.c
++++ b/drivers/iio/adc/stx104.c
+@@ -49,7 +49,7 @@
+ 
+ static unsigned int base[max_num_isa_dev(STX104_EXTENT)];
+ static unsigned int num_stx104;
+-module_param_array(base, uint, &num_stx104, 0);
++module_param_hw_array(base, uint, ioport, &num_stx104, 0);
+ MODULE_PARM_DESC(base, "Apex Embedded Systems STX104 base addresses");
+ 
+ /**
+diff --git a/drivers/iio/dac/cio-dac.c b/drivers/iio/dac/cio-dac.c
+index 5a743e2a779d..dac086129edf 100644
+--- a/drivers/iio/dac/cio-dac.c
++++ b/drivers/iio/dac/cio-dac.c
+@@ -39,7 +39,7 @@
+ 
+ static unsigned int base[max_num_isa_dev(CIO_DAC_EXTENT)];
+ static unsigned int num_cio_dac;
+-module_param_array(base, uint, &num_cio_dac, 0);
++module_param_hw_array(base, uint, ioport, &num_cio_dac, 0);
+ MODULE_PARM_DESC(base, "Measurement Computing CIO-DAC base addresses");
+ 
+ /**
diff --git a/debian/patches/features/all/lockdown/0011-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0011-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..a848503
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0011-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,79 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:23 +0100
+Subject: [11/62] Annotate hardware config module parameters in drivers/input/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=5b90489efd9bb9b2b9e68b2b4e803985fa890cb8
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/input/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
+cc: linux-input at vger.kernel.org
+---
+ drivers/input/mouse/inport.c      | 2 +-
+ drivers/input/mouse/logibm.c      | 2 +-
+ drivers/input/touchscreen/mk712.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/mouse/inport.c b/drivers/input/mouse/inport.c
+index 3827a22362de..9ce71dfa0de1 100644
+--- a/drivers/input/mouse/inport.c
++++ b/drivers/input/mouse/inport.c
+@@ -78,7 +78,7 @@ MODULE_LICENSE("GPL");
+ #define INPORT_IRQ		5
+ 
+ static int inport_irq = INPORT_IRQ;
+-module_param_named(irq, inport_irq, uint, 0);
++module_param_hw_named(irq, inport_irq, uint, irq, 0);
+ MODULE_PARM_DESC(irq, "IRQ number (5=default)");
+ 
+ static struct input_dev *inport_dev;
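Review bot: the type mismatch on the rewritten line is pre-existing but easy to fix while the line is being touched: `inport_irq` is declared `static int` but the parameter is registered as `uint`. Consider `module_param_hw_named(irq, inport_irq, int, irq, 0);` or making the variable unsigned. The logibm.c hunk of this patch has the same `int` variable registered as `uint`.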
+diff --git a/drivers/input/mouse/logibm.c b/drivers/input/mouse/logibm.c
+index e2413113df22..6f165e053f4d 100644
+--- a/drivers/input/mouse/logibm.c
++++ b/drivers/input/mouse/logibm.c
+@@ -69,7 +69,7 @@ MODULE_LICENSE("GPL");
+ #define LOGIBM_IRQ		5
+ 
+ static int logibm_irq = LOGIBM_IRQ;
+-module_param_named(irq, logibm_irq, uint, 0);
++module_param_hw_named(irq, logibm_irq, uint, irq, 0);
+ MODULE_PARM_DESC(irq, "IRQ number (5=default)");
+ 
+ static struct input_dev *logibm_dev;
+diff --git a/drivers/input/touchscreen/mk712.c b/drivers/input/touchscreen/mk712.c
+index 36e57deacd03..bd5352824f77 100644
+--- a/drivers/input/touchscreen/mk712.c
++++ b/drivers/input/touchscreen/mk712.c
+@@ -50,11 +50,11 @@ MODULE_DESCRIPTION("ICS MicroClock MK712 TouchScreen driver");
+ MODULE_LICENSE("GPL");
+ 
+ static unsigned int mk712_io = 0x260;	/* Also 0x200, 0x208, 0x300 */
+-module_param_named(io, mk712_io, uint, 0);
++module_param_hw_named(io, mk712_io, uint, ioport, 0);
+ MODULE_PARM_DESC(io, "I/O base address of MK712 touchscreen controller");
+ 
+ static unsigned int mk712_irq = 10;	/* Also 12, 14, 15 */
+-module_param_named(irq, mk712_irq, uint, 0);
++module_param_hw_named(irq, mk712_irq, uint, irq, 0);
+ MODULE_PARM_DESC(irq, "IRQ of MK712 touchscreen controller");
+ 
+ /* eight 8-bit registers */
diff --git a/debian/patches/features/all/lockdown/0012-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0012-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..368a3f5
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0012-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,88 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:24 +0100
+Subject: [12/62] Annotate hardware config module parameters in drivers/isdn/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=7968519108dc80b5da2fe7a8e6aa27c296586c25
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/isdn/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Karsten Keil <isdn at linux-pingi.de>
+cc: netdev at vger.kernel.org
+---
+ drivers/isdn/hardware/avm/b1isa.c |  4 ++--
+ drivers/isdn/hardware/avm/t1isa.c |  4 ++--
+ drivers/isdn/hisax/config.c       | 10 +++++-----
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/isdn/hardware/avm/b1isa.c b/drivers/isdn/hardware/avm/b1isa.c
+index 31ef8130a87f..54e871a47387 100644
+--- a/drivers/isdn/hardware/avm/b1isa.c
++++ b/drivers/isdn/hardware/avm/b1isa.c
+@@ -169,8 +169,8 @@ static struct pci_dev isa_dev[MAX_CARDS];
+ static int io[MAX_CARDS];
+ static int irq[MAX_CARDS];
+ 
+-module_param_array(io, int, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ MODULE_PARM_DESC(io, "I/O base address(es)");
+ MODULE_PARM_DESC(irq, "IRQ number(s) (assigned)");
+ 
+diff --git a/drivers/isdn/hardware/avm/t1isa.c b/drivers/isdn/hardware/avm/t1isa.c
+index 72ef18853951..9516203c735f 100644
+--- a/drivers/isdn/hardware/avm/t1isa.c
++++ b/drivers/isdn/hardware/avm/t1isa.c
+@@ -516,8 +516,8 @@ static int io[MAX_CARDS];
+ static int irq[MAX_CARDS];
+ static int cardnr[MAX_CARDS];
+ 
+-module_param_array(io, int, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ module_param_array(cardnr, int, NULL, 0);
+ MODULE_PARM_DESC(io, "I/O base address(es)");
+ MODULE_PARM_DESC(irq, "IRQ number(s) (assigned)");
+diff --git a/drivers/isdn/hisax/config.c b/drivers/isdn/hisax/config.c
+index 2d12c6ceeb89..c7d68675b028 100644
+--- a/drivers/isdn/hisax/config.c
++++ b/drivers/isdn/hisax/config.c
+@@ -350,13 +350,13 @@ MODULE_AUTHOR("Karsten Keil");
+ MODULE_LICENSE("GPL");
+ module_param_array(type, int, NULL, 0);
+ module_param_array(protocol, int, NULL, 0);
+-module_param_array(io, int, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
+-module_param_array(mem, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
++module_param_hw_array(mem, int, iomem, NULL, 0);
+ module_param(id, charp, 0);
+ #ifdef IO0_IO1
+-module_param_array(io0, int, NULL, 0);
+-module_param_array(io1, int, NULL, 0);
++module_param_hw_array(io0, int, ioport, NULL, 0);
++module_param_hw_array(io1, int, ioport, NULL, 0);
+ #endif
+ #endif /* MODULE */
+ 
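Review bot: this whole block sits under `#endif /* MODULE */`, so the annotation only covers the modular build. If the built-in configuration path for these parameters (the one compiled when `MODULE` is not defined) also accepts `io`, `irq` and `mem` from the command line, it needs the same treatment, otherwise a locked-down kernel with hisax built in still takes user-supplied addresses. Please confirm or state in the commit message why the built-in path is out of scope. Leaving `type` and `protocol` unannotated looks right, since they select behaviour rather than a resource.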
diff --git a/debian/patches/features/all/lockdown/0013-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0013-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..ab8c5e7
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0013-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,83 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:24 +0100
+Subject: [13/62] Annotate hardware config module parameters in drivers/media/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=9e256c58933510b128a6f00691f751ef55ea1fd2
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/media/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Mauro Carvalho Chehab <mchehab at kernel.org>
+cc: mjpeg-users at lists.sourceforge.net
+cc: linux-media at vger.kernel.org
+---
+ drivers/media/pci/zoran/zoran_card.c |  2 +-
+ drivers/media/rc/serial_ir.c         | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/pci/zoran/zoran_card.c b/drivers/media/pci/zoran/zoran_card.c
+index 5266755add63..4680f001653a 100644
+--- a/drivers/media/pci/zoran/zoran_card.c
++++ b/drivers/media/pci/zoran/zoran_card.c
+@@ -69,7 +69,7 @@ MODULE_PARM_DESC(card, "Card type");
+  */
+ 
+ static unsigned long vidmem;	/* default = 0 - Video memory base address */
+-module_param(vidmem, ulong, 0444);
++module_param_hw(vidmem, ulong, iomem, 0444);
+ MODULE_PARM_DESC(vidmem, "Default video memory base address");
+ 
+ /*
+diff --git a/drivers/media/rc/serial_ir.c b/drivers/media/rc/serial_ir.c
+index 41b54e40176c..40d305842a9b 100644
+--- a/drivers/media/rc/serial_ir.c
++++ b/drivers/media/rc/serial_ir.c
+@@ -833,11 +833,11 @@ MODULE_LICENSE("GPL");
+ module_param(type, int, 0444);
+ MODULE_PARM_DESC(type, "Hardware type (0 = home-brew, 1 = IRdeo, 2 = IRdeo Remote, 3 = AnimaX, 4 = IgorPlug");
+ 
+-module_param(io, int, 0444);
++module_param_hw(io, int, ioport, 0444);
+ MODULE_PARM_DESC(io, "I/O address base (0x3f8 or 0x2f8)");
+ 
+ /* some architectures (e.g. intel xscale) have memory mapped registers */
+-module_param(iommap, bool, 0444);
++module_param_hw(iommap, bool, other, 0444);
+ MODULE_PARM_DESC(iommap, "physical base for memory mapped I/O (0 = no memory mapped io)");
+ 
+ /*
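Review bot: `iommap` is declared `bool` but its description reads "physical base for memory mapped I/O (0 = no memory mapped io)", which describes an address, not a flag. If it really is a flag, `other` is the right class and the description should be corrected; if it is meant to carry a base address, it should be `iomem` and not `bool`. The patch annotates according to the declared type, which is the safe default, but the contradiction on the two lines should be resolved rather than carried forward.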
+@@ -845,13 +845,13 @@ MODULE_PARM_DESC(iommap, "physical base for memory mapped I/O (0 = no memory map
+  * on 32bit word boundaries.
+  * See linux-kernel/drivers/tty/serial/8250/8250.c serial_in()/out()
+  */
+-module_param(ioshift, int, 0444);
++module_param_hw(ioshift, int, other, 0444);
+ MODULE_PARM_DESC(ioshift, "shift I/O register offset (0 = no shift)");
+ 
+-module_param(irq, int, 0444);
++module_param_hw(irq, int, irq, 0444);
+ MODULE_PARM_DESC(irq, "Interrupt (4 or 3)");
+ 
+-module_param(share_irq, bool, 0444);
++module_param_hw(share_irq, bool, other, 0444);
+ MODULE_PARM_DESC(share_irq, "Share interrupts (0 = off, 1 = on)");
+ 
+ module_param(sense, int, 0444);
diff --git a/debian/patches/features/all/lockdown/0014-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0014-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..84d3f41
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0014-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,45 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:24 +0100
+Subject: [14/62] Annotate hardware config module parameters in drivers/misc/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=78c42a679f4795421aa74c469bbce417f9eed08d
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/misc/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Arnd Bergmann <arnd at arndb.de>
+cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/misc/dummy-irq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/misc/dummy-irq.c b/drivers/misc/dummy-irq.c
+index acbbe0390be4..76a1015d5783 100644
+--- a/drivers/misc/dummy-irq.c
++++ b/drivers/misc/dummy-irq.c
+@@ -59,6 +59,6 @@ module_exit(dummy_irq_exit);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Jiri Kosina");
+-module_param(irq, uint, 0444);
++module_param_hw(irq, uint, irq, 0444);
+ MODULE_PARM_DESC(irq, "The IRQ to register for");
+ MODULE_DESCRIPTION("Dummy IRQ handler driver");
diff --git a/debian/patches/features/all/lockdown/0015-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0015-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..d7c9637
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0015-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,55 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:25 +0100
+Subject: [15/62] Annotate hardware config module parameters in
+ drivers/mmc/host/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=eddcdc1bef4e3fa95de7f670e0aeaca85e2ab9af
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/mmc/host/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Pierre Ossman <pierre at ossman.eu>
+cc: Ulf Hansson <ulf.hansson at linaro.org>
+cc: linux-mmc at vger.kernel.org
+---
+ drivers/mmc/host/wbsd.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mmc/host/wbsd.c b/drivers/mmc/host/wbsd.c
+index bd04e8bae010..e15a9733fcfd 100644
+--- a/drivers/mmc/host/wbsd.c
++++ b/drivers/mmc/host/wbsd.c
+@@ -2001,11 +2001,11 @@ static void __exit wbsd_drv_exit(void)
+ module_init(wbsd_drv_init);
+ module_exit(wbsd_drv_exit);
+ #ifdef CONFIG_PNP
+-module_param_named(nopnp, param_nopnp, uint, 0444);
++module_param_hw_named(nopnp, param_nopnp, uint, other, 0444);
+ #endif
+-module_param_named(io, param_io, uint, 0444);
+-module_param_named(irq, param_irq, uint, 0444);
+-module_param_named(dma, param_dma, int, 0444);
++module_param_hw_named(io, param_io, uint, ioport, 0444);
++module_param_hw_named(irq, param_irq, uint, irq, 0444);
++module_param_hw_named(dma, param_dma, int, dma, 0444);
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Pierre Ossman <pierre at ossman.eu>");
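Review bot: in the wbsd.c hunk `nopnp` is annotated with type `other` although it is a mode switch rather than an address or channel; this is the conservative choice, because refusing it under lockdown means the driver can only take its io/irq/dma values from PnP discovery, while the hardware-typed `ioport`, `irq` and `dma` lines in the same hunk are consistently refused as well. Consider stating that reasoning in the commit message so that other drivers in the series with a `nopnp`-style parameter receive the same treatment.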
diff --git a/debian/patches/features/all/lockdown/0016-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0016-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..b4e8cee
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0016-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,47 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:25 +0100
+Subject: [16/62] Annotate hardware config module parameters in
+ drivers/net/appletalk/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=78e66f194ab1de8df4088761add8e9e747d8e9c3
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/net/appletalk/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
+cc: netdev at vger.kernel.org
+[bwh: Drop changes to cops driver, which we removed]
+---
+--- a/drivers/net/appletalk/ltpc.c
++++ b/drivers/net/appletalk/ltpc.c
+@@ -1231,9 +1231,9 @@ static struct net_device *dev_ltpc;
+ 
+ MODULE_LICENSE("GPL");
+ module_param(debug, int, 0);
+-module_param(io, int, 0);
+-module_param(irq, int, 0);
+-module_param(dma, int, 0);
++module_param_hw(io, int, ioport, 0);
++module_param_hw(irq, int, irq, 0);
++module_param_hw(dma, int, dma, 0);
+ 
+ 
+ static int __init ltpc_module_init(void)
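Review bot: the ltpc.c hunk follows a header whose diffstat was dropped when the cops.c changes were removed, so the `---` separator after the `[bwh: ...]` note is immediately followed by the `--- a/drivers/net/appletalk/ltpc.c` file header. The patch still applies in this form, but regenerating the stat line (`drivers/net/appletalk/ltpc.c | 6 +++---`, from the three replaced lines) would keep this file consistent with the other patches in the series. Leaving `debug` as a plain module_param is correct, since it is not a hardware setting.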
diff --git a/debian/patches/features/all/lockdown/0017-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0017-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..9909a84
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0017-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,81 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:25 +0100
+Subject: [17/62] Annotate hardware config module parameters in
+ drivers/net/arcnet/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=7606cd506c88e6f9a0f001c57fb1bd9d4d648db8
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/net/arcnet/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Michael Grzeschik <m.grzeschik at pengutronix.de>
+cc: netdev at vger.kernel.org
+---
+ drivers/net/arcnet/com20020-isa.c | 4 ++--
+ drivers/net/arcnet/com90io.c      | 4 ++--
+ drivers/net/arcnet/com90xx.c      | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/arcnet/com20020-isa.c b/drivers/net/arcnet/com20020-isa.c
+index b9e9931353b2..38fa60ddaf2e 100644
+--- a/drivers/net/arcnet/com20020-isa.c
++++ b/drivers/net/arcnet/com20020-isa.c
+@@ -129,8 +129,8 @@ static int clockp = 0;
+ static int clockm = 0;
+ 
+ module_param(node, int, 0);
+-module_param(io, int, 0);
+-module_param(irq, int, 0);
++module_param_hw(io, int, ioport, 0);
++module_param_hw(irq, int, irq, 0);
+ module_param_string(device, device, sizeof(device), 0);
+ module_param(timeout, int, 0);
+ module_param(backplane, int, 0);
+diff --git a/drivers/net/arcnet/com90io.c b/drivers/net/arcnet/com90io.c
+index b57863df5bf5..4e56aaf2b984 100644
+--- a/drivers/net/arcnet/com90io.c
++++ b/drivers/net/arcnet/com90io.c
+@@ -347,8 +347,8 @@ static int io;			/* use the insmod io= irq= shmem= options */
+ static int irq;
+ static char device[9];		/* use eg. device=arc1 to change name */
+ 
+-module_param(io, int, 0);
+-module_param(irq, int, 0);
++module_param_hw(io, int, ioport, 0);
++module_param_hw(irq, int, irq, 0);
+ module_param_string(device, device, sizeof(device), 0);
+ MODULE_LICENSE("GPL");
+ 
+diff --git a/drivers/net/arcnet/com90xx.c b/drivers/net/arcnet/com90xx.c
+index 81f90c4703ae..ca4a57c30bf8 100644
+--- a/drivers/net/arcnet/com90xx.c
++++ b/drivers/net/arcnet/com90xx.c
+@@ -88,8 +88,8 @@ static int irq;
+ static int shmem;
+ static char device[9];		/* use eg. device=arc1 to change name */
+ 
+-module_param(io, int, 0);
+-module_param(irq, int, 0);
++module_param_hw(io, int, ioport, 0);
++module_param_hw(irq, int, irq, 0);
+ module_param(shmem, int, 0);
+ module_param_string(device, device, sizeof(device), 0);
+ 
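Review bot: in the com90xx.c hunk `shmem` is left as a plain module_param while `io` and `irq` on the adjacent lines are annotated. The name, and the `shmem=` option mentioned in the com90io.c context comment above, suggest it is a shared-memory base address, i.e. the same kind of value that wd.c's `mem` parameter receives the `iomem` type for in the drivers/net/ethernet/ patch of this series; if so it should become `module_param_hw(shmem, int, iomem, 0);`, otherwise a locked-down kernel still accepts a user-chosen memory window for this card.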
diff --git a/debian/patches/features/all/lockdown/0018-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0018-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..b854537
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0018-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,87 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:25 +0100
+Subject: [18/62] Annotate hardware config module parameters in
+ drivers/net/can/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=062a92aff0917dc6c418648979564e1632924f2e
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/net/can/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: Marc Kleine-Budde <mkl at pengutronix.de>
+cc: Wolfgang Grandegger <wg at grandegger.com>
+cc: linux-can at vger.kernel.org
+cc: netdev at vger.kernel.org
+---
+ drivers/net/can/cc770/cc770_isa.c     | 8 ++++----
+ drivers/net/can/sja1000/sja1000_isa.c | 8 ++++----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/can/cc770/cc770_isa.c b/drivers/net/can/cc770/cc770_isa.c
+index e0d15711e9ac..3a30fd3b4498 100644
+--- a/drivers/net/can/cc770/cc770_isa.c
++++ b/drivers/net/can/cc770/cc770_isa.c
+@@ -82,16 +82,16 @@ static u8 cor[MAXDEV] = {[0 ... (MAXDEV - 1)] = 0xff};
+ static u8 bcr[MAXDEV] = {[0 ... (MAXDEV - 1)] = 0xff};
+ static int indirect[MAXDEV] = {[0 ... (MAXDEV - 1)] = -1};
+ 
+-module_param_array(port, ulong, NULL, S_IRUGO);
++module_param_hw_array(port, ulong, ioport, NULL, S_IRUGO);
+ MODULE_PARM_DESC(port, "I/O port number");
+ 
+-module_param_array(mem, ulong, NULL, S_IRUGO);
++module_param_hw_array(mem, ulong, iomem, NULL, S_IRUGO);
+ MODULE_PARM_DESC(mem, "I/O memory address");
+ 
+-module_param_array(indirect, int, NULL, S_IRUGO);
++module_param_hw_array(indirect, int, ioport, NULL, S_IRUGO);
+ MODULE_PARM_DESC(indirect, "Indirect access via address and data port");
+ 
+-module_param_array(irq, int, NULL, S_IRUGO);
++module_param_hw_array(irq, int, irq, NULL, S_IRUGO);
+ MODULE_PARM_DESC(irq, "IRQ number");
+ 
+ module_param_array(clk, int, NULL, S_IRUGO);
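Review bot: in the cc770_isa.c hunk `indirect` is given the `ioport` type, yet its MODULE_PARM_DESC describes it as a selector for indirect access via address and data ports (defaulting to -1 in the context line), not a port number itself; `other` would describe it more accurately, although either type causes it to be refused under lockdown, which is the behaviour that matters. The same classification question applies to the sja1000_isa.c hunk below, which has the identical line.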
+diff --git a/drivers/net/can/sja1000/sja1000_isa.c b/drivers/net/can/sja1000/sja1000_isa.c
+index e97e6d35b300..a89c1e92554d 100644
+--- a/drivers/net/can/sja1000/sja1000_isa.c
++++ b/drivers/net/can/sja1000/sja1000_isa.c
+@@ -48,16 +48,16 @@ static unsigned char ocr[MAXDEV] = {[0 ... (MAXDEV - 1)] = 0xff};
+ static int indirect[MAXDEV] = {[0 ... (MAXDEV - 1)] = -1};
+ static spinlock_t indirect_lock[MAXDEV];  /* lock for indirect access mode */
+ 
+-module_param_array(port, ulong, NULL, S_IRUGO);
++module_param_hw_array(port, ulong, ioport, NULL, S_IRUGO);
+ MODULE_PARM_DESC(port, "I/O port number");
+ 
+-module_param_array(mem, ulong, NULL, S_IRUGO);
++module_param_hw_array(mem, ulong, iomem, NULL, S_IRUGO);
+ MODULE_PARM_DESC(mem, "I/O memory address");
+ 
+-module_param_array(indirect, int, NULL, S_IRUGO);
++module_param_hw_array(indirect, int, ioport, NULL, S_IRUGO);
+ MODULE_PARM_DESC(indirect, "Indirect access via address and data port");
+ 
+-module_param_array(irq, int, NULL, S_IRUGO);
++module_param_hw_array(irq, int, irq, NULL, S_IRUGO);
+ MODULE_PARM_DESC(irq, "IRQ number");
+ 
+ module_param_array(clk, int, NULL, S_IRUGO);
diff --git a/debian/patches/features/all/lockdown/0019-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0019-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..20f4f3b
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0019-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,234 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:26 +0100
+Subject: [19/62] Annotate hardware config module parameters in
+ drivers/net/ethernet/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=36f7a604f8c2b0564722e84b903d6de6c2644f85
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/net/ethernet/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Steffen Klassert <klassert at mathematik.tu-chemnitz.de>
+cc: Jaroslav Kysela <perex at perex.cz>
+cc: netdev at vger.kernel.org
+cc: linux-parisc at vger.kernel.org
+---
+ drivers/net/ethernet/3com/3c509.c      | 2 +-
+ drivers/net/ethernet/3com/3c59x.c      | 4 ++--
+ drivers/net/ethernet/8390/ne.c         | 4 ++--
+ drivers/net/ethernet/8390/smc-ultra.c  | 4 ++--
+ drivers/net/ethernet/8390/wd.c         | 8 ++++----
+ drivers/net/ethernet/amd/lance.c       | 6 +++---
+ drivers/net/ethernet/amd/ni65.c        | 6 +++---
+ drivers/net/ethernet/cirrus/cs89x0.c   | 6 +++---
+ drivers/net/ethernet/dec/tulip/de4x5.c | 2 +-
+ drivers/net/ethernet/hp/hp100.c        | 2 +-
+ drivers/net/ethernet/realtek/atp.c     | 4 ++--
+ drivers/net/ethernet/smsc/smc9194.c    | 4 ++--
+ 12 files changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/net/ethernet/3com/3c509.c b/drivers/net/ethernet/3com/3c509.c
+index c7f9f2c77da7..db8592d412ab 100644
+--- a/drivers/net/ethernet/3com/3c509.c
++++ b/drivers/net/ethernet/3com/3c509.c
+@@ -1371,7 +1371,7 @@ el3_resume(struct device *pdev)
+ #endif /* CONFIG_PM */
+ 
+ module_param(debug,int, 0);
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ module_param(max_interrupt_work, int, 0);
+ MODULE_PARM_DESC(debug, "debug level (0-6)");
+ MODULE_PARM_DESC(irq, "IRQ number(s) (assigned)");
+diff --git a/drivers/net/ethernet/3com/3c59x.c b/drivers/net/ethernet/3com/3c59x.c
+index 40196f41768a..e41245a54f8b 100644
+--- a/drivers/net/ethernet/3com/3c59x.c
++++ b/drivers/net/ethernet/3com/3c59x.c
+@@ -813,8 +813,8 @@ module_param(global_enable_wol, int, 0);
+ module_param_array(enable_wol, int, NULL, 0);
+ module_param(rx_copybreak, int, 0);
+ module_param(max_interrupt_work, int, 0);
+-module_param(compaq_ioaddr, int, 0);
+-module_param(compaq_irq, int, 0);
++module_param_hw(compaq_ioaddr, int, ioport, 0);
++module_param_hw(compaq_irq, int, irq, 0);
+ module_param(compaq_device_id, int, 0);
+ module_param(watchdog, int, 0);
+ module_param(global_use_mmio, int, 0);
+diff --git a/drivers/net/ethernet/8390/ne.c b/drivers/net/ethernet/8390/ne.c
+index c063b410a163..66f47987e2a2 100644
+--- a/drivers/net/ethernet/8390/ne.c
++++ b/drivers/net/ethernet/8390/ne.c
+@@ -74,8 +74,8 @@ static int bad[MAX_NE_CARDS];
+ static u32 ne_msg_enable;
+ 
+ #ifdef MODULE
+-module_param_array(io, int, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ module_param_array(bad, int, NULL, 0);
+ module_param_named(msg_enable, ne_msg_enable, uint, (S_IRUSR|S_IRGRP|S_IROTH));
+ MODULE_PARM_DESC(io, "I/O base address(es),required");
+diff --git a/drivers/net/ethernet/8390/smc-ultra.c b/drivers/net/ethernet/8390/smc-ultra.c
+index 364b6514f65f..4e02f6a23575 100644
+--- a/drivers/net/ethernet/8390/smc-ultra.c
++++ b/drivers/net/ethernet/8390/smc-ultra.c
+@@ -561,8 +561,8 @@ static struct net_device *dev_ultra[MAX_ULTRA_CARDS];
+ static int io[MAX_ULTRA_CARDS];
+ static int irq[MAX_ULTRA_CARDS];
+ 
+-module_param_array(io, int, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ module_param_named(msg_enable, ultra_msg_enable, uint, (S_IRUSR|S_IRGRP|S_IROTH));
+ MODULE_PARM_DESC(io, "I/O base address(es)");
+ MODULE_PARM_DESC(irq, "IRQ number(s) (assigned)");
+diff --git a/drivers/net/ethernet/8390/wd.c b/drivers/net/ethernet/8390/wd.c
+index ad019cbc698f..6efa2722f850 100644
+--- a/drivers/net/ethernet/8390/wd.c
++++ b/drivers/net/ethernet/8390/wd.c
+@@ -503,10 +503,10 @@ static int irq[MAX_WD_CARDS];
+ static int mem[MAX_WD_CARDS];
+ static int mem_end[MAX_WD_CARDS];	/* for non std. mem size */
+ 
+-module_param_array(io, int, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
+-module_param_array(mem, int, NULL, 0);
+-module_param_array(mem_end, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
++module_param_hw_array(mem, int, iomem, NULL, 0);
++module_param_hw_array(mem_end, int, iomem, NULL, 0);
+ module_param_named(msg_enable, wd_msg_enable, uint, (S_IRUSR|S_IRGRP|S_IROTH));
+ MODULE_PARM_DESC(io, "I/O base address(es)");
+ MODULE_PARM_DESC(irq, "IRQ number(s) (ignored for PureData boards)");
+diff --git a/drivers/net/ethernet/amd/lance.c b/drivers/net/ethernet/amd/lance.c
+index 61a641f23149..12a6a93d221b 100644
+--- a/drivers/net/ethernet/amd/lance.c
++++ b/drivers/net/ethernet/amd/lance.c
+@@ -318,9 +318,9 @@ static int io[MAX_CARDS];
+ static int dma[MAX_CARDS];
+ static int irq[MAX_CARDS];
+ 
+-module_param_array(io, int, NULL, 0);
+-module_param_array(dma, int, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
++module_param_hw_array(dma, int, dma, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ module_param(lance_debug, int, 0);
+ MODULE_PARM_DESC(io, "LANCE/PCnet I/O base address(es),required");
+ MODULE_PARM_DESC(dma, "LANCE/PCnet ISA DMA channel (ignored for some devices)");
+diff --git a/drivers/net/ethernet/amd/ni65.c b/drivers/net/ethernet/amd/ni65.c
+index 5985bf220a8d..e248d1ab3e47 100644
+--- a/drivers/net/ethernet/amd/ni65.c
++++ b/drivers/net/ethernet/amd/ni65.c
+@@ -1227,9 +1227,9 @@ static void set_multicast_list(struct net_device *dev)
+ #ifdef MODULE
+ static struct net_device *dev_ni65;
+ 
+-module_param(irq, int, 0);
+-module_param(io, int, 0);
+-module_param(dma, int, 0);
++module_param_hw(irq, int, irq, 0);
++module_param_hw(io, int, ioport, 0);
++module_param_hw(dma, int, dma, 0);
+ MODULE_PARM_DESC(irq, "ni6510 IRQ number (ignored for some cards)");
+ MODULE_PARM_DESC(io, "ni6510 I/O base address");
+ MODULE_PARM_DESC(dma, "ni6510 ISA DMA channel (ignored for some cards)");
+diff --git a/drivers/net/ethernet/cirrus/cs89x0.c b/drivers/net/ethernet/cirrus/cs89x0.c
+index 3647b28e8de0..8f660d9761cc 100644
+--- a/drivers/net/ethernet/cirrus/cs89x0.c
++++ b/drivers/net/ethernet/cirrus/cs89x0.c
+@@ -1704,12 +1704,12 @@ static int use_dma;			/* These generate unused var warnings if ALLOW_DMA = 0 */
+ static int dma;
+ static int dmasize = 16;		/* or 64 */
+ 
+-module_param(io, int, 0);
+-module_param(irq, int, 0);
++module_param_hw(io, int, ioport, 0);
++module_param_hw(irq, int, irq, 0);
+ module_param(debug, int, 0);
+ module_param_string(media, media, sizeof(media), 0);
+ module_param(duplex, int, 0);
+-module_param(dma , int, 0);
++module_param_hw(dma , int, dma, 0);
+ module_param(dmasize , int, 0);
+ module_param(use_dma , int, 0);
+ MODULE_PARM_DESC(io, "cs89x0 I/O base address");
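Review bot: in the cs89x0.c hunk the replacement line keeps the stray space from the original, `module_param_hw(dma , int, dma, 0);`; since the line is being rewritten anyway, normalising it to `module_param_hw(dma, int, dma, 0);` costs nothing and matches the `io` and `irq` lines just above. The classification of io, irq and dma is correct, and `dmasize` and `use_dma` are rightly left unannotated because they are a buffer size and an enable flag, not addresses or channels.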
+diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c
+index df4a871df633..fd6bcf024729 100644
+--- a/drivers/net/ethernet/dec/tulip/de4x5.c
++++ b/drivers/net/ethernet/dec/tulip/de4x5.c
+@@ -1015,7 +1015,7 @@ static int     compact_infoblock(struct net_device *dev, u_char count, u_char *p
+ 
+ static int io=0x0;/* EDIT THIS LINE FOR YOUR CONFIGURATION IF NEEDED        */
+ 
+-module_param(io, int, 0);
++module_param_hw(io, int, ioport, 0);
+ module_param(de4x5_debug, int, 0);
+ module_param(dec_only, int, 0);
+ module_param(args, charp, 0);
+diff --git a/drivers/net/ethernet/hp/hp100.c b/drivers/net/ethernet/hp/hp100.c
+index 1a31bee6e728..5673b071e39d 100644
+--- a/drivers/net/ethernet/hp/hp100.c
++++ b/drivers/net/ethernet/hp/hp100.c
+@@ -2966,7 +2966,7 @@ MODULE_DESCRIPTION("HP CASCADE Architecture Driver for 100VG-AnyLan Network Adap
+ #define HP100_DEVICES 5
+ /* Parameters set by insmod */
+ static int hp100_port[HP100_DEVICES] = { 0, [1 ... (HP100_DEVICES-1)] = -1 };
+-module_param_array(hp100_port, int, NULL, 0);
++module_param_hw_array(hp100_port, int, ioport, NULL, 0);
+ 
+ /* List of devices */
+ static struct net_device *hp100_devlist[HP100_DEVICES];
+diff --git a/drivers/net/ethernet/realtek/atp.c b/drivers/net/ethernet/realtek/atp.c
+index 9bcd4aefc9c5..bed34684994f 100644
+--- a/drivers/net/ethernet/realtek/atp.c
++++ b/drivers/net/ethernet/realtek/atp.c
+@@ -151,8 +151,8 @@ MODULE_LICENSE("GPL");
+ 
+ module_param(max_interrupt_work, int, 0);
+ module_param(debug, int, 0);
+-module_param_array(io, int, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ module_param_array(xcvr, int, NULL, 0);
+ MODULE_PARM_DESC(max_interrupt_work, "ATP maximum events handled per interrupt");
+ MODULE_PARM_DESC(debug, "ATP debug level (0-7)");
+diff --git a/drivers/net/ethernet/smsc/smc9194.c b/drivers/net/ethernet/smsc/smc9194.c
+index c8d84679ede7..d3bb2ba51f40 100644
+--- a/drivers/net/ethernet/smsc/smc9194.c
++++ b/drivers/net/ethernet/smsc/smc9194.c
+@@ -1501,8 +1501,8 @@ static void smc_set_multicast_list(struct net_device *dev)
+ static struct net_device *devSMC9194;
+ MODULE_LICENSE("GPL");
+ 
+-module_param(io, int, 0);
+-module_param(irq, int, 0);
++module_param_hw(io, int, ioport, 0);
++module_param_hw(irq, int, irq, 0);
+ module_param(ifport, int, 0);
+ MODULE_PARM_DESC(io, "SMC 99194 I/O base address");
+ MODULE_PARM_DESC(irq, "SMC 99194 IRQ number");
diff --git a/debian/patches/features/all/lockdown/0020-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0020-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..621ba0b
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0020-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,111 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:26 +0100
+Subject: [20/62] Annotate hardware config module parameters in
+ drivers/net/hamradio/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=2bf23e0fa97ea5c3bad27fa6f878b6ecde838ea4
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/net/hamradio/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Thomas Sailer <t.sailer at alumni.ethz.ch>
+cc: Joerg Reuter <jreuter at yaina.de>
+cc: linux-hams at vger.kernel.org
+cc: netdev at vger.kernel.org
+---
+ drivers/net/hamradio/baycom_epp.c     | 2 +-
+ drivers/net/hamradio/baycom_par.c     | 2 +-
+ drivers/net/hamradio/baycom_ser_fdx.c | 4 ++--
+ drivers/net/hamradio/baycom_ser_hdx.c | 4 ++--
+ drivers/net/hamradio/dmascc.c         | 2 +-
+ 5 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/hamradio/baycom_epp.c b/drivers/net/hamradio/baycom_epp.c
+index 594fa1407e29..1503f10122f7 100644
+--- a/drivers/net/hamradio/baycom_epp.c
++++ b/drivers/net/hamradio/baycom_epp.c
+@@ -1176,7 +1176,7 @@ static int iobase[NR_PORTS] = { 0x378, };
+ 
+ module_param_array(mode, charp, NULL, 0);
+ MODULE_PARM_DESC(mode, "baycom operating mode");
+-module_param_array(iobase, int, NULL, 0);
++module_param_hw_array(iobase, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(iobase, "baycom io base address");
+ 
+ MODULE_AUTHOR("Thomas M. Sailer, sailer at ife.ee.ethz.ch, hb9jnx at hb9w.che.eu");
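Review bot: in the baycom_epp.c hunk the context line shows `iobase` defaulting to 0x378, so a locked-down kernel still probes that fixed parallel-port address after the user-supplied value is refused. That is within the model this series states (the compiled-in default is trusted, only user-chosen values are blocked), but it is worth spelling out in the commit message because it differs from drivers whose defaults are unset. baycom_par.c and baycom_ser_hdx.c below show the same pattern, with 0x378 and IRQ 4 as defaults.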
+diff --git a/drivers/net/hamradio/baycom_par.c b/drivers/net/hamradio/baycom_par.c
+index 809dc25909d1..92b13b39f426 100644
+--- a/drivers/net/hamradio/baycom_par.c
++++ b/drivers/net/hamradio/baycom_par.c
+@@ -481,7 +481,7 @@ static int iobase[NR_PORTS] = { 0x378, };
+ 
+ module_param_array(mode, charp, NULL, 0);
+ MODULE_PARM_DESC(mode, "baycom operating mode; eg. par96 or picpar");
+-module_param_array(iobase, int, NULL, 0);
++module_param_hw_array(iobase, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(iobase, "baycom io base address");
+ 
+ MODULE_AUTHOR("Thomas M. Sailer, sailer at ife.ee.ethz.ch, hb9jnx at hb9w.che.eu");
+diff --git a/drivers/net/hamradio/baycom_ser_fdx.c b/drivers/net/hamradio/baycom_ser_fdx.c
+index ebc06822fd4d..d9a646acca20 100644
+--- a/drivers/net/hamradio/baycom_ser_fdx.c
++++ b/drivers/net/hamradio/baycom_ser_fdx.c
+@@ -614,9 +614,9 @@ static int baud[NR_PORTS] = { [0 ... NR_PORTS-1] = 1200 };
+ 
+ module_param_array(mode, charp, NULL, 0);
+ MODULE_PARM_DESC(mode, "baycom operating mode; * for software DCD");
+-module_param_array(iobase, int, NULL, 0);
++module_param_hw_array(iobase, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(iobase, "baycom io base address");
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ MODULE_PARM_DESC(irq, "baycom irq number");
+ module_param_array(baud, int, NULL, 0);
+ MODULE_PARM_DESC(baud, "baycom baud rate (300 to 4800)");
+diff --git a/drivers/net/hamradio/baycom_ser_hdx.c b/drivers/net/hamradio/baycom_ser_hdx.c
+index 60fcf512c208..f1c8a9ff3891 100644
+--- a/drivers/net/hamradio/baycom_ser_hdx.c
++++ b/drivers/net/hamradio/baycom_ser_hdx.c
+@@ -642,9 +642,9 @@ static int irq[NR_PORTS] = { 4, };
+ 
+ module_param_array(mode, charp, NULL, 0);
+ MODULE_PARM_DESC(mode, "baycom operating mode; * for software DCD");
+-module_param_array(iobase, int, NULL, 0);
++module_param_hw_array(iobase, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(iobase, "baycom io base address");
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ MODULE_PARM_DESC(irq, "baycom irq number");
+ 
+ MODULE_AUTHOR("Thomas M. Sailer, sailer at ife.ee.ethz.ch, hb9jnx at hb9w.che.eu");
+diff --git a/drivers/net/hamradio/dmascc.c b/drivers/net/hamradio/dmascc.c
+index 2479072981a1..dec6b76bc0fb 100644
+--- a/drivers/net/hamradio/dmascc.c
++++ b/drivers/net/hamradio/dmascc.c
+@@ -274,7 +274,7 @@ static unsigned long rand;
+ 
+ MODULE_AUTHOR("Klaus Kudielka");
+ MODULE_DESCRIPTION("Driver for high-speed SCC boards");
+-module_param_array(io, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
+ MODULE_LICENSE("GPL");
+ 
+ static void __exit dmascc_exit(void)
diff --git a/debian/patches/features/all/lockdown/0021-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0021-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..bd760af
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0021-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,125 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:26 +0100
+Subject: [21/62] Annotate hardware config module parameters in
+ drivers/net/irda/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=b14425b5b7dfe055d20f4e5b7e9c7013cf5784ac
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/net/irda/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Samuel Ortiz <samuel at sortiz.org>
+cc: netdev at vger.kernel.org
+---
+ drivers/net/irda/ali-ircc.c    |  6 +++---
+ drivers/net/irda/nsc-ircc.c    |  6 +++---
+ drivers/net/irda/smsc-ircc2.c  | 10 +++++-----
+ drivers/net/irda/w83977af_ir.c |  4 ++--
+ 4 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/irda/ali-ircc.c b/drivers/net/irda/ali-ircc.c
+index c285eafd3f1c..35f198d83701 100644
+--- a/drivers/net/irda/ali-ircc.c
++++ b/drivers/net/irda/ali-ircc.c
+@@ -2207,11 +2207,11 @@ MODULE_LICENSE("GPL");
+ MODULE_ALIAS("platform:" ALI_IRCC_DRIVER_NAME);
+ 
+ 
+-module_param_array(io, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(io, "Base I/O addresses");
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ MODULE_PARM_DESC(irq, "IRQ lines");
+-module_param_array(dma, int, NULL, 0);
++module_param_hw_array(dma, int, dma, NULL, 0);
+ MODULE_PARM_DESC(dma, "DMA channels");
+ 
+ module_init(ali_ircc_init);
+diff --git a/drivers/net/irda/nsc-ircc.c b/drivers/net/irda/nsc-ircc.c
+index aaecc3baaf30..7beae147be11 100644
+--- a/drivers/net/irda/nsc-ircc.c
++++ b/drivers/net/irda/nsc-ircc.c
+@@ -2396,11 +2396,11 @@ MODULE_LICENSE("GPL");
+ 
+ module_param(qos_mtt_bits, int, 0);
+ MODULE_PARM_DESC(qos_mtt_bits, "Minimum Turn Time");
+-module_param_array(io, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(io, "Base I/O addresses");
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ MODULE_PARM_DESC(irq, "IRQ lines");
+-module_param_array(dma, int, NULL, 0);
++module_param_hw_array(dma, int, dma, NULL, 0);
+ MODULE_PARM_DESC(dma, "DMA channels");
+ module_param(dongle_id, int, 0);
+ MODULE_PARM_DESC(dongle_id, "Type-id of used dongle");
+diff --git a/drivers/net/irda/smsc-ircc2.c b/drivers/net/irda/smsc-ircc2.c
+index dcf92ba80872..23ed89ae5ddc 100644
+--- a/drivers/net/irda/smsc-ircc2.c
++++ b/drivers/net/irda/smsc-ircc2.c
+@@ -82,24 +82,24 @@ MODULE_PARM_DESC(nopnp, "Do not use PNP to detect controller settings, defaults
+ 
+ #define DMA_INVAL 255
+ static int ircc_dma = DMA_INVAL;
+-module_param(ircc_dma, int, 0);
++module_param_hw(ircc_dma, int, dma, 0);
+ MODULE_PARM_DESC(ircc_dma, "DMA channel");
+ 
+ #define IRQ_INVAL 255
+ static int ircc_irq = IRQ_INVAL;
+-module_param(ircc_irq, int, 0);
++module_param_hw(ircc_irq, int, irq, 0);
+ MODULE_PARM_DESC(ircc_irq, "IRQ line");
+ 
+ static int ircc_fir;
+-module_param(ircc_fir, int, 0);
++module_param_hw(ircc_fir, int, ioport, 0);
+ MODULE_PARM_DESC(ircc_fir, "FIR Base Address");
+ 
+ static int ircc_sir;
+-module_param(ircc_sir, int, 0);
++module_param_hw(ircc_sir, int, ioport, 0);
+ MODULE_PARM_DESC(ircc_sir, "SIR Base Address");
+ 
+ static int ircc_cfg;
+-module_param(ircc_cfg, int, 0);
++module_param_hw(ircc_cfg, int, ioport, 0);
+ MODULE_PARM_DESC(ircc_cfg, "Configuration register base address");
+ 
+ static int ircc_transceiver;
+diff --git a/drivers/net/irda/w83977af_ir.c b/drivers/net/irda/w83977af_ir.c
+index 8d5b903d1d9d..282b6c9ae05b 100644
+--- a/drivers/net/irda/w83977af_ir.c
++++ b/drivers/net/irda/w83977af_ir.c
+@@ -1263,9 +1263,9 @@ MODULE_LICENSE("GPL");
+ 
+ module_param(qos_mtt_bits, int, 0);
+ MODULE_PARM_DESC(qos_mtt_bits, "Mimimum Turn Time");
+-module_param_array(io, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(io, "Base I/O addresses");
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ MODULE_PARM_DESC(irq, "IRQ lines");
+ 
+ /*
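Review bot: the unchanged context line `MODULE_PARM_DESC(qos_mtt_bits, "Mimimum Turn Time");` carries a pre-existing typo ("Mimimum" for "Minimum"); it is out of scope for an annotation-only patch, so leave this hunk as it is and fix it in a separate cleanup rather than widening the diff here. The annotations themselves match nsc-ircc.c above (io as ioport, irq as irq), and qos_mtt_bits is correctly left unannotated, since it is a timing value rather than a hardware resource the card is handed.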
diff --git a/debian/patches/features/all/lockdown/0022-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0022-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..781baae
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0022-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,112 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:27 +0100
+Subject: [22/62] Annotate hardware config module parameters in
+ drivers/net/wan/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=ded1b99ef0c3cc59cd79b7a8c20c844cf3374bb5
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/net/wan/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: "Jan \"Yenya\" Kasprzak" <kas at fi.muni.cz>
+cc: netdev at vger.kernel.org
+---
+ drivers/net/wan/cosa.c         | 6 +++---
+ drivers/net/wan/hostess_sv11.c | 6 +++---
+ drivers/net/wan/sbni.c         | 4 ++--
+ drivers/net/wan/sealevel.c     | 8 ++++----
+ 4 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/wan/cosa.c b/drivers/net/wan/cosa.c
+index 4ca71bca39ac..6ea16260ec76 100644
+--- a/drivers/net/wan/cosa.c
++++ b/drivers/net/wan/cosa.c
+@@ -232,11 +232,11 @@ static int irq[MAX_CARDS+1] = { -1, -1, -1, -1, -1, -1, 0, };
+ static struct class *cosa_class;
+ 
+ #ifdef MODULE
+-module_param_array(io, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(io, "The I/O bases of the COSA or SRP cards");
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ MODULE_PARM_DESC(irq, "The IRQ lines of the COSA or SRP cards");
+-module_param_array(dma, int, NULL, 0);
++module_param_hw_array(dma, int, dma, NULL, 0);
+ MODULE_PARM_DESC(dma, "The DMA channels of the COSA or SRP cards");
+ 
+ MODULE_AUTHOR("Jan \"Yenya\" Kasprzak, <kas at fi.muni.cz>");
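Review bot: the annotated io/irq/dma declarations sit inside `#ifdef MODULE`, so this hunk only covers the modular build; if cosa.c also accepts the same resources from the kernel command line when built in (that code is not in this hunk), that path needs the same lockdown treatment, otherwise a built-in configuration route is left open that the commit message says should be closed. Worth confirming before merging, since the stated goal of the series is that no driver-configuration route can point a device at the kernel image.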
+diff --git a/drivers/net/wan/hostess_sv11.c b/drivers/net/wan/hostess_sv11.c
+index dd6bb3364ad2..4de0737fbf8a 100644
+--- a/drivers/net/wan/hostess_sv11.c
++++ b/drivers/net/wan/hostess_sv11.c
+@@ -324,11 +324,11 @@ static void sv11_shutdown(struct z8530_dev *dev)
+ static int io = 0x200;
+ static int irq = 9;
+ 
+-module_param(io, int, 0);
++module_param_hw(io, int, ioport, 0);
+ MODULE_PARM_DESC(io, "The I/O base of the Comtrol Hostess SV11 card");
+-module_param(dma, int, 0);
++module_param_hw(dma, int, dma, 0);
+ MODULE_PARM_DESC(dma, "Set this to 1 to use DMA1/DMA3 for TX/RX");
+-module_param(irq, int, 0);
++module_param_hw(irq, int, irq, 0);
+ MODULE_PARM_DESC(irq, "The interrupt line setting for the Comtrol Hostess SV11 card");
+ 
+ MODULE_AUTHOR("Alan Cox");
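Review bot: `dma` here is a 0/1 switch ("Set this to 1 to use DMA1/DMA3 for TX/RX") rather than a channel number, so classifying it as `dma` is a judgement call; it is the right one, because enabling the switch commits the card to bus-mastering on fixed DMA channels, which is exactly the class of hardware configuration this series wants refused under lockdown. A one-line comment above `module_param_hw(dma, int, dma, 0);` saying so would stop a later reader from "correcting" it back to a plain module_param.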
+diff --git a/drivers/net/wan/sbni.c b/drivers/net/wan/sbni.c
+index 3ca3419c54a0..bde8c0339831 100644
+--- a/drivers/net/wan/sbni.c
++++ b/drivers/net/wan/sbni.c
+@@ -1463,8 +1463,8 @@ set_multicast_list( struct net_device  *dev )
+ 
+ 
+ #ifdef MODULE
+-module_param_array(io, int, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ module_param_array(baud, int, NULL, 0);
+ module_param_array(rxl, int, NULL, 0);
+ module_param_array(mac, int, NULL, 0);
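Review bot: none of the parameters in this hunk has a MODULE_PARM_DESC, which matters a little more after this change because the core will now refuse io= and irq= under lockdown with an error naming the parameter; a short description for at least the two newly annotated ones would let modinfo explain what was rejected and why. The remaining three (baud, rxl, mac) are correctly left as plain module_param_array: they tune link behaviour and addressing, not the I/O or interrupt resources the card is given.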
+diff --git a/drivers/net/wan/sealevel.c b/drivers/net/wan/sealevel.c
+index fbb5aa2c4d8f..c56f2c252113 100644
+--- a/drivers/net/wan/sealevel.c
++++ b/drivers/net/wan/sealevel.c
+@@ -363,13 +363,13 @@ static int rxdma=3;
+ static int irq=5;
+ static bool slow=false;
+ 
+-module_param(io, int, 0);
++module_param_hw(io, int, ioport, 0);
+ MODULE_PARM_DESC(io, "The I/O base of the Sealevel card");
+-module_param(txdma, int, 0);
++module_param_hw(txdma, int, dma, 0);
+ MODULE_PARM_DESC(txdma, "Transmit DMA channel");
+-module_param(rxdma, int, 0);
++module_param_hw(rxdma, int, dma, 0);
+ MODULE_PARM_DESC(rxdma, "Receive DMA channel");
+-module_param(irq, int, 0);
++module_param_hw(irq, int, irq, 0);
+ MODULE_PARM_DESC(irq, "The interrupt line setting for the SeaLevel card");
+ module_param(slow, bool, 0);
+ MODULE_PARM_DESC(slow, "Set this for an older Sealevel card such as the 4012");
diff --git a/debian/patches/features/all/lockdown/0023-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0023-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..842f064
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0023-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,50 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:27 +0100
+Subject: [23/62] Annotate hardware config module parameters in
+ drivers/net/wireless/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=8108f1c7cb7cc32f93f280322f4aa1ba5314a66e
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/net/wireless/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Kalle Valo <kvalo at codeaurora.org>
+cc: linux-wireless at vger.kernel.org
+cc: netdev at vger.kernel.org
+---
+ drivers/net/wireless/cisco/airo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
+index 4b040451a9b8..1b7e125a28e2 100644
+--- a/drivers/net/wireless/cisco/airo.c
++++ b/drivers/net/wireless/cisco/airo.c
+@@ -246,8 +246,8 @@ MODULE_DESCRIPTION("Support for Cisco/Aironet 802.11 wireless ethernet cards.  "
+ 		   "Direct support for ISA/PCI/MPI cards and support for PCMCIA when used with airo_cs.");
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_SUPPORTED_DEVICE("Aironet 4500, 4800 and Cisco 340/350");
+-module_param_array(io, int, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ module_param_array(rates, int, NULL, 0);
+ module_param_array(ssids, charp, NULL, 0);
+ module_param(auto_wep, int, 0);
diff --git a/debian/patches/features/all/lockdown/0024-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0024-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..64db790
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0024-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,55 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:27 +0100
+Subject: [24/62] Annotate hardware config module parameters in
+ drivers/parport/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=e2450282634057131e64fb8bb83a22e1a9427694
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/parport/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Sudip Mukherjee <sudipm.mukherjee at gmail.com>
+---
+ drivers/parport/parport_pc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c
+index 9d42dfe65d44..5548193a28a6 100644
+--- a/drivers/parport/parport_pc.c
++++ b/drivers/parport/parport_pc.c
+@@ -3150,13 +3150,13 @@ static char *irq[PARPORT_PC_MAX_PORTS];
+ static char *dma[PARPORT_PC_MAX_PORTS];
+ 
+ MODULE_PARM_DESC(io, "Base I/O address (SPP regs)");
+-module_param_array(io, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(io_hi, "Base I/O address (ECR)");
+-module_param_array(io_hi, int, NULL, 0);
++module_param_hw_array(io_hi, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(irq, "IRQ line");
+-module_param_array(irq, charp, NULL, 0);
++module_param_hw_array(irq, charp, irq, NULL, 0);
+ MODULE_PARM_DESC(dma, "DMA channel");
+-module_param_array(dma, charp, NULL, 0);
++module_param_hw_array(dma, charp, dma, NULL, 0);
+ #if defined(CONFIG_PARPORT_PC_SUPERIO) || \
+        (defined(CONFIG_PARPORT_1284) && defined(CONFIG_PARPORT_PC_FIFO))
+ MODULE_PARM_DESC(verbose_probing, "Log chit-chat during initialisation");
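Review bot: irq and dma are `charp` arrays here (the context shows `static char *irq[PARPORT_PC_MAX_PORTS]` and `static char *dma[PARPORT_PC_MAX_PORTS]`), so whatever non-numeric spellings the driver interprets from those strings are refused under lockdown together with explicit numbers, because the hardware-type annotation is checked at parameter-parsing time, before the value is interpreted. That is the conservative behaviour and consistent with the rest of the series, but the MODULE_PARM_DESC for irq and dma could state that the parameter is ignored entirely when the kernel is locked down, so users do not assume only explicit numbers are blocked.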
diff --git a/debian/patches/features/all/lockdown/0025-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0025-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..c00449a
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0025-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,48 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:27 +0100
+Subject: [25/62] Annotate hardware config module parameters in
+ drivers/pci/hotplug/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=683739ab2441e5a3c530bee7d7c79f13a38bb425
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/pci/hotplug/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: Bjorn Helgaas <bhelgaas at google.com>
+cc: Scott Murray <scott at spiteful.org>
+cc: linux-pci at vger.kernel.org
+---
+ drivers/pci/hotplug/cpcihp_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/hotplug/cpcihp_generic.c b/drivers/pci/hotplug/cpcihp_generic.c
+index 88a44a707b96..bbf9cf8aeaad 100644
+--- a/drivers/pci/hotplug/cpcihp_generic.c
++++ b/drivers/pci/hotplug/cpcihp_generic.c
+@@ -220,7 +220,7 @@ module_param(first_slot, byte, 0);
+ MODULE_PARM_DESC(first_slot, "Hotswap bus first slot number");
+ module_param(last_slot, byte, 0);
+ MODULE_PARM_DESC(last_slot, "Hotswap bus last slot number");
+-module_param(port, ushort, 0);
++module_param_hw(port, ushort, ioport, 0);
+ MODULE_PARM_DESC(port, "#ENUM signal I/O port");
+ module_param(enum_bit, uint, 0);
+ MODULE_PARM_DESC(enum_bit, "#ENUM signal bit (0-7)");
diff --git a/debian/patches/features/all/lockdown/0026-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0026-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..0c35057
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0026-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,75 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:27 +0100
+Subject: [26/62] Annotate hardware config module parameters in drivers/pcmcia/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=abc3baae64c4956fd6d5b1b2b0d78cdc75fb8765
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/pcmcia/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: linux-pcmcia at lists.infradead.org
+---
+ drivers/pcmcia/i82365.c | 8 ++++----
+ drivers/pcmcia/tcic.c   | 8 ++++----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/pcmcia/i82365.c b/drivers/pcmcia/i82365.c
+index eb0d80a429e4..fb38cc01859f 100644
+--- a/drivers/pcmcia/i82365.c
++++ b/drivers/pcmcia/i82365.c
+@@ -108,12 +108,12 @@ static int async_clock = -1;
+ static int cable_mode = -1;
+ static int wakeup = 0;
+ 
+-module_param(i365_base, ulong, 0444);
++module_param_hw(i365_base, ulong, ioport, 0444);
+ module_param(ignore, int, 0444);
+ module_param(extra_sockets, int, 0444);
+-module_param(irq_mask, int, 0444);
+-module_param_array(irq_list, int, &irq_list_count, 0444);
+-module_param(cs_irq, int, 0444);
++module_param_hw(irq_mask, int, other, 0444);
++module_param_hw_array(irq_list, int, irq, &irq_list_count, 0444);
++module_param_hw(cs_irq, int, irq, 0444);
+ module_param(async_clock, int, 0444);
+ module_param(cable_mode, int, 0444);
+ module_param(wakeup, int, 0444);
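Review bot: `irq_mask` is classified as `other` while `irq_list` and `cs_irq` are classified as `irq`; judging from its name (no MODULE_PARM_DESC is given in this hunk) it is a mask over interrupt lines rather than a single line, so `other` is defensible, and because the core refuses every hardware-typed parameter under lockdown regardless of its type, the practical effect is identical. The type only affects the error message and any future per-type filtering, so a brief comment explaining why the mask is `other` would help; the same classification is repeated for tcic.c in the next hunk and should stay consistent with whatever is decided here.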
+diff --git a/drivers/pcmcia/tcic.c b/drivers/pcmcia/tcic.c
+index 1ee63e5f0550..a1ac72d51d70 100644
+--- a/drivers/pcmcia/tcic.c
++++ b/drivers/pcmcia/tcic.c
+@@ -85,12 +85,12 @@ static int poll_quick = HZ/20;
+ /* CCLK external clock time, in nanoseconds.  70 ns = 14.31818 MHz */
+ static int cycle_time = 70;
+ 
+-module_param(tcic_base, ulong, 0444);
++module_param_hw(tcic_base, ulong, ioport, 0444);
+ module_param(ignore, int, 0444);
+ module_param(do_scan, int, 0444);
+-module_param(irq_mask, int, 0444);
+-module_param_array(irq_list, int, &irq_list_count, 0444);
+-module_param(cs_irq, int, 0444);
++module_param_hw(irq_mask, int, other, 0444);
++module_param_hw_array(irq_list, int, irq, &irq_list_count, 0444);
++module_param_hw(cs_irq, int, irq, 0444);
+ module_param(poll_interval, int, 0444);
+ module_param(poll_quick, int, 0444);
+ module_param(cycle_time, int, 0444);
diff --git a/debian/patches/features/all/lockdown/0027-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0027-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..cc6ed98
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0027-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,131 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:27 +0100
+Subject: [27/62] Annotate hardware config module parameters in drivers/scsi/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=e3d6517827cdca4e24f36d50df94b0241e91ae8a
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/scsi/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: "Juergen E. Fischer" <fischer at norbit.de>
+cc: "James E.J. Bottomley" <jejb at linux.vnet.ibm.com>
+cc: "Martin K. Petersen" <martin.petersen at oracle.com>
+cc: Dario Ballabio <ballabio_dario at emc.com>
+cc: Finn Thain <fthain at telegraphics.com.au>
+cc: Michael Schmitz <schmitzmic at gmail.com>
+cc: Achim Leubner <achim_leubner at adaptec.com>
+cc: linux-scsi at vger.kernel.org
+---
+ drivers/scsi/aha152x.c   | 4 ++--
+ drivers/scsi/aha1542.c   | 2 +-
+ drivers/scsi/g_NCR5380.c | 8 ++++----
+ drivers/scsi/gdth.c      | 2 +-
+ drivers/scsi/qlogicfas.c | 4 ++--
+ 5 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/scsi/aha152x.c b/drivers/scsi/aha152x.c
+index f44d0487236e..ce5dc73d85bb 100644
+--- a/drivers/scsi/aha152x.c
++++ b/drivers/scsi/aha152x.c
+@@ -331,11 +331,11 @@ MODULE_LICENSE("GPL");
+ #if !defined(PCMCIA)
+ #if defined(MODULE)
+ static int io[] = {0, 0};
+-module_param_array(io, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(io,"base io address of controller");
+ 
+ static int irq[] = {0, 0};
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ MODULE_PARM_DESC(irq,"interrupt for controller");
+ 
+ static int scsiid[] = {7, 7};
+diff --git a/drivers/scsi/aha1542.c b/drivers/scsi/aha1542.c
+index 7db448ec8beb..a23cc9ac5acd 100644
+--- a/drivers/scsi/aha1542.c
++++ b/drivers/scsi/aha1542.c
+@@ -31,7 +31,7 @@ module_param(isapnp, bool, 0);
+ MODULE_PARM_DESC(isapnp, "enable PnP support (default=1)");
+ 
+ static int io[MAXBOARDS] = { 0x330, 0x334, 0, 0 };
+-module_param_array(io, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(io, "base IO address of controller (0x130,0x134,0x230,0x234,0x330,0x334, default=0x330,0x334)");
+ 
+ /* time AHA spends on the AT-bus during data transfer */
+diff --git a/drivers/scsi/g_NCR5380.c b/drivers/scsi/g_NCR5380.c
+index 67c8dac321ad..c34fc91ba486 100644
+--- a/drivers/scsi/g_NCR5380.c
++++ b/drivers/scsi/g_NCR5380.c
+@@ -85,8 +85,8 @@ static int ncr_53c400;
+ static int ncr_53c400a;
+ static int dtc_3181e;
+ static int hp_c2502;
+-module_param(ncr_irq, int, 0);
+-module_param(ncr_addr, int, 0);
++module_param_hw(ncr_irq, int, irq, 0);
++module_param_hw(ncr_addr, int, ioport, 0);
+ module_param(ncr_5380, int, 0);
+ module_param(ncr_53c400, int, 0);
+ module_param(ncr_53c400a, int, 0);
+@@ -94,11 +94,11 @@ module_param(dtc_3181e, int, 0);
+ module_param(hp_c2502, int, 0);
+ 
+ static int irq[] = { -1, -1, -1, -1, -1, -1, -1, -1 };
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ MODULE_PARM_DESC(irq, "IRQ number(s) (0=none, 254=auto [default])");
+ 
+ static int base[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+-module_param_array(base, int, NULL, 0);
++module_param_hw_array(base, int, ioport, NULL, 0);
+ MODULE_PARM_DESC(base, "base address(es)");
+ 
+ static int card[] = { -1, -1, -1, -1, -1, -1, -1, -1 };
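Review bot: the MODULE_PARM_DESC for irq still advertises "254=auto [default]", but under lockdown the core skips the whole irq= parameter, so irq=254 is refused exactly like an explicit line; since 254 is also the default, the driver still auto-probes in that case and nothing breaks, but the description could say that the parameter is unavailable when the kernel is locked down. The card[] selector that follows is correctly left unannotated: it names a board type, not a bus resource.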
+diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
+index d020a13646ae..facc7271f932 100644
+--- a/drivers/scsi/gdth.c
++++ b/drivers/scsi/gdth.c
+@@ -353,7 +353,7 @@ static int probe_eisa_isa = 0;
+ static int force_dma32 = 0;
+ 
+ /* parameters for modprobe/insmod */
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ module_param(disable, int, 0);
+ module_param(reserve_mode, int, 0);
+ module_param_array(reserve_list, int, NULL, 0);
+diff --git a/drivers/scsi/qlogicfas.c b/drivers/scsi/qlogicfas.c
+index 61cac87fb86f..840823b99e51 100644
+--- a/drivers/scsi/qlogicfas.c
++++ b/drivers/scsi/qlogicfas.c
+@@ -137,8 +137,8 @@ static struct Scsi_Host *__qlogicfas_detect(struct scsi_host_template *host,
+ static struct qlogicfas408_priv *cards;
+ static int iobase[MAX_QLOGICFAS];
+ static int irq[MAX_QLOGICFAS] = { [0 ... MAX_QLOGICFAS-1] = -1 };
+-module_param_array(iobase, int, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(iobase, int, ioport, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ MODULE_PARM_DESC(iobase, "I/O address");
+ MODULE_PARM_DESC(irq, "IRQ");
+ 
diff --git a/debian/patches/features/all/lockdown/0028-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0028-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..2ec6903
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0028-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,53 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:28 +0100
+Subject: [28/62] Annotate hardware config module parameters in
+ drivers/staging/media/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=db33ab46d89c69211f56940278c394067fe6876e
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/staging/media/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Mauro Carvalho Chehab <mchehab at kernel.org>
+cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+cc: linux-media at vger.kernel.org
+cc: devel at driverdev.osuosl.org
+---
+ drivers/staging/media/lirc/lirc_sir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/media/lirc/lirc_sir.c b/drivers/staging/media/lirc/lirc_sir.c
+index c6c3de94adaa..dde46dd8cabb 100644
+--- a/drivers/staging/media/lirc/lirc_sir.c
++++ b/drivers/staging/media/lirc/lirc_sir.c
+@@ -826,10 +826,10 @@ MODULE_AUTHOR("Milan Pikula");
+ #endif
+ MODULE_LICENSE("GPL");
+ 
+-module_param(io, int, S_IRUGO);
++module_param_hw(io, int, ioport, S_IRUGO);
+ MODULE_PARM_DESC(io, "I/O address base (0x3f8 or 0x2f8)");
+ 
+-module_param(irq, int, S_IRUGO);
++module_param_hw(irq, int, irq, S_IRUGO);
+ MODULE_PARM_DESC(irq, "Interrupt (4 or 3)");
+ 
+ module_param(threshold, int, S_IRUGO);
diff --git a/debian/patches/features/all/lockdown/0029-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0029-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..c2fe660
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0029-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,76 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:28 +0100
+Subject: [29/62] Annotate hardware config module parameters in
+ drivers/staging/speakup/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=1f78a159fa613a2d95754c1e3ea067c749aeb509
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/staging/speakup/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+cc: speakup at linux-speakup.org
+cc: devel at driverdev.osuosl.org
+---
+ drivers/staging/speakup/speakup_acntpc.c | 2 +-
+ drivers/staging/speakup/speakup_dtlk.c   | 2 +-
+ drivers/staging/speakup/speakup_keypc.c  | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/speakup/speakup_acntpc.c b/drivers/staging/speakup/speakup_acntpc.c
+index c7fab261d860..b6fbf9de1f85 100644
+--- a/drivers/staging/speakup/speakup_acntpc.c
++++ b/drivers/staging/speakup/speakup_acntpc.c
+@@ -307,7 +307,7 @@ static void accent_release(void)
+ 	speakup_info.port_tts = 0;
+ }
+ 
+-module_param_named(port, port_forced, int, 0444);
++module_param_hw_named(port, port_forced, int, ioport, 0444);
+ module_param_named(start, synth_acntpc.startup, short, 0444);
+ 
+ MODULE_PARM_DESC(port, "Set the port for the synthesizer (override probing).");
+diff --git a/drivers/staging/speakup/speakup_dtlk.c b/drivers/staging/speakup/speakup_dtlk.c
+index e2bf20806d8d..9c097fda07b0 100644
+--- a/drivers/staging/speakup/speakup_dtlk.c
++++ b/drivers/staging/speakup/speakup_dtlk.c
+@@ -378,7 +378,7 @@ static void dtlk_release(void)
+ 	speakup_info.port_tts = 0;
+ }
+ 
+-module_param_named(port, port_forced, int, 0444);
++module_param_hw_named(port, port_forced, int, ioport, 0444);
+ module_param_named(start, synth_dtlk.startup, short, 0444);
+ 
+ MODULE_PARM_DESC(port, "Set the port for the synthesizer (override probing).");
+diff --git a/drivers/staging/speakup/speakup_keypc.c b/drivers/staging/speakup/speakup_keypc.c
+index 10f4964782e2..e653b52175b8 100644
+--- a/drivers/staging/speakup/speakup_keypc.c
++++ b/drivers/staging/speakup/speakup_keypc.c
+@@ -309,7 +309,7 @@ static void keynote_release(void)
+ 	synth_port = 0;
+ }
+ 
+-module_param_named(port, port_forced, int, 0444);
++module_param_hw_named(port, port_forced, int, ioport, 0444);
+ module_param_named(start, synth_keypc.startup, short, 0444);
+ 
+ MODULE_PARM_DESC(port, "Set the port for the synthesizer (override probing).");
diff --git a/debian/patches/features/all/lockdown/0030-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0030-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..2b9ef64
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0030-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,61 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:28 +0100
+Subject: [30/62] Annotate hardware config module parameters in
+ drivers/staging/vme/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=ae1779570a11610bc25974a9574e2cbc29ba1508
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/staging/vme/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Martyn Welch <martyn at welchs.me.uk>
+cc: Manohar Vanga <manohar.vanga at gmail.com>
+cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+cc: devel at driverdev.osuosl.org
+---
+ drivers/staging/vme/devices/vme_pio2_core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/vme/devices/vme_pio2_core.c b/drivers/staging/vme/devices/vme_pio2_core.c
+index 20a2d835fdaa..367535b4b77f 100644
+--- a/drivers/staging/vme/devices/vme_pio2_core.c
++++ b/drivers/staging/vme/devices/vme_pio2_core.c
+@@ -466,16 +466,16 @@ static void __exit pio2_exit(void)
+ 
+ /* These are required for each board */
+ MODULE_PARM_DESC(bus, "Enumeration of VMEbus to which the board is connected");
+-module_param_array(bus, int, &bus_num, 0444);
++module_param_hw_array(bus, int, other, &bus_num, 0444);
+ 
+ MODULE_PARM_DESC(base, "Base VME address for PIO2 Registers");
+-module_param_array(base, long, &base_num, 0444);
++module_param_hw_array(base, long, other, &base_num, 0444);
+ 
+ MODULE_PARM_DESC(vector, "VME IRQ Vector (Lower 4 bits masked)");
+-module_param_array(vector, int, &vector_num, 0444);
++module_param_hw_array(vector, int, other, &vector_num, 0444);
+ 
+ MODULE_PARM_DESC(level, "VME IRQ Level");
+-module_param_array(level, int, &level_num, 0444);
++module_param_hw_array(level, int, other, &level_num, 0444);
+ 
+ MODULE_PARM_DESC(variant, "Last 4 characters of PIO2 board variant");
+ module_param_array(variant, charp, &variant_num, 0444);
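Review bot: `vector` and `level` are given the `other` type even though their MODULE_PARM_DESC strings ("VME IRQ Vector", "VME IRQ Level") describe interrupt configuration, which elsewhere in this series is typed `irq`. If `irq` is intentionally reserved for host-side interrupt lines and VMEbus vectors/levels are meant to be `other`, a one-line comment above these four lines saying so would stop a later reader from "correcting" them; otherwise `irq` would be the consistent choice. The commit message says the type is recorded for reference and the parameter is refused under lockdown in any case, so this only affects what gets reported.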
diff --git a/debian/patches/features/all/lockdown/0031-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0031-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..85ac44b
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0031-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,144 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:29 +0100
+Subject: [31/62] Annotate hardware config module parameters in drivers/tty/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=87194408fc816138aa4900548202ad45d5816b54
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/tty/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+cc: Jiri Slaby <jslaby at suse.com>
+cc: linux-serial at vger.kernel.org
+---
+ drivers/tty/cyclades.c              |  4 ++--
+ drivers/tty/moxa.c                  |  2 +-
+ drivers/tty/mxser.c                 |  2 +-
+ drivers/tty/rocket.c                | 10 +++++-----
+ drivers/tty/serial/8250/8250_core.c |  4 ++--
+ drivers/tty/synclink.c              |  6 +++---
+ 6 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/tty/cyclades.c b/drivers/tty/cyclades.c
+index 5e4fa9206861..104f09c58163 100644
+--- a/drivers/tty/cyclades.c
++++ b/drivers/tty/cyclades.c
+@@ -156,8 +156,8 @@ static unsigned int cy_isa_addresses[] = {
+ static long maddr[NR_CARDS];
+ static int irq[NR_CARDS];
+ 
+-module_param_array(maddr, long, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
++module_param_hw_array(maddr, long, iomem, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
+ 
+ #endif				/* CONFIG_ISA */
+ 
+diff --git a/drivers/tty/moxa.c b/drivers/tty/moxa.c
+index 4caf0c3b1f99..3b251f4e5df0 100644
+--- a/drivers/tty/moxa.c
++++ b/drivers/tty/moxa.c
+@@ -179,7 +179,7 @@ MODULE_FIRMWARE("c320tunx.cod");
+ 
+ module_param_array(type, uint, NULL, 0);
+ MODULE_PARM_DESC(type, "card type: C218=2, C320=4");
+-module_param_array(baseaddr, ulong, NULL, 0);
++module_param_hw_array(baseaddr, ulong, ioport, NULL, 0);
+ MODULE_PARM_DESC(baseaddr, "base address");
+ module_param_array(numports, uint, NULL, 0);
+ MODULE_PARM_DESC(numports, "numports (ignored for C218)");
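Review bot: `baseaddr` is annotated `ioport`, but its MODULE_PARM_DESC says only "base address", and the cyclades hunk in this same patch types its card base address (`maddr`) as `iomem`. Please confirm the MOXA ISA boards are reached through port I/O rather than a memory-mapped window; if it is the latter, `iomem` is the accurate type. Either way, extending the description to say which kind of address it is (as mxser.c's "ISA io addresses" does) would make the choice self-explanatory.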
+diff --git a/drivers/tty/mxser.c b/drivers/tty/mxser.c
+index 7b8f383fb090..8bd6fb6d9391 100644
+--- a/drivers/tty/mxser.c
++++ b/drivers/tty/mxser.c
+@@ -183,7 +183,7 @@ static int ttymajor = MXSERMAJOR;
+ 
+ MODULE_AUTHOR("Casper Yang");
+ MODULE_DESCRIPTION("MOXA Smartio/Industio Family Multiport Board Device Driver");
+-module_param_array(ioaddr, ulong, NULL, 0);
++module_param_hw_array(ioaddr, ulong, ioport, NULL, 0);
+ MODULE_PARM_DESC(ioaddr, "ISA io addresses to look for a moxa board");
+ module_param(ttymajor, int, 0);
+ MODULE_LICENSE("GPL");
+diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c
+index d66c1edd9892..b51a877da986 100644
+--- a/drivers/tty/rocket.c
++++ b/drivers/tty/rocket.c
+@@ -250,15 +250,15 @@ static int sReadAiopNumChan(WordIO_t io);
+ 
+ MODULE_AUTHOR("Theodore Ts'o");
+ MODULE_DESCRIPTION("Comtrol RocketPort driver");
+-module_param(board1, ulong, 0);
++module_param_hw(board1, ulong, ioport, 0);
+ MODULE_PARM_DESC(board1, "I/O port for (ISA) board #1");
+-module_param(board2, ulong, 0);
++module_param_hw(board2, ulong, ioport, 0);
+ MODULE_PARM_DESC(board2, "I/O port for (ISA) board #2");
+-module_param(board3, ulong, 0);
++module_param_hw(board3, ulong, ioport, 0);
+ MODULE_PARM_DESC(board3, "I/O port for (ISA) board #3");
+-module_param(board4, ulong, 0);
++module_param_hw(board4, ulong, ioport, 0);
+ MODULE_PARM_DESC(board4, "I/O port for (ISA) board #4");
+-module_param(controller, ulong, 0);
++module_param_hw(controller, ulong, ioport, 0);
+ MODULE_PARM_DESC(controller, "I/O port for (ISA) rocketport controller");
+ module_param(support_low_speed, bool, 0);
+ MODULE_PARM_DESC(support_low_speed, "1 means support 50 baud, 0 means support 460400 baud");
+diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
+index 76e03a7de9cc..89fde17d9617 100644
+--- a/drivers/tty/serial/8250/8250_core.c
++++ b/drivers/tty/serial/8250/8250_core.c
+@@ -1191,7 +1191,7 @@ module_exit(serial8250_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Generic 8250/16x50 serial driver");
+ 
+-module_param(share_irqs, uint, 0644);
++module_param_hw(share_irqs, uint, other, 0644);
+ MODULE_PARM_DESC(share_irqs, "Share IRQs with other non-8250/16x50 devices (unsafe)");
+ 
+ module_param(nr_uarts, uint, 0644);
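Review bot: `share_irqs` keeps its 0644 permission after being marked as a hardware parameter, so it stays writable through sysfs after the module has loaded. The commit message only describes the parameter parser refusing such parameters at load time; please confirm the sysfs store path also honours the hardware-parameter flag when the kernel is locked down, otherwise the annotation can be sidestepped by a later write. `other` is the right type here, since the value is a policy flag rather than an address or line number; the open point is only the permission.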
+@@ -1201,7 +1201,7 @@ module_param(skip_txen_test, uint, 0644);
+ MODULE_PARM_DESC(skip_txen_test, "Skip checking for the TXEN bug at init time");
+ 
+ #ifdef CONFIG_SERIAL_8250_RSA
+-module_param_array(probe_rsa, ulong, &probe_rsa_count, 0444);
++module_param_hw_array(probe_rsa, ulong, ioport, &probe_rsa_count, 0444);
+ MODULE_PARM_DESC(probe_rsa, "Probe I/O ports for RSA");
+ #endif
+ MODULE_ALIAS_CHARDEV_MAJOR(TTY_MAJOR);
+diff --git a/drivers/tty/synclink.c b/drivers/tty/synclink.c
+index 657eed82eeb3..a2c308f7d637 100644
+--- a/drivers/tty/synclink.c
++++ b/drivers/tty/synclink.c
+@@ -869,9 +869,9 @@ static int txholdbufs[MAX_TOTAL_DEVICES];
+ 	
+ module_param(break_on_load, bool, 0);
+ module_param(ttymajor, int, 0);
+-module_param_array(io, int, NULL, 0);
+-module_param_array(irq, int, NULL, 0);
+-module_param_array(dma, int, NULL, 0);
++module_param_hw_array(io, int, ioport, NULL, 0);
++module_param_hw_array(irq, int, irq, NULL, 0);
++module_param_hw_array(dma, int, dma, NULL, 0);
+ module_param(debug_level, int, 0);
+ module_param_array(maxframe, int, NULL, 0);
+ module_param_array(txdmabufs, int, NULL, 0);
diff --git a/debian/patches/features/all/lockdown/0032-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0032-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..5bd4858
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0032-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,80 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:29 +0100
+Subject: [32/62] Annotate hardware config module parameters in drivers/video/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=1692fe8ef6a9f19be6c4943dda5d67f31ea0f561
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/video/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Jaya Kumar <jayalk at intworks.biz>
+cc: Tomi Valkeinen <tomi.valkeinen at ti.com>
+cc: linux-fbdev at vger.kernel.org
+---
+ drivers/video/fbdev/arcfb.c | 8 ++++----
+ drivers/video/fbdev/n411.c  | 6 +++---
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/video/fbdev/arcfb.c b/drivers/video/fbdev/arcfb.c
+index 1928cb2b5386..7e87d0d61658 100644
+--- a/drivers/video/fbdev/arcfb.c
++++ b/drivers/video/fbdev/arcfb.c
+@@ -645,17 +645,17 @@ module_param(nosplash, uint, 0);
+ MODULE_PARM_DESC(nosplash, "Disable doing the splash screen");
+ module_param(arcfb_enable, uint, 0);
+ MODULE_PARM_DESC(arcfb_enable, "Enable communication with Arc board");
+-module_param(dio_addr, ulong, 0);
++module_param_hw(dio_addr, ulong, ioport, 0);
+ MODULE_PARM_DESC(dio_addr, "IO address for data, eg: 0x480");
+-module_param(cio_addr, ulong, 0);
++module_param_hw(cio_addr, ulong, ioport, 0);
+ MODULE_PARM_DESC(cio_addr, "IO address for control, eg: 0x400");
+-module_param(c2io_addr, ulong, 0);
++module_param_hw(c2io_addr, ulong, ioport, 0);
+ MODULE_PARM_DESC(c2io_addr, "IO address for secondary control, eg: 0x408");
+ module_param(splashval, ulong, 0);
+ MODULE_PARM_DESC(splashval, "Splash pattern: 0xFF is black, 0x00 is green");
+ module_param(tuhold, ulong, 0);
+ MODULE_PARM_DESC(tuhold, "Time to hold between strobing data to Arc board");
+-module_param(irq, uint, 0);
++module_param_hw(irq, uint, irq, 0);
+ MODULE_PARM_DESC(irq, "IRQ for the Arc board");
+ 
+ module_init(arcfb_init);
+diff --git a/drivers/video/fbdev/n411.c b/drivers/video/fbdev/n411.c
+index 053deacad7cc..a3677313396e 100644
+--- a/drivers/video/fbdev/n411.c
++++ b/drivers/video/fbdev/n411.c
+@@ -193,11 +193,11 @@ module_exit(n411_exit);
+ 
+ module_param(nosplash, uint, 0);
+ MODULE_PARM_DESC(nosplash, "Disable doing the splash screen");
+-module_param(dio_addr, ulong, 0);
++module_param_hw(dio_addr, ulong, ioport, 0);
+ MODULE_PARM_DESC(dio_addr, "IO address for data, eg: 0x480");
+-module_param(cio_addr, ulong, 0);
++module_param_hw(cio_addr, ulong, ioport, 0);
+ MODULE_PARM_DESC(cio_addr, "IO address for control, eg: 0x400");
+-module_param(c2io_addr, ulong, 0);
++module_param_hw(c2io_addr, ulong, ioport, 0);
+ MODULE_PARM_DESC(c2io_addr, "IO address for secondary control, eg: 0x408");
+ module_param(splashval, ulong, 0);
+ MODULE_PARM_DESC(splashval, "Splash pattern: 0x00 is black, 0x01 is white");
diff --git a/debian/patches/features/all/lockdown/0033-Annotate-hardware-config-module-parameters-in-driver.patch b/debian/patches/features/all/lockdown/0033-Annotate-hardware-config-module-parameters-in-driver.patch
new file mode 100644
index 0000000..db39200
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0033-Annotate-hardware-config-module-parameters-in-driver.patch
@@ -0,0 +1,111 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:29 +0100
+Subject: [33/62] Annotate hardware config module parameters in
+ drivers/watchdog/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=6664038216d98a13d389bc26dfb70859e2c9f9f7
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in drivers/watchdog/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Reviewed-by: Guenter Roeck <linux at roeck-us.net>
+cc: Wim Van Sebroeck <wim at iguana.be>
+cc: Zwane Mwaikambo <zwanem at gmail.com>
+cc: linux-watchdog at vger.kernel.org
+---
+ drivers/watchdog/cpu5wdt.c     | 2 +-
+ drivers/watchdog/eurotechwdt.c | 4 ++--
+ drivers/watchdog/pc87413_wdt.c | 2 +-
+ drivers/watchdog/sc1200wdt.c   | 2 +-
+ drivers/watchdog/wdt.c         | 4 ++--
+ 5 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/watchdog/cpu5wdt.c b/drivers/watchdog/cpu5wdt.c
+index 6d03e8e30f8b..6c3f78e45c26 100644
+--- a/drivers/watchdog/cpu5wdt.c
++++ b/drivers/watchdog/cpu5wdt.c
+@@ -289,7 +289,7 @@ MODULE_DESCRIPTION("sma cpu5 watchdog driver");
+ MODULE_SUPPORTED_DEVICE("sma cpu5 watchdog");
+ MODULE_LICENSE("GPL");
+ 
+-module_param(port, int, 0);
++module_param_hw(port, int, ioport, 0);
+ MODULE_PARM_DESC(port, "base address of watchdog card, default is 0x91");
+ 
+ module_param(verbose, int, 0);
+diff --git a/drivers/watchdog/eurotechwdt.c b/drivers/watchdog/eurotechwdt.c
+index 23ee53240c4c..38e96712264f 100644
+--- a/drivers/watchdog/eurotechwdt.c
++++ b/drivers/watchdog/eurotechwdt.c
+@@ -97,9 +97,9 @@ MODULE_PARM_DESC(nowayout,
+ #define WDT_TIMER_CFG		0xf3
+ 
+ 
+-module_param(io, int, 0);
++module_param_hw(io, int, ioport, 0);
+ MODULE_PARM_DESC(io, "Eurotech WDT io port (default=0x3f0)");
+-module_param(irq, int, 0);
++module_param_hw(irq, int, irq, 0);
+ MODULE_PARM_DESC(irq, "Eurotech WDT irq (default=10)");
+ module_param(ev, charp, 0);
+ MODULE_PARM_DESC(ev, "Eurotech WDT event type (default is `int')");
+diff --git a/drivers/watchdog/pc87413_wdt.c b/drivers/watchdog/pc87413_wdt.c
+index 9f15dd9435d1..06a892e36a8d 100644
+--- a/drivers/watchdog/pc87413_wdt.c
++++ b/drivers/watchdog/pc87413_wdt.c
+@@ -579,7 +579,7 @@ MODULE_AUTHOR("Marcus Junker <junker at anduras.de>");
+ MODULE_DESCRIPTION("PC87413 WDT driver");
+ MODULE_LICENSE("GPL");
+ 
+-module_param(io, int, 0);
++module_param_hw(io, int, ioport, 0);
+ MODULE_PARM_DESC(io, MODNAME " I/O port (default: "
+ 					__MODULE_STRING(IO_DEFAULT) ").");
+ 
+diff --git a/drivers/watchdog/sc1200wdt.c b/drivers/watchdog/sc1200wdt.c
+index 131193a7acdf..b34d3d5ba632 100644
+--- a/drivers/watchdog/sc1200wdt.c
++++ b/drivers/watchdog/sc1200wdt.c
+@@ -88,7 +88,7 @@ MODULE_PARM_DESC(isapnp,
+ 	"When set to 0 driver ISA PnP support will be disabled");
+ #endif
+ 
+-module_param(io, int, 0);
++module_param_hw(io, int, ioport, 0);
+ MODULE_PARM_DESC(io, "io port");
+ module_param(timeout, int, 0);
+ MODULE_PARM_DESC(timeout, "range is 0-255 minutes, default is 1");
+diff --git a/drivers/watchdog/wdt.c b/drivers/watchdog/wdt.c
+index e0206b5b7d89..e481fbbc4ae7 100644
+--- a/drivers/watchdog/wdt.c
++++ b/drivers/watchdog/wdt.c
+@@ -78,9 +78,9 @@ static int irq = 11;
+ 
+ static DEFINE_SPINLOCK(wdt_lock);
+ 
+-module_param(io, int, 0);
++module_param_hw(io, int, ioport, 0);
+ MODULE_PARM_DESC(io, "WDT io port (default=0x240)");
+-module_param(irq, int, 0);
++module_param_hw(irq, int, irq, 0);
+ MODULE_PARM_DESC(irq, "WDT irq (default=11)");
+ 
+ /* Support for the Fan Tachometer on the WDT501-P */
diff --git a/debian/patches/features/all/lockdown/0034-Annotate-hardware-config-module-parameters-in-fs-pst.patch b/debian/patches/features/all/lockdown/0034-Annotate-hardware-config-module-parameters-in-fs-pst.patch
new file mode 100644
index 0000000..c2db1b7
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0034-Annotate-hardware-config-module-parameters-in-fs-pst.patch
@@ -0,0 +1,48 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:29 +0100
+Subject: [34/62] Annotate hardware config module parameters in fs/pstore/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=b68845c3946ffaf3fa58bb156c908a4e4531dcd9
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in fs/pstore/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Anton Vorontsov <anton at enomsg.org>
+cc: Colin Cross <ccross at android.com>
+cc: Kees Cook <keescook at chromium.org>
+cc: Tony Luck <tony.luck at intel.com>
+---
+ fs/pstore/ram.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
+index 11f918d34b1e..cce1d38417ca 100644
+--- a/fs/pstore/ram.c
++++ b/fs/pstore/ram.c
+@@ -58,7 +58,7 @@ module_param_named(pmsg_size, ramoops_pmsg_size, ulong, 0400);
+ MODULE_PARM_DESC(pmsg_size, "size of user space message log");
+ 
+ static unsigned long long mem_address;
+-module_param(mem_address, ullong, 0400);
++module_param_hw(mem_address, ullong, other, 0400);
+ MODULE_PARM_DESC(mem_address,
+ 		"start of reserved RAM used to store oops/panic logs");
+ 
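Review bot: `mem_address` is typed `other`, yet its MODULE_PARM_DESC says it is the "start of reserved RAM used to store oops/panic logs", i.e. a physical memory range the module will map and write into. `iomem` describes that more precisely and matches how memory-window base addresses are typed elsewhere in this series (for example `maddr` in drivers/tty/cyclades.c). There is no functional difference, since the parameter is refused under lockdown either way, but the recorded type would then be accurate.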
diff --git a/debian/patches/features/all/lockdown/0035-Annotate-hardware-config-module-parameters-in-sound-.patch b/debian/patches/features/all/lockdown/0035-Annotate-hardware-config-module-parameters-in-sound-.patch
new file mode 100644
index 0000000..f45d36d
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0035-Annotate-hardware-config-module-parameters-in-sound-.patch
@@ -0,0 +1,84 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:30 +0100
+Subject: [35/62] Annotate hardware config module parameters in sound/drivers/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=75c07d4b39cebaebd1d185077c4d062036e7b967
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in sound/drivers/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Jaroslav Kysela <perex at perex.cz>
+cc: Takashi Iwai <tiwai at suse.com>
+cc: alsa-devel at alsa-project.org
+---
+ sound/drivers/mpu401/mpu401.c | 4 ++--
+ sound/drivers/mtpav.c         | 4 ++--
+ sound/drivers/serial-u16550.c | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/sound/drivers/mpu401/mpu401.c b/sound/drivers/mpu401/mpu401.c
+index fed7e7e2177b..9b86e00d7d95 100644
+--- a/sound/drivers/mpu401/mpu401.c
++++ b/sound/drivers/mpu401/mpu401.c
+@@ -53,9 +53,9 @@ MODULE_PARM_DESC(enable, "Enable MPU-401 device.");
+ module_param_array(pnp, bool, NULL, 0444);
+ MODULE_PARM_DESC(pnp, "PnP detection for MPU-401 device.");
+ #endif
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for MPU-401 device.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for MPU-401 device.");
+ module_param_array(uart_enter, bool, NULL, 0444);
+ MODULE_PARM_DESC(uart_enter, "Issue UART_ENTER command at open.");
+diff --git a/sound/drivers/mtpav.c b/sound/drivers/mtpav.c
+index 00b31f92c504..0f6392001e30 100644
+--- a/sound/drivers/mtpav.c
++++ b/sound/drivers/mtpav.c
+@@ -86,9 +86,9 @@ module_param(index, int, 0444);
+ MODULE_PARM_DESC(index, "Index value for MotuMTPAV MIDI.");
+ module_param(id, charp, 0444);
+ MODULE_PARM_DESC(id, "ID string for MotuMTPAV MIDI.");
+-module_param(port, long, 0444);
++module_param_hw(port, long, ioport, 0444);
+ MODULE_PARM_DESC(port, "Parallel port # for MotuMTPAV MIDI.");
+-module_param(irq, int, 0444);
++module_param_hw(irq, int, irq, 0444);
+ MODULE_PARM_DESC(irq, "Parallel IRQ # for MotuMTPAV MIDI.");
+ module_param(hwports, int, 0444);
+ MODULE_PARM_DESC(hwports, "Hardware ports # for MotuMTPAV MIDI.");
+diff --git a/sound/drivers/serial-u16550.c b/sound/drivers/serial-u16550.c
+index 60d51ac4ccfe..88e66ea0306d 100644
+--- a/sound/drivers/serial-u16550.c
++++ b/sound/drivers/serial-u16550.c
+@@ -84,9 +84,9 @@ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for Serial MIDI.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable UART16550A chip.");
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for UART16550A chip.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for UART16550A chip.");
+ module_param_array(speed, int, NULL, 0444);
+ MODULE_PARM_DESC(speed, "Speed in bauds.");
diff --git a/debian/patches/features/all/lockdown/0036-Annotate-hardware-config-module-parameters-in-sound-.patch b/debian/patches/features/all/lockdown/0036-Annotate-hardware-config-module-parameters-in-sound-.patch
new file mode 100644
index 0000000..c17e446
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0036-Annotate-hardware-config-module-parameters-in-sound-.patch
@@ -0,0 +1,731 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:30 +0100
+Subject: [36/62] Annotate hardware config module parameters in sound/isa/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=b7999a0d338e061fe8319b3860b86efacb12a056
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in sound/isa/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Jaroslav Kysela <perex at perex.cz>
+cc: Takashi Iwai <tiwai at suse.com>
+cc: alsa-devel at alsa-project.org
+---
+ sound/isa/ad1848/ad1848.c          |  6 +++---
+ sound/isa/adlib.c                  |  2 +-
+ sound/isa/cmi8328.c                | 12 ++++++------
+ sound/isa/cmi8330.c                | 20 ++++++++++----------
+ sound/isa/cs423x/cs4231.c          | 12 ++++++------
+ sound/isa/cs423x/cs4236.c          | 18 +++++++++---------
+ sound/isa/es1688/es1688.c          | 12 ++++++------
+ sound/isa/es18xx.c                 | 12 ++++++------
+ sound/isa/galaxy/galaxy.c          | 16 ++++++++--------
+ sound/isa/gus/gusclassic.c         |  8 ++++----
+ sound/isa/gus/gusextreme.c         | 16 ++++++++--------
+ sound/isa/gus/gusmax.c             |  8 ++++----
+ sound/isa/gus/interwave.c          | 10 +++++-----
+ sound/isa/msnd/msnd_pinnacle.c     | 20 ++++++++++----------
+ sound/isa/opl3sa2.c                | 16 ++++++++--------
+ sound/isa/opti9xx/miro.c           | 14 +++++++-------
+ sound/isa/opti9xx/opti92x-ad1848.c | 14 +++++++-------
+ sound/isa/sb/jazz16.c              | 12 ++++++------
+ sound/isa/sb/sb16.c                | 14 +++++++-------
+ sound/isa/sb/sb8.c                 |  6 +++---
+ sound/isa/sc6000.c                 | 12 ++++++------
+ sound/isa/sscape.c                 | 12 ++++++------
+ sound/isa/wavefront/wavefront.c    | 18 +++++++++---------
+ 23 files changed, 145 insertions(+), 145 deletions(-)
+
+diff --git a/sound/isa/ad1848/ad1848.c b/sound/isa/ad1848/ad1848.c
+index a302d1f8d14f..e739b1c85c25 100644
+--- a/sound/isa/ad1848/ad1848.c
++++ b/sound/isa/ad1848/ad1848.c
+@@ -55,11 +55,11 @@ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for " CRD_NAME " soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable " CRD_NAME " soundcard.");
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for " CRD_NAME " driver.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for " CRD_NAME " driver.");
+-module_param_array(dma1, int, NULL, 0444);
++module_param_hw_array(dma1, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma1, "DMA1 # for " CRD_NAME " driver.");
+ module_param_array(thinkpad, bool, NULL, 0444);
+ MODULE_PARM_DESC(thinkpad, "Enable only for the onboard CS4248 of IBM Thinkpad 360/750/755 series.");
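Review bot: The split between annotated and unannotated parameters looks right for this driver: `port`, `irq` and `dma1` become `module_param_hw_array` with hwtypes `ioport`, `irq` and `dma`, while the three left as plain `module_param_array` (`id`, `enable`, `thinkpad`) do not name an I/O resource. The same check (no remaining port, IRQ or DMA parameter without a hwtype) is worth repeating on every file in this sweep, since a missed one would be left outside the hardware-parameter restriction this series introduces.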
+diff --git a/sound/isa/adlib.c b/sound/isa/adlib.c
+index 8d3060fd7ad7..5fb619eca5c8 100644
+--- a/sound/isa/adlib.c
++++ b/sound/isa/adlib.c
+@@ -27,7 +27,7 @@ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for " CRD_NAME " soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable " CRD_NAME " soundcard.");
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for " CRD_NAME " driver.");
+ 
+ static int snd_adlib_match(struct device *dev, unsigned int n)
+diff --git a/sound/isa/cmi8328.c b/sound/isa/cmi8328.c
+index 787475084f46..8e1756c3b9bb 100644
+--- a/sound/isa/cmi8328.c
++++ b/sound/isa/cmi8328.c
+@@ -51,18 +51,18 @@ MODULE_PARM_DESC(index, "Index value for CMI8328 soundcard.");
+ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for CMI8328 soundcard.");
+ 
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for CMI8328 driver.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for CMI8328 driver.");
+-module_param_array(dma1, int, NULL, 0444);
++module_param_hw_array(dma1, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma1, "DMA1 for CMI8328 driver.");
+-module_param_array(dma2, int, NULL, 0444);
++module_param_hw_array(dma2, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma2, "DMA2 for CMI8328 driver.");
+ 
+-module_param_array(mpuport, long, NULL, 0444);
++module_param_hw_array(mpuport, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpuport, "MPU-401 port # for CMI8328 driver.");
+-module_param_array(mpuirq, int, NULL, 0444);
++module_param_hw_array(mpuirq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(mpuirq, "IRQ # for CMI8328 MPU-401 port.");
+ #ifdef SUPPORT_JOYSTICK
+ module_param_array(gameport, bool, NULL, 0444);
+diff --git a/sound/isa/cmi8330.c b/sound/isa/cmi8330.c
+index dfedfd85f205..f64b29ab5cc7 100644
+--- a/sound/isa/cmi8330.c
++++ b/sound/isa/cmi8330.c
+@@ -95,27 +95,27 @@ module_param_array(isapnp, bool, NULL, 0444);
+ MODULE_PARM_DESC(isapnp, "PnP detection for specified soundcard.");
+ #endif
+ 
+-module_param_array(sbport, long, NULL, 0444);
++module_param_hw_array(sbport, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(sbport, "Port # for CMI8330/CMI8329 SB driver.");
+-module_param_array(sbirq, int, NULL, 0444);
++module_param_hw_array(sbirq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(sbirq, "IRQ # for CMI8330/CMI8329 SB driver.");
+-module_param_array(sbdma8, int, NULL, 0444);
++module_param_hw_array(sbdma8, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(sbdma8, "DMA8 for CMI8330/CMI8329 SB driver.");
+-module_param_array(sbdma16, int, NULL, 0444);
++module_param_hw_array(sbdma16, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(sbdma16, "DMA16 for CMI8330/CMI8329 SB driver.");
+ 
+-module_param_array(wssport, long, NULL, 0444);
++module_param_hw_array(wssport, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(wssport, "Port # for CMI8330/CMI8329 WSS driver.");
+-module_param_array(wssirq, int, NULL, 0444);
++module_param_hw_array(wssirq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(wssirq, "IRQ # for CMI8330/CMI8329 WSS driver.");
+-module_param_array(wssdma, int, NULL, 0444);
++module_param_hw_array(wssdma, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(wssdma, "DMA for CMI8330/CMI8329 WSS driver.");
+ 
+-module_param_array(fmport, long, NULL, 0444);
++module_param_hw_array(fmport, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(fmport, "FM port # for CMI8330/CMI8329 driver.");
+-module_param_array(mpuport, long, NULL, 0444);
++module_param_hw_array(mpuport, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpuport, "MPU-401 port # for CMI8330/CMI8329 driver.");
+-module_param_array(mpuirq, int, NULL, 0444);
++module_param_hw_array(mpuirq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(mpuirq, "IRQ # for CMI8330/CMI8329 MPU-401 port.");
+ #ifdef CONFIG_PNP
+ static int isa_registered;
+diff --git a/sound/isa/cs423x/cs4231.c b/sound/isa/cs423x/cs4231.c
+index ef7448e9f813..e8edd9017a2f 100644
+--- a/sound/isa/cs423x/cs4231.c
++++ b/sound/isa/cs423x/cs4231.c
+@@ -55,17 +55,17 @@ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for " CRD_NAME " soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable " CRD_NAME " soundcard.");
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for " CRD_NAME " driver.");
+-module_param_array(mpu_port, long, NULL, 0444);
++module_param_hw_array(mpu_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port # for " CRD_NAME " driver.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for " CRD_NAME " driver.");
+-module_param_array(mpu_irq, int, NULL, 0444);
++module_param_hw_array(mpu_irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(mpu_irq, "MPU-401 IRQ # for " CRD_NAME " driver.");
+-module_param_array(dma1, int, NULL, 0444);
++module_param_hw_array(dma1, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma1, "DMA1 # for " CRD_NAME " driver.");
+-module_param_array(dma2, int, NULL, 0444);
++module_param_hw_array(dma2, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma2, "DMA2 # for " CRD_NAME " driver.");
+ 
+ static int snd_cs4231_match(struct device *dev, unsigned int n)
+diff --git a/sound/isa/cs423x/cs4236.c b/sound/isa/cs423x/cs4236.c
+index 9d7582c90a95..1f9a3b2be7a1 100644
+--- a/sound/isa/cs423x/cs4236.c
++++ b/sound/isa/cs423x/cs4236.c
+@@ -98,23 +98,23 @@ MODULE_PARM_DESC(enable, "Enable " IDENT " soundcard.");
+ module_param_array(isapnp, bool, NULL, 0444);
+ MODULE_PARM_DESC(isapnp, "ISA PnP detection for specified soundcard.");
+ #endif
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for " IDENT " driver.");
+-module_param_array(cport, long, NULL, 0444);
++module_param_hw_array(cport, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(cport, "Control port # for " IDENT " driver.");
+-module_param_array(mpu_port, long, NULL, 0444);
++module_param_hw_array(mpu_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port # for " IDENT " driver.");
+-module_param_array(fm_port, long, NULL, 0444);
++module_param_hw_array(fm_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(fm_port, "FM port # for " IDENT " driver.");
+-module_param_array(sb_port, long, NULL, 0444);
++module_param_hw_array(sb_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(sb_port, "SB port # for " IDENT " driver (optional).");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for " IDENT " driver.");
+-module_param_array(mpu_irq, int, NULL, 0444);
++module_param_hw_array(mpu_irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(mpu_irq, "MPU-401 IRQ # for " IDENT " driver.");
+-module_param_array(dma1, int, NULL, 0444);
++module_param_hw_array(dma1, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma1, "DMA1 # for " IDENT " driver.");
+-module_param_array(dma2, int, NULL, 0444);
++module_param_hw_array(dma2, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma2, "DMA2 # for " IDENT " driver.");
+ 
+ #ifdef CONFIG_PNP
+diff --git a/sound/isa/es1688/es1688.c b/sound/isa/es1688/es1688.c
+index 1901c2bb6c3b..36320e7f2789 100644
+--- a/sound/isa/es1688/es1688.c
++++ b/sound/isa/es1688/es1688.c
+@@ -71,17 +71,17 @@ module_param_array(isapnp, bool, NULL, 0444);
+ MODULE_PARM_DESC(isapnp, "PnP detection for specified soundcard.");
+ #endif
+ MODULE_PARM_DESC(enable, "Enable " CRD_NAME " soundcard.");
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for " CRD_NAME " driver.");
+-module_param_array(mpu_port, long, NULL, 0444);
++module_param_hw_array(mpu_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port # for " CRD_NAME " driver.");
+-module_param_array(irq, int, NULL, 0444);
+-module_param_array(fm_port, long, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
++module_param_hw_array(fm_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(fm_port, "FM port # for ES1688 driver.");
+ MODULE_PARM_DESC(irq, "IRQ # for " CRD_NAME " driver.");
+-module_param_array(mpu_irq, int, NULL, 0444);
++module_param_hw_array(mpu_irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(mpu_irq, "MPU-401 IRQ # for " CRD_NAME " driver.");
+-module_param_array(dma8, int, NULL, 0444);
++module_param_hw_array(dma8, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma8, "8-bit DMA # for " CRD_NAME " driver.");
+ 
+ #ifdef CONFIG_PNP
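Review bot: Style point in the middle of the hunk: the new `module_param_hw_array(irq, ...)` and `module_param_hw_array(fm_port, ...)` lines keep the pre-existing interleaving, so `MODULE_PARM_DESC(irq, ...)` sits two lines below its declaration with the `fm_port` pair in between. Since these lines are being rewritten anyway, pairing each declaration with its description (`irq` declaration, `irq` desc, then `fm_port` declaration, `fm_port` desc) would make it easier to confirm by eye that every resource parameter was annotated. The `fm_port` description also hard-codes "ES1688 driver" where the neighbouring ones use `CRD_NAME`; harmless, but it could be unified in the same pass.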
+diff --git a/sound/isa/es18xx.c b/sound/isa/es18xx.c
+index 5094b62d8f77..0cabe2b8974f 100644
+--- a/sound/isa/es18xx.c
++++ b/sound/isa/es18xx.c
+@@ -1999,17 +1999,17 @@ MODULE_PARM_DESC(enable, "Enable ES18xx soundcard.");
+ module_param_array(isapnp, bool, NULL, 0444);
+ MODULE_PARM_DESC(isapnp, "PnP detection for specified soundcard.");
+ #endif
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for ES18xx driver.");
+-module_param_array(mpu_port, long, NULL, 0444);
++module_param_hw_array(mpu_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port # for ES18xx driver.");
+-module_param_array(fm_port, long, NULL, 0444);
++module_param_hw_array(fm_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(fm_port, "FM port # for ES18xx driver.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for ES18xx driver.");
+-module_param_array(dma1, int, NULL, 0444);
++module_param_hw_array(dma1, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma1, "DMA 1 # for ES18xx driver.");
+-module_param_array(dma2, int, NULL, 0444);
++module_param_hw_array(dma2, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma2, "DMA 2 # for ES18xx driver.");
+ 
+ #ifdef CONFIG_PNP
+diff --git a/sound/isa/galaxy/galaxy.c b/sound/isa/galaxy/galaxy.c
+index 379abe2cbeb2..b9994cc9f5fb 100644
+--- a/sound/isa/galaxy/galaxy.c
++++ b/sound/isa/galaxy/galaxy.c
+@@ -53,21 +53,21 @@ static int mpu_irq[SNDRV_CARDS] = SNDRV_DEFAULT_IRQ;
+ static int dma1[SNDRV_CARDS] = SNDRV_DEFAULT_DMA;
+ static int dma2[SNDRV_CARDS] = SNDRV_DEFAULT_DMA;
+ 
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for " CRD_NAME " driver.");
+-module_param_array(wss_port, long, NULL, 0444);
++module_param_hw_array(wss_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(wss_port, "WSS port # for " CRD_NAME " driver.");
+-module_param_array(mpu_port, long, NULL, 0444);
++module_param_hw_array(mpu_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port # for " CRD_NAME " driver.");
+-module_param_array(fm_port, long, NULL, 0444);
++module_param_hw_array(fm_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(fm_port, "FM port # for " CRD_NAME " driver.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for " CRD_NAME " driver.");
+-module_param_array(mpu_irq, int, NULL, 0444);
++module_param_hw_array(mpu_irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(mpu_irq, "MPU-401 IRQ # for " CRD_NAME " driver.");
+-module_param_array(dma1, int, NULL, 0444);
++module_param_hw_array(dma1, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma1, "Playback DMA # for " CRD_NAME " driver.");
+-module_param_array(dma2, int, NULL, 0444);
++module_param_hw_array(dma2, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma2, "Capture DMA # for " CRD_NAME " driver.");
+ 
+ /*
+diff --git a/sound/isa/gus/gusclassic.c b/sound/isa/gus/gusclassic.c
+index c169be49ed71..92a997ab1229 100644
+--- a/sound/isa/gus/gusclassic.c
++++ b/sound/isa/gus/gusclassic.c
+@@ -58,13 +58,13 @@ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for " CRD_NAME " soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable " CRD_NAME " soundcard.");
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for " CRD_NAME " driver.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for " CRD_NAME " driver.");
+-module_param_array(dma1, int, NULL, 0444);
++module_param_hw_array(dma1, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma1, "DMA1 # for " CRD_NAME " driver.");
+-module_param_array(dma2, int, NULL, 0444);
++module_param_hw_array(dma2, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma2, "DMA2 # for " CRD_NAME " driver.");
+ module_param_array(joystick_dac, int, NULL, 0444);
+ MODULE_PARM_DESC(joystick_dac, "Joystick DAC level 0.59V-4.52V or 0.389V-2.98V for " CRD_NAME " driver.");
+diff --git a/sound/isa/gus/gusextreme.c b/sound/isa/gus/gusextreme.c
+index 77ac2fd723b4..beb52c0f70ea 100644
+--- a/sound/isa/gus/gusextreme.c
++++ b/sound/isa/gus/gusextreme.c
+@@ -66,21 +66,21 @@ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for " CRD_NAME " soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable " CRD_NAME " soundcard.");
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for " CRD_NAME " driver.");
+-module_param_array(gf1_port, long, NULL, 0444);
++module_param_hw_array(gf1_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(gf1_port, "GF1 port # for " CRD_NAME " driver (optional).");
+-module_param_array(mpu_port, long, NULL, 0444);
++module_param_hw_array(mpu_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port # for " CRD_NAME " driver.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for " CRD_NAME " driver.");
+-module_param_array(mpu_irq, int, NULL, 0444);
++module_param_hw_array(mpu_irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(mpu_irq, "MPU-401 IRQ # for " CRD_NAME " driver.");
+-module_param_array(gf1_irq, int, NULL, 0444);
++module_param_hw_array(gf1_irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(gf1_irq, "GF1 IRQ # for " CRD_NAME " driver.");
+-module_param_array(dma8, int, NULL, 0444);
++module_param_hw_array(dma8, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma8, "8-bit DMA # for " CRD_NAME " driver.");
+-module_param_array(dma1, int, NULL, 0444);
++module_param_hw_array(dma1, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma1, "GF1 DMA # for " CRD_NAME " driver.");
+ module_param_array(joystick_dac, int, NULL, 0444);
+ MODULE_PARM_DESC(joystick_dac, "Joystick DAC level 0.59V-4.52V or 0.389V-2.98V for " CRD_NAME " driver.");
+diff --git a/sound/isa/gus/gusmax.c b/sound/isa/gus/gusmax.c
+index dd88c9d33492..63309a453140 100644
+--- a/sound/isa/gus/gusmax.c
++++ b/sound/isa/gus/gusmax.c
+@@ -56,13 +56,13 @@ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for GUS MAX soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable GUS MAX soundcard.");
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for GUS MAX driver.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for GUS MAX driver.");
+-module_param_array(dma1, int, NULL, 0444);
++module_param_hw_array(dma1, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma1, "DMA1 # for GUS MAX driver.");
+-module_param_array(dma2, int, NULL, 0444);
++module_param_hw_array(dma2, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma2, "DMA2 # for GUS MAX driver.");
+ module_param_array(joystick_dac, int, NULL, 0444);
+ MODULE_PARM_DESC(joystick_dac, "Joystick DAC level 0.59V-4.52V or 0.389V-2.98V for GUS MAX driver.");
+diff --git a/sound/isa/gus/interwave.c b/sound/isa/gus/interwave.c
+index 70d0040484c8..0687b7ef3e53 100644
+--- a/sound/isa/gus/interwave.c
++++ b/sound/isa/gus/interwave.c
+@@ -92,17 +92,17 @@ MODULE_PARM_DESC(enable, "Enable InterWave soundcard.");
+ module_param_array(isapnp, bool, NULL, 0444);
+ MODULE_PARM_DESC(isapnp, "ISA PnP detection for specified soundcard.");
+ #endif
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for InterWave driver.");
+ #ifdef SNDRV_STB
+-module_param_array(port_tc, long, NULL, 0444);
++module_param_hw_array(port_tc, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port_tc, "Tone control (TEA6330T - i2c bus) port # for InterWave driver.");
+ #endif
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for InterWave driver.");
+-module_param_array(dma1, int, NULL, 0444);
++module_param_hw_array(dma1, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma1, "DMA1 # for InterWave driver.");
+-module_param_array(dma2, int, NULL, 0444);
++module_param_hw_array(dma2, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma2, "DMA2 # for InterWave driver.");
+ module_param_array(joystick_dac, int, NULL, 0444);
+ MODULE_PARM_DESC(joystick_dac, "Joystick DAC level 0.59V-4.52V or 0.389V-2.98V for InterWave driver.");
+diff --git a/sound/isa/msnd/msnd_pinnacle.c b/sound/isa/msnd/msnd_pinnacle.c
+index 4c072666115d..ad4897337df5 100644
+--- a/sound/isa/msnd/msnd_pinnacle.c
++++ b/sound/isa/msnd/msnd_pinnacle.c
+@@ -800,22 +800,22 @@ MODULE_LICENSE("GPL");
+ MODULE_FIRMWARE(INITCODEFILE);
+ MODULE_FIRMWARE(PERMCODEFILE);
+ 
+-module_param_array(io, long, NULL, S_IRUGO);
++module_param_hw_array(io, long, ioport, NULL, S_IRUGO);
+ MODULE_PARM_DESC(io, "IO port #");
+-module_param_array(irq, int, NULL, S_IRUGO);
+-module_param_array(mem, long, NULL, S_IRUGO);
++module_param_hw_array(irq, int, irq, NULL, S_IRUGO);
++module_param_hw_array(mem, long, iomem, NULL, S_IRUGO);
+ module_param_array(write_ndelay, int, NULL, S_IRUGO);
+ module_param(calibrate_signal, int, S_IRUGO);
+ #ifndef MSND_CLASSIC
+ module_param_array(digital, int, NULL, S_IRUGO);
+-module_param_array(cfg, long, NULL, S_IRUGO);
++module_param_hw_array(cfg, long, ioport, NULL, S_IRUGO);
+ module_param_array(reset, int, 0, S_IRUGO);
+-module_param_array(mpu_io, long, NULL, S_IRUGO);
+-module_param_array(mpu_irq, int, NULL, S_IRUGO);
+-module_param_array(ide_io0, long, NULL, S_IRUGO);
+-module_param_array(ide_io1, long, NULL, S_IRUGO);
+-module_param_array(ide_irq, int, NULL, S_IRUGO);
+-module_param_array(joystick_io, long, NULL, S_IRUGO);
++module_param_hw_array(mpu_io, long, ioport, NULL, S_IRUGO);
++module_param_hw_array(mpu_irq, int, irq, NULL, S_IRUGO);
++module_param_hw_array(ide_io0, long, ioport, NULL, S_IRUGO);
++module_param_hw_array(ide_io1, long, ioport, NULL, S_IRUGO);
++module_param_hw_array(ide_irq, int, irq, NULL, S_IRUGO);
++module_param_hw_array(joystick_io, long, ioport, NULL, S_IRUGO);
+ #endif
+ 
+ 
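Review bot: Missing documentation: apart from `io`, none of the parameters annotated in this hunk (`irq`, `mem`, `cfg`, `mpu_io`, `mpu_irq`, `ide_io0`, `ide_io1`, `ide_irq`, `joystick_io`) has a `MODULE_PARM_DESC`, so they will be reported as hardware parameters with no explanation of what they configure; adding one-line descriptions while touching these lines would be worthwhile. The hwtype choices themselves look correct, in particular `mem` getting `iomem` rather than `ioport` (the only `iomem` annotation in this patch) and `cfg` being treated as an `ioport`. Separately, the unchanged `module_param_array(reset, int, 0, S_IRUGO)` passes `0` where every neighbouring line passes `NULL` for the count pointer; a trivial cleanup if the file is being edited anyway.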
+diff --git a/sound/isa/opl3sa2.c b/sound/isa/opl3sa2.c
+index ae133633a420..4098e3e0353d 100644
+--- a/sound/isa/opl3sa2.c
++++ b/sound/isa/opl3sa2.c
+@@ -69,21 +69,21 @@ MODULE_PARM_DESC(enable, "Enable OPL3-SA soundcard.");
+ module_param_array(isapnp, bool, NULL, 0444);
+ MODULE_PARM_DESC(isapnp, "PnP detection for specified soundcard.");
+ #endif
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for OPL3-SA driver.");
+-module_param_array(sb_port, long, NULL, 0444);
++module_param_hw_array(sb_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(sb_port, "SB port # for OPL3-SA driver.");
+-module_param_array(wss_port, long, NULL, 0444);
++module_param_hw_array(wss_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(wss_port, "WSS port # for OPL3-SA driver.");
+-module_param_array(fm_port, long, NULL, 0444);
++module_param_hw_array(fm_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(fm_port, "FM port # for OPL3-SA driver.");
+-module_param_array(midi_port, long, NULL, 0444);
++module_param_hw_array(midi_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(midi_port, "MIDI port # for OPL3-SA driver.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for OPL3-SA driver.");
+-module_param_array(dma1, int, NULL, 0444);
++module_param_hw_array(dma1, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma1, "DMA1 # for OPL3-SA driver.");
+-module_param_array(dma2, int, NULL, 0444);
++module_param_hw_array(dma2, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma2, "DMA2 # for OPL3-SA driver.");
+ module_param_array(opl3sa3_ymode, int, NULL, 0444);
+ MODULE_PARM_DESC(opl3sa3_ymode, "Speaker size selection for 3D Enhancement mode: Desktop/Large Notebook/Small Notebook/HiFi.");
+diff --git a/sound/isa/opti9xx/miro.c b/sound/isa/opti9xx/miro.c
+index 3a9067db1a84..bcbff56f060d 100644
+--- a/sound/isa/opti9xx/miro.c
++++ b/sound/isa/opti9xx/miro.c
+@@ -69,19 +69,19 @@ module_param(index, int, 0444);
+ MODULE_PARM_DESC(index, "Index value for miro soundcard.");
+ module_param(id, charp, 0444);
+ MODULE_PARM_DESC(id, "ID string for miro soundcard.");
+-module_param(port, long, 0444);
++module_param_hw(port, long, ioport, 0444);
+ MODULE_PARM_DESC(port, "WSS port # for miro driver.");
+-module_param(mpu_port, long, 0444);
++module_param_hw(mpu_port, long, ioport, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port # for miro driver.");
+-module_param(fm_port, long, 0444);
++module_param_hw(fm_port, long, ioport, 0444);
+ MODULE_PARM_DESC(fm_port, "FM Port # for miro driver.");
+-module_param(irq, int, 0444);
++module_param_hw(irq, int, irq, 0444);
+ MODULE_PARM_DESC(irq, "WSS irq # for miro driver.");
+-module_param(mpu_irq, int, 0444);
++module_param_hw(mpu_irq, int, irq, 0444);
+ MODULE_PARM_DESC(mpu_irq, "MPU-401 irq # for miro driver.");
+-module_param(dma1, int, 0444);
++module_param_hw(dma1, int, dma, 0444);
+ MODULE_PARM_DESC(dma1, "1st dma # for miro driver.");
+-module_param(dma2, int, 0444);
++module_param_hw(dma2, int, dma, 0444);
+ MODULE_PARM_DESC(dma2, "2nd dma # for miro driver.");
+ module_param(wss, int, 0444);
+ MODULE_PARM_DESC(wss, "wss mode");
+diff --git a/sound/isa/opti9xx/opti92x-ad1848.c b/sound/isa/opti9xx/opti92x-ad1848.c
+index 0a5266003786..ceddb392b1e3 100644
+--- a/sound/isa/opti9xx/opti92x-ad1848.c
++++ b/sound/isa/opti9xx/opti92x-ad1848.c
+@@ -88,20 +88,20 @@ MODULE_PARM_DESC(id, "ID string for opti9xx based soundcard.");
+ module_param(isapnp, bool, 0444);
+ MODULE_PARM_DESC(isapnp, "Enable ISA PnP detection for specified soundcard.");
+ #endif
+-module_param(port, long, 0444);
++module_param_hw(port, long, ioport, 0444);
+ MODULE_PARM_DESC(port, "WSS port # for opti9xx driver.");
+-module_param(mpu_port, long, 0444);
++module_param_hw(mpu_port, long, ioport, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port # for opti9xx driver.");
+-module_param(fm_port, long, 0444);
++module_param_hw(fm_port, long, ioport, 0444);
+ MODULE_PARM_DESC(fm_port, "FM port # for opti9xx driver.");
+-module_param(irq, int, 0444);
++module_param_hw(irq, int, irq, 0444);
+ MODULE_PARM_DESC(irq, "WSS irq # for opti9xx driver.");
+-module_param(mpu_irq, int, 0444);
++module_param_hw(mpu_irq, int, irq, 0444);
+ MODULE_PARM_DESC(mpu_irq, "MPU-401 irq # for opti9xx driver.");
+-module_param(dma1, int, 0444);
++module_param_hw(dma1, int, dma, 0444);
+ MODULE_PARM_DESC(dma1, "1st dma # for opti9xx driver.");
+ #if defined(CS4231) || defined(OPTi93X)
+-module_param(dma2, int, 0444);
++module_param_hw(dma2, int, dma, 0444);
+ MODULE_PARM_DESC(dma2, "2nd dma # for opti9xx driver.");
+ #endif	/* CS4231 || OPTi93X */
+ 
+diff --git a/sound/isa/sb/jazz16.c b/sound/isa/sb/jazz16.c
+index 4d909971eedb..bfa0055e1fd6 100644
+--- a/sound/isa/sb/jazz16.c
++++ b/sound/isa/sb/jazz16.c
+@@ -50,17 +50,17 @@ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for Media Vision Jazz16 based soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable Media Vision Jazz16 based soundcard.");
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for jazz16 driver.");
+-module_param_array(mpu_port, long, NULL, 0444);
++module_param_hw_array(mpu_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port # for jazz16 driver.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for jazz16 driver.");
+-module_param_array(mpu_irq, int, NULL, 0444);
++module_param_hw_array(mpu_irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(mpu_irq, "MPU-401 IRQ # for jazz16 driver.");
+-module_param_array(dma8, int, NULL, 0444);
++module_param_hw_array(dma8, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma8, "DMA8 # for jazz16 driver.");
+-module_param_array(dma16, int, NULL, 0444);
++module_param_hw_array(dma16, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma16, "DMA16 # for jazz16 driver.");
+ 
+ #define SB_JAZZ16_WAKEUP	0xaf
+diff --git a/sound/isa/sb/sb16.c b/sound/isa/sb/sb16.c
+index 4a7d7c89808f..3b2e4f405ff2 100644
+--- a/sound/isa/sb/sb16.c
++++ b/sound/isa/sb/sb16.c
+@@ -99,21 +99,21 @@ MODULE_PARM_DESC(enable, "Enable SoundBlaster 16 soundcard.");
+ module_param_array(isapnp, bool, NULL, 0444);
+ MODULE_PARM_DESC(isapnp, "PnP detection for specified soundcard.");
+ #endif
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for SB16 driver.");
+-module_param_array(mpu_port, long, NULL, 0444);
++module_param_hw_array(mpu_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port # for SB16 driver.");
+-module_param_array(fm_port, long, NULL, 0444);
++module_param_hw_array(fm_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(fm_port, "FM port # for SB16 PnP driver.");
+ #ifdef SNDRV_SBAWE_EMU8000
+-module_param_array(awe_port, long, NULL, 0444);
++module_param_hw_array(awe_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(awe_port, "AWE port # for SB16 PnP driver.");
+ #endif
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for SB16 driver.");
+-module_param_array(dma8, int, NULL, 0444);
++module_param_hw_array(dma8, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma8, "8-bit DMA # for SB16 driver.");
+-module_param_array(dma16, int, NULL, 0444);
++module_param_hw_array(dma16, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma16, "16-bit DMA # for SB16 driver.");
+ module_param_array(mic_agc, int, NULL, 0444);
+ MODULE_PARM_DESC(mic_agc, "Mic Auto-Gain-Control switch.");
+diff --git a/sound/isa/sb/sb8.c b/sound/isa/sb/sb8.c
+index ad42d2364199..d77dcba276b5 100644
+--- a/sound/isa/sb/sb8.c
++++ b/sound/isa/sb/sb8.c
+@@ -47,11 +47,11 @@ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for Sound Blaster soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable Sound Blaster soundcard.");
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for SB8 driver.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for SB8 driver.");
+-module_param_array(dma8, int, NULL, 0444);
++module_param_hw_array(dma8, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma8, "8-bit DMA # for SB8 driver.");
+ 
+ struct snd_sb8 {
+diff --git a/sound/isa/sc6000.c b/sound/isa/sc6000.c
+index b61a6633d8f2..c09d9b914efe 100644
+--- a/sound/isa/sc6000.c
++++ b/sound/isa/sc6000.c
+@@ -64,17 +64,17 @@ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for sc-6000 based soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable sc-6000 based soundcard.");
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for sc-6000 driver.");
+-module_param_array(mss_port, long, NULL, 0444);
++module_param_hw_array(mss_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mss_port, "MSS Port # for sc-6000 driver.");
+-module_param_array(mpu_port, long, NULL, 0444);
++module_param_hw_array(mpu_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port # for sc-6000 driver.");
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for sc-6000 driver.");
+-module_param_array(mpu_irq, int, NULL, 0444);
++module_param_hw_array(mpu_irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(mpu_irq, "MPU-401 IRQ # for sc-6000 driver.");
+-module_param_array(dma, int, NULL, 0444);
++module_param_hw_array(dma, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma, "DMA # for sc-6000 driver.");
+ module_param_array(joystick, bool, NULL, 0444);
+ MODULE_PARM_DESC(joystick, "Enable gameport.");
+diff --git a/sound/isa/sscape.c b/sound/isa/sscape.c
+index fdcfa29e2205..54f5758a1bb3 100644
+--- a/sound/isa/sscape.c
++++ b/sound/isa/sscape.c
+@@ -63,22 +63,22 @@ MODULE_PARM_DESC(index, "Index number for SoundScape soundcard");
+ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "Description for SoundScape card");
+ 
+-module_param_array(port, long, NULL, 0444);
++module_param_hw_array(port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(port, "Port # for SoundScape driver.");
+ 
+-module_param_array(wss_port, long, NULL, 0444);
++module_param_hw_array(wss_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(wss_port, "WSS Port # for SoundScape driver.");
+ 
+-module_param_array(irq, int, NULL, 0444);
++module_param_hw_array(irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(irq, "IRQ # for SoundScape driver.");
+ 
+-module_param_array(mpu_irq, int, NULL, 0444);
++module_param_hw_array(mpu_irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(mpu_irq, "MPU401 IRQ # for SoundScape driver.");
+ 
+-module_param_array(dma, int, NULL, 0444);
++module_param_hw_array(dma, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma, "DMA # for SoundScape driver.");
+ 
+-module_param_array(dma2, int, NULL, 0444);
++module_param_hw_array(dma2, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma2, "DMA2 # for SoundScape driver.");
+ 
+ module_param_array(joystick, bool, NULL, 0444);
+diff --git a/sound/isa/wavefront/wavefront.c b/sound/isa/wavefront/wavefront.c
+index a0987a57c8a9..da4e9a85f0af 100644
+--- a/sound/isa/wavefront/wavefront.c
++++ b/sound/isa/wavefront/wavefront.c
+@@ -63,23 +63,23 @@ MODULE_PARM_DESC(enable, "Enable WaveFront soundcard.");
+ module_param_array(isapnp, bool, NULL, 0444);
+ MODULE_PARM_DESC(isapnp, "ISA PnP detection for WaveFront soundcards.");
+ #endif
+-module_param_array(cs4232_pcm_port, long, NULL, 0444);
++module_param_hw_array(cs4232_pcm_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(cs4232_pcm_port, "Port # for CS4232 PCM interface.");
+-module_param_array(cs4232_pcm_irq, int, NULL, 0444);
++module_param_hw_array(cs4232_pcm_irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(cs4232_pcm_irq, "IRQ # for CS4232 PCM interface.");
+-module_param_array(dma1, int, NULL, 0444);
++module_param_hw_array(dma1, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma1, "DMA1 # for CS4232 PCM interface.");
+-module_param_array(dma2, int, NULL, 0444);
++module_param_hw_array(dma2, int, dma, NULL, 0444);
+ MODULE_PARM_DESC(dma2, "DMA2 # for CS4232 PCM interface.");
+-module_param_array(cs4232_mpu_port, long, NULL, 0444);
++module_param_hw_array(cs4232_mpu_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(cs4232_mpu_port, "port # for CS4232 MPU-401 interface.");
+-module_param_array(cs4232_mpu_irq, int, NULL, 0444);
++module_param_hw_array(cs4232_mpu_irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(cs4232_mpu_irq, "IRQ # for CS4232 MPU-401 interface.");
+-module_param_array(ics2115_irq, int, NULL, 0444);
++module_param_hw_array(ics2115_irq, int, irq, NULL, 0444);
+ MODULE_PARM_DESC(ics2115_irq, "IRQ # for ICS2115.");
+-module_param_array(ics2115_port, long, NULL, 0444);
++module_param_hw_array(ics2115_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(ics2115_port, "Port # for ICS2115.");
+-module_param_array(fm_port, long, NULL, 0444);
++module_param_hw_array(fm_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(fm_port, "FM port #.");
+ module_param_array(use_cs4232_midi, bool, NULL, 0444);
+ MODULE_PARM_DESC(use_cs4232_midi, "Use CS4232 MPU-401 interface (inaccessibly located inside your computer)");
diff --git a/debian/patches/features/all/lockdown/0037-Annotate-hardware-config-module-parameters-in-sound-.patch b/debian/patches/features/all/lockdown/0037-Annotate-hardware-config-module-parameters-in-sound-.patch
new file mode 100644
index 0000000..5ca0751
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0037-Annotate-hardware-config-module-parameters-in-sound-.patch
@@ -0,0 +1,320 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:30 +0100
+Subject: [37/62] Annotate hardware config module parameters in sound/oss/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=aa247badbbe86b0d25ccd7050b375938632fc407
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in sound/oss/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Jaroslav Kysela <perex at perex.cz>
+cc: Takashi Iwai <tiwai at suse.com>
+cc: Riccardo Facchetti <fizban at tin.it>
+cc: Andrew Veliath <andrewtv at usa.net>
+cc: alsa-devel at alsa-project.org
+---
+ sound/oss/ad1848.c        |  8 ++++----
+ sound/oss/aedsp16.c       | 12 ++++++------
+ sound/oss/mpu401.c        |  4 ++--
+ sound/oss/msnd_pinnacle.c | 20 ++++++++++----------
+ sound/oss/opl3.c          |  2 +-
+ sound/oss/pas2_card.c     | 18 +++++++++---------
+ sound/oss/pss.c           | 14 +++++++-------
+ sound/oss/sb_card.c       | 10 +++++-----
+ sound/oss/trix.c          | 18 +++++++++---------
+ sound/oss/uart401.c       |  4 ++--
+ sound/oss/uart6850.c      |  4 ++--
+ sound/oss/waveartist.c    |  8 ++++----
+ 12 files changed, 61 insertions(+), 61 deletions(-)
+
+diff --git a/sound/oss/ad1848.c b/sound/oss/ad1848.c
+index f6156d8169d0..2421f59cf279 100644
+--- a/sound/oss/ad1848.c
++++ b/sound/oss/ad1848.c
+@@ -2805,10 +2805,10 @@ static int __initdata dma = -1;
+ static int __initdata dma2 = -1;
+ static int __initdata type = 0;
+ 
+-module_param(io, int, 0);		/* I/O for a raw AD1848 card */
+-module_param(irq, int, 0);		/* IRQ to use */
+-module_param(dma, int, 0);		/* First DMA channel */
+-module_param(dma2, int, 0);		/* Second DMA channel */
++module_param_hw(io, int, ioport, 0);	/* I/O for a raw AD1848 card */
++module_param_hw(irq, int, irq, 0);	/* IRQ to use */
++module_param_hw(dma, int, dma, 0);	/* First DMA channel */
++module_param_hw(dma2, int, dma, 0);	/* Second DMA channel */
+ module_param(type, int, 0);		/* Card type */
+ module_param(deskpro_xl, bool, 0);	/* Special magic for Deskpro XL boxen */
+ module_param(deskpro_m, bool, 0);	/* Special magic for Deskpro M box */
+diff --git a/sound/oss/aedsp16.c b/sound/oss/aedsp16.c
+index bb477d5c8528..f058ed6bdb69 100644
+--- a/sound/oss/aedsp16.c
++++ b/sound/oss/aedsp16.c
+@@ -1303,17 +1303,17 @@ static int __initdata mpu_irq = -1;
+ static int __initdata mss_base = -1;
+ static int __initdata mpu_base = -1;
+ 
+-module_param(io, int, 0);
++module_param_hw(io, int, ioport, 0);
+ MODULE_PARM_DESC(io, "I/O base address (0x220 0x240)");
+-module_param(irq, int, 0);
++module_param_hw(irq, int, irq, 0);
+ MODULE_PARM_DESC(irq, "IRQ line (5 7 9 10 11)");
+-module_param(dma, int, 0);
++module_param_hw(dma, int, dma, 0);
+ MODULE_PARM_DESC(dma, "dma line (0 1 3)");
+-module_param(mpu_irq, int, 0);
++module_param_hw(mpu_irq, int, irq, 0);
+ MODULE_PARM_DESC(mpu_irq, "MPU-401 IRQ line (5 7 9 10 0)");
+-module_param(mss_base, int, 0);
++module_param_hw(mss_base, int, ioport, 0);
+ MODULE_PARM_DESC(mss_base, "MSS emulation I/O base address (0x530 0xE80)");
+-module_param(mpu_base, int, 0);
++module_param_hw(mpu_base, int, ioport, 0);
+ MODULE_PARM_DESC(mpu_base,"MPU-401 I/O base address (0x300 0x310 0x320 0x330)");
+ MODULE_AUTHOR("Riccardo Facchetti <fizban at tin.it>");
+ MODULE_DESCRIPTION("Audio Excel DSP 16 Driver Version " VERSION);
+diff --git a/sound/oss/mpu401.c b/sound/oss/mpu401.c
+index 862735005b43..20e8fa46f647 100644
+--- a/sound/oss/mpu401.c
++++ b/sound/oss/mpu401.c
+@@ -1748,8 +1748,8 @@ static struct address_info cfg;
+ static int io = -1;
+ static int irq = -1;
+ 
+-module_param(irq, int, 0);
+-module_param(io, int, 0);
++module_param_hw(irq, int, irq, 0);
++module_param_hw(io, int, ioport, 0);
+ 
+ static int __init init_mpu401(void)
+ {
+diff --git a/sound/oss/msnd_pinnacle.c b/sound/oss/msnd_pinnacle.c
+index f34ec01d2239..d2abc2cf3213 100644
+--- a/sound/oss/msnd_pinnacle.c
++++ b/sound/oss/msnd_pinnacle.c
+@@ -1727,22 +1727,22 @@ static int
+ calibrate_signal __initdata =		CONFIG_MSND_CALSIGNAL;
+ #endif /* MODULE */
+ 
+-module_param				(io, int, 0);
+-module_param				(irq, int, 0);
+-module_param				(mem, int, 0);
++module_param_hw				(io, int, ioport, 0);
++module_param_hw				(irq, int, irq, 0);
++module_param_hw				(mem, int, iomem, 0);
+ module_param				(write_ndelay, int, 0);
+ module_param				(fifosize, int, 0);
+ module_param				(calibrate_signal, int, 0);
+ #ifndef MSND_CLASSIC
+ module_param				(digital, bool, 0);
+-module_param				(cfg, int, 0);
++module_param_hw				(cfg, int, ioport, 0);
+ module_param				(reset, int, 0);
+-module_param				(mpu_io, int, 0);
+-module_param				(mpu_irq, int, 0);
+-module_param				(ide_io0, int, 0);
+-module_param				(ide_io1, int, 0);
+-module_param				(ide_irq, int, 0);
+-module_param				(joystick_io, int, 0);
++module_param_hw				(mpu_io, int, ioport, 0);
++module_param_hw				(mpu_irq, int, irq, 0);
++module_param_hw				(ide_io0, int, ioport, 0);
++module_param_hw				(ide_io1, int, ioport, 0);
++module_param_hw				(ide_irq, int, irq, 0);
++module_param_hw				(joystick_io, int, ioport, 0);
+ #endif
+ 
+ static int __init msnd_init(void)
+diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c
+index b6d19adf8f41..f0f5b5be6314 100644
+--- a/sound/oss/opl3.c
++++ b/sound/oss/opl3.c
+@@ -1200,7 +1200,7 @@ static int me;
+ 
+ static int io = -1;
+ 
+-module_param(io, int, 0);
++module_param_hw(io, int, ioport, 0);
+ 
+ static int __init init_opl3 (void)
+ {
+diff --git a/sound/oss/pas2_card.c b/sound/oss/pas2_card.c
+index b07954a79536..769fca692d2a 100644
+--- a/sound/oss/pas2_card.c
++++ b/sound/oss/pas2_card.c
+@@ -383,15 +383,15 @@ static int __initdata sb_irq	= -1;
+ static int __initdata sb_dma	= -1;
+ static int __initdata sb_dma16	= -1;
+ 
+-module_param(io, int, 0);
+-module_param(irq, int, 0);
+-module_param(dma, int, 0);
+-module_param(dma16, int, 0);
+-
+-module_param(sb_io, int, 0);
+-module_param(sb_irq, int, 0);
+-module_param(sb_dma, int, 0);
+-module_param(sb_dma16, int, 0);
++module_param_hw(io, int, ioport, 0);
++module_param_hw(irq, int, irq, 0);
++module_param_hw(dma, int, dma, 0);
++module_param_hw(dma16, int, dma, 0);
++
++module_param_hw(sb_io, int, ioport, 0);
++module_param_hw(sb_irq, int, irq, 0);
++module_param_hw(sb_dma, int, dma, 0);
++module_param_hw(sb_dma16, int, dma, 0);
+ 
+ module_param(joystick, bool, 0);
+ module_param(symphony, bool, 0);
+diff --git a/sound/oss/pss.c b/sound/oss/pss.c
+index 81314f9e2ccb..33c3a442e162 100644
+--- a/sound/oss/pss.c
++++ b/sound/oss/pss.c
+@@ -1139,19 +1139,19 @@ static bool pss_no_sound = 0;	/* Just configure non-sound components */
+ static bool pss_keep_settings  = 1;	/* Keep hardware settings at module exit */
+ static char *pss_firmware = "/etc/sound/pss_synth";
+ 
+-module_param(pss_io, int, 0);
++module_param_hw(pss_io, int, ioport, 0);
+ MODULE_PARM_DESC(pss_io, "Set i/o base of PSS card (probably 0x220 or 0x240)");
+-module_param(mss_io, int, 0);
++module_param_hw(mss_io, int, ioport, 0);
+ MODULE_PARM_DESC(mss_io, "Set WSS (audio) i/o base (0x530, 0x604, 0xE80, 0xF40, or other. Address must end in 0 or 4 and must be from 0x100 to 0xFF4)");
+-module_param(mss_irq, int, 0);
++module_param_hw(mss_irq, int, irq, 0);
+ MODULE_PARM_DESC(mss_irq, "Set WSS (audio) IRQ (3, 5, 7, 9, 10, 11, 12)");
+-module_param(mss_dma, int, 0);
++module_param_hw(mss_dma, int, dma, 0);
+ MODULE_PARM_DESC(mss_dma, "Set WSS (audio) DMA (0, 1, 3)");
+-module_param(mpu_io, int, 0);
++module_param_hw(mpu_io, int, ioport, 0);
+ MODULE_PARM_DESC(mpu_io, "Set MIDI i/o base (0x330 or other. Address must be on 4 location boundaries and must be from 0x100 to 0xFFC)");
+-module_param(mpu_irq, int, 0);
++module_param_hw(mpu_irq, int, irq, 0);
+ MODULE_PARM_DESC(mpu_irq, "Set MIDI IRQ (3, 5, 7, 9, 10, 11, 12)");
+-module_param(pss_cdrom_port, int, 0);
++module_param_hw(pss_cdrom_port, int, ioport, 0);
+ MODULE_PARM_DESC(pss_cdrom_port, "Set the PSS CDROM port i/o base (0x340 or other)");
+ module_param(pss_enable_joystick, bool, 0);
+ MODULE_PARM_DESC(pss_enable_joystick, "Enables the PSS joystick port (1 to enable, 0 to disable)");
+diff --git a/sound/oss/sb_card.c b/sound/oss/sb_card.c
+index fb5d7250de38..2a92cfe6cfe9 100644
+--- a/sound/oss/sb_card.c
++++ b/sound/oss/sb_card.c
+@@ -61,15 +61,15 @@ static int __initdata uart401	= 0;
+ static int __initdata pnp       = 0;
+ #endif
+ 
+-module_param(io, int, 000);
++module_param_hw(io, int, ioport, 000);
+ MODULE_PARM_DESC(io,       "Soundblaster i/o base address (0x220,0x240,0x260,0x280)");
+-module_param(irq, int, 000);
++module_param_hw(irq, int, irq, 000);
+ MODULE_PARM_DESC(irq,	   "IRQ (5,7,9,10)");
+-module_param(dma, int, 000);
++module_param_hw(dma, int, dma, 000);
+ MODULE_PARM_DESC(dma,	   "8-bit DMA channel (0,1,3)");
+-module_param(dma16, int, 000);
++module_param_hw(dma16, int, dma, 000);
+ MODULE_PARM_DESC(dma16,	   "16-bit DMA channel (5,6,7)");
+-module_param(mpu_io, int, 000);
++module_param_hw(mpu_io, int, ioport, 000);
+ MODULE_PARM_DESC(mpu_io,   "MPU base address");
+ module_param(type, int, 000);
+ MODULE_PARM_DESC(type,	   "You can set this to specific card type (doesn't " \
+diff --git a/sound/oss/trix.c b/sound/oss/trix.c
+index 3c494dc93b93..a57bc635d758 100644
+--- a/sound/oss/trix.c
++++ b/sound/oss/trix.c
+@@ -413,15 +413,15 @@ static int __initdata sb_irq	= -1;
+ static int __initdata mpu_io	= -1;
+ static int __initdata mpu_irq	= -1;
+ 
+-module_param(io, int, 0);
+-module_param(irq, int, 0);
+-module_param(dma, int, 0);
+-module_param(dma2, int, 0);
+-module_param(sb_io, int, 0);
+-module_param(sb_dma, int, 0);
+-module_param(sb_irq, int, 0);
+-module_param(mpu_io, int, 0);
+-module_param(mpu_irq, int, 0);
++module_param_hw(io, int, ioport, 0);
++module_param_hw(irq, int, irq, 0);
++module_param_hw(dma, int, dma, 0);
++module_param_hw(dma2, int, dma, 0);
++module_param_hw(sb_io, int, ioport, 0);
++module_param_hw(sb_dma, int, dma, 0);
++module_param_hw(sb_irq, int, irq, 0);
++module_param_hw(mpu_io, int, ioport, 0);
++module_param_hw(mpu_irq, int, irq, 0);
+ module_param(joystick, bool, 0);
+ 
+ static int __init init_trix(void)
+diff --git a/sound/oss/uart401.c b/sound/oss/uart401.c
+index dae4d4344407..83dcc85b8688 100644
+--- a/sound/oss/uart401.c
++++ b/sound/oss/uart401.c
+@@ -429,8 +429,8 @@ static struct address_info cfg_mpu;
+ static int io = -1;
+ static int irq = -1;
+ 
+-module_param(io, int, 0444);
+-module_param(irq, int, 0444);
++module_param_hw(io, int, ioport, 0444);
++module_param_hw(irq, int, irq, 0444);
+ 
+ 
+ static int __init init_uart401(void)
+diff --git a/sound/oss/uart6850.c b/sound/oss/uart6850.c
+index 1079133dd6ab..eda32d7eddbd 100644
+--- a/sound/oss/uart6850.c
++++ b/sound/oss/uart6850.c
+@@ -315,8 +315,8 @@ static struct address_info cfg_mpu;
+ static int __initdata io = -1;
+ static int __initdata irq = -1;
+ 
+-module_param(io, int, 0);
+-module_param(irq, int, 0);
++module_param_hw(io, int, ioport, 0);
++module_param_hw(irq, int, irq, 0);
+ 
+ static int __init init_uart6850(void)
+ {
+diff --git a/sound/oss/waveartist.c b/sound/oss/waveartist.c
+index 0b8d0de87273..4f0c3a232e41 100644
+--- a/sound/oss/waveartist.c
++++ b/sound/oss/waveartist.c
+@@ -2036,8 +2036,8 @@ __setup("waveartist=", setup_waveartist);
+ #endif
+ 
+ MODULE_DESCRIPTION("Rockwell WaveArtist RWA-010 sound driver");
+-module_param(io, int, 0);		/* IO base */
+-module_param(irq, int, 0);		/* IRQ */
+-module_param(dma, int, 0);		/* DMA */
+-module_param(dma2, int, 0);		/* DMA2 */
++module_param_hw(io, int, ioport, 0);		/* IO base */
++module_param_hw(irq, int, irq, 0);		/* IRQ */
++module_param_hw(dma, int, dma, 0);		/* DMA */
++module_param_hw(dma2, int, dma, 0);		/* DMA2 */
+ MODULE_LICENSE("GPL");
diff --git a/debian/patches/features/all/lockdown/0038-Annotate-hardware-config-module-parameters-in-sound-.patch b/debian/patches/features/all/lockdown/0038-Annotate-hardware-config-module-parameters-in-sound-.patch
new file mode 100644
index 0000000..9cdf369
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0038-Annotate-hardware-config-module-parameters-in-sound-.patch
@@ -0,0 +1,154 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 4 Apr 2017 16:54:30 +0100
+Subject: [38/62] Annotate hardware config module parameters in sound/pci/
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=625c33b384a0f2e3ac63d6d513e389d4e290b667
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+To this end, annotate module_param* statements that refer to hardware
+configuration and indicate for future reference what type of parameter they
+specify.  The parameter parser in the core sees this information and can
+skip such parameters with an error message if the kernel is locked down.
+The module initialisation then runs as normal, but just sees whatever the
+default values for those parameters is.
+
+Note that we do still need to do the module initialisation because some
+drivers have viable defaults set in case parameters aren't specified and
+some drivers support automatic configuration (e.g. PNP or PCI) in addition
+to manually coded parameters.
+
+This patch annotates drivers in sound/pci/.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Jaroslav Kysela <perex at perex.cz>
+cc: Takashi Iwai <tiwai at suse.com>
+cc: alsa-devel at alsa-project.org
+---
+ sound/pci/als4000.c         | 2 +-
+ sound/pci/cmipci.c          | 6 +++---
+ sound/pci/ens1370.c         | 2 +-
+ sound/pci/riptide/riptide.c | 6 +++---
+ sound/pci/sonicvibes.c      | 2 +-
+ sound/pci/via82xx.c         | 2 +-
+ sound/pci/ymfpci/ymfpci.c   | 6 +++---
+ 7 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/sound/pci/als4000.c b/sound/pci/als4000.c
+index 92bc06d01288..7844a75d8ed9 100644
+--- a/sound/pci/als4000.c
++++ b/sound/pci/als4000.c
+@@ -102,7 +102,7 @@ MODULE_PARM_DESC(id, "ID string for ALS4000 soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable ALS4000 soundcard.");
+ #ifdef SUPPORT_JOYSTICK
+-module_param_array(joystick_port, int, NULL, 0444);
++module_param_hw_array(joystick_port, int, ioport, NULL, 0444);
+ MODULE_PARM_DESC(joystick_port, "Joystick port address for ALS4000 soundcard. (0 = disabled)");
+ #endif
+ 
+diff --git a/sound/pci/cmipci.c b/sound/pci/cmipci.c
+index aeedc270ed9b..430f064c64da 100644
+--- a/sound/pci/cmipci.c
++++ b/sound/pci/cmipci.c
+@@ -68,14 +68,14 @@ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for C-Media PCI soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable C-Media PCI soundcard.");
+-module_param_array(mpu_port, long, NULL, 0444);
++module_param_hw_array(mpu_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port.");
+-module_param_array(fm_port, long, NULL, 0444);
++module_param_hw_array(fm_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(fm_port, "FM port.");
+ module_param_array(soft_ac3, bool, NULL, 0444);
+ MODULE_PARM_DESC(soft_ac3, "Software-conversion of raw SPDIF packets (model 033 only).");
+ #ifdef SUPPORT_JOYSTICK
+-module_param_array(joystick_port, int, NULL, 0444);
++module_param_hw_array(joystick_port, int, ioport, NULL, 0444);
+ MODULE_PARM_DESC(joystick_port, "Joystick port address.");
+ #endif
+ 
+diff --git a/sound/pci/ens1370.c b/sound/pci/ens1370.c
+index 164adad91650..90376739c5e1 100644
+--- a/sound/pci/ens1370.c
++++ b/sound/pci/ens1370.c
+@@ -106,7 +106,7 @@ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable Ensoniq AudioPCI soundcard.");
+ #ifdef SUPPORT_JOYSTICK
+ #ifdef CHIP1371
+-module_param_array(joystick_port, int, NULL, 0444);
++module_param_hw_array(joystick_port, int, ioport, NULL, 0444);
+ MODULE_PARM_DESC(joystick_port, "Joystick port address.");
+ #else
+ module_param_array(joystick, bool, NULL, 0444);
+diff --git a/sound/pci/riptide/riptide.c b/sound/pci/riptide/riptide.c
+index 19c9df6b0f3d..f067c76d77f8 100644
+--- a/sound/pci/riptide/riptide.c
++++ b/sound/pci/riptide/riptide.c
+@@ -137,12 +137,12 @@ MODULE_PARM_DESC(id, "ID string for Riptide soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable Riptide soundcard.");
+ #ifdef SUPPORT_JOYSTICK
+-module_param_array(joystick_port, int, NULL, 0444);
++module_param_hw_array(joystick_port, int, ioport, NULL, 0444);
+ MODULE_PARM_DESC(joystick_port, "Joystick port # for Riptide soundcard.");
+ #endif
+-module_param_array(mpu_port, int, NULL, 0444);
++module_param_hw_array(mpu_port, int, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU401 port # for Riptide driver.");
+-module_param_array(opl3_port, int, NULL, 0444);
++module_param_hw_array(opl3_port, int, ioport, NULL, 0444);
+ MODULE_PARM_DESC(opl3_port, "OPL3 port # for Riptide driver.");
+ 
+ /*
+diff --git a/sound/pci/sonicvibes.c b/sound/pci/sonicvibes.c
+index a6aa48c5b969..8e3d4ec39c35 100644
+--- a/sound/pci/sonicvibes.c
++++ b/sound/pci/sonicvibes.c
+@@ -66,7 +66,7 @@ module_param_array(reverb, bool, NULL, 0444);
+ MODULE_PARM_DESC(reverb, "Enable reverb (SRAM is present) for S3 SonicVibes soundcard.");
+ module_param_array(mge, bool, NULL, 0444);
+ MODULE_PARM_DESC(mge, "MIC Gain Enable for S3 SonicVibes soundcard.");
+-module_param(dmaio, uint, 0444);
++module_param_hw(dmaio, uint, ioport, 0444);
+ MODULE_PARM_DESC(dmaio, "DDMA i/o base address for S3 SonicVibes soundcard.");
+ 
+ /*
+diff --git a/sound/pci/via82xx.c b/sound/pci/via82xx.c
+index 2d8c14e3f8d2..127834021175 100644
+--- a/sound/pci/via82xx.c
++++ b/sound/pci/via82xx.c
+@@ -92,7 +92,7 @@ module_param(index, int, 0444);
+ MODULE_PARM_DESC(index, "Index value for VIA 82xx bridge.");
+ module_param(id, charp, 0444);
+ MODULE_PARM_DESC(id, "ID string for VIA 82xx bridge.");
+-module_param(mpu_port, long, 0444);
++module_param_hw(mpu_port, long, ioport, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 port. (VT82C686x only)");
+ #ifdef SUPPORT_JOYSTICK
+ module_param(joystick, bool, 0444);
+diff --git a/sound/pci/ymfpci/ymfpci.c b/sound/pci/ymfpci/ymfpci.c
+index 812e27a1bcbc..4faf3e1ed06a 100644
+--- a/sound/pci/ymfpci/ymfpci.c
++++ b/sound/pci/ymfpci/ymfpci.c
+@@ -55,12 +55,12 @@ module_param_array(id, charp, NULL, 0444);
+ MODULE_PARM_DESC(id, "ID string for the Yamaha DS-1 PCI soundcard.");
+ module_param_array(enable, bool, NULL, 0444);
+ MODULE_PARM_DESC(enable, "Enable Yamaha DS-1 soundcard.");
+-module_param_array(mpu_port, long, NULL, 0444);
++module_param_hw_array(mpu_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(mpu_port, "MPU-401 Port.");
+-module_param_array(fm_port, long, NULL, 0444);
++module_param_hw_array(fm_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(fm_port, "FM OPL-3 Port.");
+ #ifdef SUPPORT_JOYSTICK
+-module_param_array(joystick_port, long, NULL, 0444);
++module_param_hw_array(joystick_port, long, ioport, NULL, 0444);
+ MODULE_PARM_DESC(joystick_port, "Joystick port address");
+ #endif
+ module_param_array(rear_switch, bool, NULL, 0444);
diff --git a/debian/patches/features/all/lockdown/0039-efi-Add-EFI_SECURE_BOOT-bit.patch b/debian/patches/features/all/lockdown/0039-efi-Add-EFI_SECURE_BOOT-bit.patch
new file mode 100644
index 0000000..06ed973
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0039-efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -0,0 +1,43 @@
+From: Josh Boyer <jwboyer at fedoraproject.org>
+Date: Wed, 5 Apr 2017 17:40:29 +0100
+Subject: [39/62] efi: Add EFI_SECURE_BOOT bit
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=7c121e1d97d6af4d25fb49bffb10571964f37ab1
+
+UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
+that can be passed to efi_enabled() to find out whether secure boot is
+enabled.
+
+This will be used by the SysRq+x handler, registered by the x86 arch, to find
+out whether secure boot mode is enabled so that it can be disabled.
+
+Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ arch/x86/kernel/setup.c | 1 +
+ include/linux/efi.h     | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 4bf0c8926a1c..396285bddb93 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1184,6 +1184,7 @@ void __init setup_arch(char **cmdline_p)
+ 			pr_info("Secure boot disabled\n");
+ 			break;
+ 		case efi_secureboot_mode_enabled:
++			set_bit(EFI_SECURE_BOOT, &efi.flags);
+ 			pr_info("Secure boot enabled\n");
+ 			break;
+ 		default:
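Review bot: EFI_SECURE_BOOT is set only here, inside the x86 setup_arch() switch, so efi_enabled(EFI_SECURE_BOOT) stays false on every other EFI architecture even when the firmware did boot in Secure Boot mode. Either set the bit in common EFI initialisation code, or state in the include/linux/efi.h comment for bit 11 that the flag is x86-only for now, so generic callers do not read a clear bit as "not secure-booted".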
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 94d34e0be24f..6049600e5475 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *);
+ #define EFI_DBG			8	/* Print additional debug info at runtime */
+ #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
+ #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
++#define EFI_SECURE_BOOT		11	/* Are we in Secure Boot mode? */
+ 
+ #ifdef CONFIG_EFI
+ /*
diff --git a/debian/patches/features/all/lockdown/0040-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/debian/patches/features/all/lockdown/0040-Add-the-ability-to-lock-down-access-to-the-running-k.patch
new file mode 100644
index 0000000..1718610
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0040-Add-the-ability-to-lock-down-access-to-the-running-k.patch
@@ -0,0 +1,146 @@
+From: David Howells <dhowells at redhat.com>
+Date: Wed, 5 Apr 2017 17:40:29 +0100
+Subject: [40/62] Add the ability to lock down access to the running kernel
+ image
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=4e038dfc742f11bcd02e5a3fba5718cefbf06d70
+
+Provide a single call to allow kernel code to determine whether the system
+should be locked down, thereby disallowing various accesses that might
+allow the running kernel image to be changed including the loading of
+modules that aren't validly signed with a key we recognise, fiddling with
+MSR registers and disallowing hibernation,
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ include/linux/kernel.h   |  9 +++++++++
+ include/linux/security.h | 11 +++++++++++
+ security/Kconfig         | 15 +++++++++++++++
+ security/Makefile        |  3 +++
+ security/lock_down.c     | 40 ++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 78 insertions(+)
+ create mode 100644 security/lock_down.c
+
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 4c26dc3a8295..b820a80dc949 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -275,6 +275,15 @@ extern int oops_may_print(void);
+ void do_exit(long error_code) __noreturn;
+ void complete_and_exit(struct completion *, long) __noreturn;
+ 
++#ifdef CONFIG_LOCK_DOWN_KERNEL
++extern bool kernel_is_locked_down(void);
++#else
++static inline bool kernel_is_locked_down(void)
++{
++	return false;
++}
++#endif
++
+ /* Internal, do not use. */
+ int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
+ int __must_check _kstrtol(const char *s, unsigned int base, long *res);
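Review bot: the query half of the interface, kernel_is_locked_down(), is declared in include/linux/kernel.h while the state-changing half, lock_kernel_down()/lift_kernel_lockdown(), goes into include/linux/security.h in the next hunk; a three-function API split across two headers is hard to find, and kernel.h is pulled in nearly everywhere. Keep all three declarations together in security.h (or a dedicated lockdown header) unless there is a concrete include-dependency reason, and record that reason in a comment if so.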
+diff --git a/include/linux/security.h b/include/linux/security.h
+index af675b576645..68bab18ddd57 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -1698,5 +1698,16 @@ static inline void free_secdata(void *secdata)
+ { }
+ #endif /* CONFIG_SECURITY */
+ 
++#ifdef CONFIG_LOCK_DOWN_KERNEL
++extern void lock_kernel_down(void);
++#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
++extern void lift_kernel_lockdown(void);
++#endif
++#else
++static inline void lock_kernel_down(void)
++{
++}
++#endif
++
+ #endif /* ! __LINUX_SECURITY_H */
+ 
+diff --git a/security/Kconfig b/security/Kconfig
+index 3ff1bf91080e..e3830171bdcb 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -198,6 +198,21 @@ config STATIC_USERMODEHELPER_PATH
+ 	  If you wish for all usermode helper programs to be disabled,
+ 	  specify an empty string here (i.e. "").
+ 
++config LOCK_DOWN_KERNEL
++	bool "Allow the kernel to be 'locked down'"
++	help
++	  Allow the kernel to be locked down under certain circumstances, for
++	  instance if UEFI secure boot is enabled.  Locking down the kernel
++	  turns off various features that might otherwise allow access to the
++	  kernel image (eg. setting MSR registers).
++
++config ALLOW_LOCKDOWN_LIFT
++	bool
++	help
++	  Allow the lockdown on a kernel to be lifted, thereby restoring the
++	  ability of userspace to access the kernel image (eg. by SysRq+x under
++	  x86).
++
+ source security/selinux/Kconfig
+ source security/smack/Kconfig
+ source security/tomoyo/Kconfig
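Review bot: ALLOW_LOCKDOWN_LIFT has no `depends on LOCK_DOWN_KERNEL`, yet the only prototype for lift_kernel_lockdown() in include/linux/security.h sits inside `#ifdef CONFIG_LOCK_DOWN_KERNEL` and, unlike lock_kernel_down(), it has no !CONFIG_LOCK_DOWN_KERNEL stub, so a configuration that selects ALLOW_LOCKDOWN_LIFT without LOCK_DOWN_KERNEL leaves callers with an undeclared function. Add `depends on LOCK_DOWN_KERNEL` to ALLOW_LOCKDOWN_LIFT (and an empty inline stub next to the lock_kernel_down() one), and say in the LOCK_DOWN_KERNEL help text that without ALLOW_LOCKDOWN_LIFT the lockdown cannot be reversed until reboot.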
+diff --git a/security/Makefile b/security/Makefile
+index f2d71cdb8e19..8c4a43e3d4e0 100644
+--- a/security/Makefile
++++ b/security/Makefile
+@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
+ # Object integrity file lists
+ subdir-$(CONFIG_INTEGRITY)		+= integrity
+ obj-$(CONFIG_INTEGRITY)			+= integrity/
++
++# Allow the kernel to be locked down
++obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
+diff --git a/security/lock_down.c b/security/lock_down.c
+new file mode 100644
+index 000000000000..5788c60ff4e1
+--- /dev/null
++++ b/security/lock_down.c
+@@ -0,0 +1,40 @@
++/* Lock down the kernel
++ *
++ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells at redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public Licence
++ * as published by the Free Software Foundation; either version
++ * 2 of the Licence, or (at your option) any later version.
++ */
++
++#include <linux/security.h>
++#include <linux/export.h>
++
++static __read_mostly bool kernel_locked_down;
++
++/*
++ * Put the kernel into lock-down mode.
++ */
++void lock_kernel_down(void)
++{
++	kernel_locked_down = true;
++}
++
++/*
++ * Take the kernel out of lockdown mode.
++ */
++void lift_kernel_lockdown(void)
++{
++	kernel_locked_down = false;
++}
++
++/**
++ * kernel_is_locked_down - Find out if the kernel is locked down
++ */
++bool kernel_is_locked_down(void)
++{
++	return kernel_locked_down;
++}
++EXPORT_SYMBOL(kernel_is_locked_down);
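Review bot: lift_kernel_lockdown() is defined unconditionally here although its prototype in include/linux/security.h is visible only under CONFIG_ALLOW_LOCKDOWN_LIFT, so with that option off the function is still compiled into the image without a declaration (a -Wmissing-prototypes/sparse warning, and a lockdown-clearing primitive present in builds that opted out of lifting). Wrap the definition in `#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT`. Separately, lifting the lockdown is a security-relevant state change that currently leaves no trace in the kernel log; a pr_notice() in lift_kernel_lockdown() would let an operator verify afterwards that the kernel stayed locked down for the whole uptime.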
diff --git a/debian/patches/features/all/lockdown/0041-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/0041-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
new file mode 100644
index 0000000..94c33c4
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0041-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -0,0 +1,66 @@
+From: David Howells <dhowells at redhat.com>
+Date: Wed, 5 Apr 2017 17:40:29 +0100
+Subject: [41/62] efi: Lock down the kernel if booted in secure boot mode
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=48f943a855fa850977db9071250db2b9e12287ce
+
+UEFI Secure Boot provides a mechanism for ensuring that the firmware will
+only load signed bootloaders and kernels.  Certain use cases may also
+require that all kernel modules also be signed.  Add a configuration option
+that to lock down the kernel - which includes requiring validly signed
+modules - if the kernel is secure-booted.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ arch/x86/Kconfig        | 12 ++++++++++++
+ arch/x86/kernel/setup.c |  8 +++++++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index cc98d5a294ee..21f39855661d 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1817,6 +1817,18 @@ config EFI_MIXED
+ 
+ 	   If unsure, say N.
+ 
++config EFI_SECURE_BOOT_LOCK_DOWN
++	def_bool n
++	depends on EFI
++	prompt "Lock down the kernel when UEFI Secure Boot is enabled"
++	---help---
++	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
++	  will only load signed bootloaders and kernels.  Certain use cases may
++	  also require that all kernel modules also be signed and that
++	  userspace is prevented from directly changing the running kernel
++	  image.  Say Y here to automatically lock down the kernel when a
++	  system boots with UEFI Secure Boot enabled.
++
+ config SECCOMP
+ 	def_bool y
+ 	prompt "Enable seccomp to safely compute untrusted bytecode"
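Review bot: EFI_SECURE_BOOT_LOCK_DOWN depends only on EFI, not on LOCK_DOWN_KERNEL; with LOCK_DOWN_KERNEL=n, lock_kernel_down() resolves to the empty inline stub from include/linux/security.h while the setup.c hunk below still prints "Secure boot enabled and kernel locked down", so the option appears to work while enforcing nothing. Make it `depends on EFI && LOCK_DOWN_KERNEL` (or `select LOCK_DOWN_KERNEL`) so the prompt cannot be enabled in a configuration where it is a no-op.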
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 396285bddb93..85dfa745c442 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -69,6 +69,7 @@
+ #include <linux/crash_dump.h>
+ #include <linux/tboot.h>
+ #include <linux/jiffies.h>
++#include <linux/security.h>
+ 
+ #include <video/edid.h>
+ 
+@@ -1185,7 +1186,12 @@ void __init setup_arch(char **cmdline_p)
+ 			break;
+ 		case efi_secureboot_mode_enabled:
+ 			set_bit(EFI_SECURE_BOOT, &efi.flags);
+-			pr_info("Secure boot enabled\n");
++			if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT_LOCK_DOWN)) {
++				lock_kernel_down();
++				pr_info("Secure boot enabled and kernel locked down\n");
++			} else {
++				pr_info("Secure boot enabled\n");
++			}
+ 			break;
+ 		default:
+ 			pr_info("Secure boot could not be determined\n");
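Review bot: The `default:` branch of this switch (`pr_info("Secure boot could not be determined\n")`) leaves the kernel unlocked when the Secure Boot state cannot be read, so a firmware that fails to report the variable yields a signed boot chain with no lockdown. Please state in the commit message whether fail-open is intended, or lock down in that case too when `CONFIG_EFI_SECURE_BOOT_LOCK_DOWN` is set. Minor: the two `pr_info()` calls could be one message with a conditional suffix.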
diff --git a/debian/patches/features/all/lockdown/0042-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/debian/patches/features/all/lockdown/0042-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
new file mode 100644
index 0000000..3d4a27d
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0042-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
@@ -0,0 +1,26 @@
+From: David Howells <dhowells at redhat.com>
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [42/62] Enforce module signatures if the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a9643aef5a6c576f32a97053b4024638943044ca
+
+If the kernel is locked down, require that all modules have valid
+signatures that we can verify.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ kernel/module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index 7eba6dea4f41..3331f2eb9b93 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -2756,7 +2756,7 @@ static int module_sig_check(struct load_info *info, int flags)
+ 	}
+ 
+ 	/* Not having a signature is only an error if we're strict. */
+-	if (err == -ENOKEY && !sig_enforce)
++	if (err == -ENOKEY && !sig_enforce && !kernel_is_locked_down())
+ 		err = 0;
+ 
+ 	return err;
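Review bot: With this change an unsigned module on a locked-down kernel is refused with the bare `-ENOKEY` left in `err`, which reaches the user as "Required key not available" with nothing pointing at lockdown as the cause, and no log line is emitted. Suggest a rate-limited `pr_notice()` naming the module in the `kernel_is_locked_down()` case so the refusal can be diagnosed from dmesg.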
diff --git a/debian/patches/features/all/lockdown/0043-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch b/debian/patches/features/all/lockdown/0043-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
new file mode 100644
index 0000000..2a9f1e6
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0043-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
@@ -0,0 +1,40 @@
+From: Matthew Garrett <matthew.garrett at nebula.com>
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [43/62] Restrict /dev/mem and /dev/kmem when the kernel is locked
+ down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=104cff827b18e35874153bd8df14eba59e5b411a
+
+Allowing users to write to address space makes it possible for the kernel to
+be subverted, avoiding module loading restrictions.  Prevent this when the
+kernel has been locked down.
+
+Signed-off-by: Matthew Garrett <matthew.garrett at nebula.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ drivers/char/mem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index 6d9cc2d39d22..f8144049bda3 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -163,6 +163,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
+ 	if (p != *ppos)
+ 		return -EFBIG;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	if (!valid_phys_addr_range(p, count))
+ 		return -EFAULT;
+ 
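Review bot: Only the `write()` paths are hooked in this patch (`write_mem()` here and `write_kmem()` in the next hunk), but `drivers/char/mem.c` also exposes physical and kernel memory through `mmap_mem()` and `mmap_kmem()`, and a `PROT_WRITE` mapping gives exactly the write access these checks are meant to remove. Add the `kernel_is_locked_down()` test to the mmap paths as well (at least when `vma->vm_flags & VM_WRITE`), otherwise the restriction is bypassed by a single mmap on `/dev/mem`.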
+@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
+ 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
+ 	int err = 0;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	if (p < (unsigned long) high_memory) {
+ 		unsigned long to_write = min_t(unsigned long, count,
+ 					       (unsigned long)high_memory - p);
diff --git a/debian/patches/features/all/lockdown/0044-Add-a-sysrq-option-to-exit-secure-boot-mode.patch b/debian/patches/features/all/lockdown/0044-Add-a-sysrq-option-to-exit-secure-boot-mode.patch
new file mode 100644
index 0000000..91e7001
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0044-Add-a-sysrq-option-to-exit-secure-boot-mode.patch
@@ -0,0 +1,249 @@
+From: Kyle McMartin <kyle at redhat.com>
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [44/62] Add a sysrq option to exit secure boot mode
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=e26d9e1cb0218082265875505edc284a63385010
+
+Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running
+kernel image to be modified.  This lifts the lockdown.
+
+Signed-off-by: Kyle McMartin <kyle at redhat.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ arch/x86/Kconfig            | 10 ++++++++++
+ arch/x86/kernel/setup.c     | 31 +++++++++++++++++++++++++++++++
+ drivers/input/misc/uinput.c |  1 +
+ drivers/tty/sysrq.c         | 19 +++++++++++++------
+ include/linux/input.h       |  5 +++++
+ include/linux/sysrq.h       |  8 +++++++-
+ kernel/debug/kdb/kdb_main.c |  2 +-
+ 7 files changed, 68 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 21f39855661d..457c04971849 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1829,6 +1829,16 @@ config EFI_SECURE_BOOT_LOCK_DOWN
+ 	  image.  Say Y here to automatically lock down the kernel when a
+ 	  system boots with UEFI Secure Boot enabled.
+ 
++config EFI_ALLOW_SECURE_BOOT_EXIT
++	def_bool n
++	depends on EFI_SECURE_BOOT_LOCK_DOWN && MAGIC_SYSRQ
++	select ALLOW_LOCKDOWN_LIFT
++	prompt "Allow secure boot mode to be exited with SysRq+x on a keyboard"
++	---help---
++	  Allow secure boot mode to be exited and the kernel lockdown lifted by
++	  typing SysRq+x on a keyboard attached to the system (not permitted
++	  through procfs).
++
+ config SECCOMP
+ 	def_bool y
+ 	prompt "Enable seccomp to safely compute untrusted bytecode"
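Review bot: The prompt and help text say Secure Boot mode is "exited", but the handler this option enables (see the setup.c hunk below) only calls `lift_kernel_lockdown()`; the firmware's Secure Boot state and the `EFI_SECURE_BOOT` flag are untouched. Reword to "lift the kernel lockdown with SysRq+x", and say whether the lift can be undone, since no re-lock path is added in this patch.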
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 85dfa745c442..a415a4817684 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -71,6 +71,11 @@
+ #include <linux/jiffies.h>
+ #include <linux/security.h>
+ 
++#include <linux/fips.h>
++#include <linux/cred.h>
++#include <linux/sysrq.h>
++#include <linux/init_task.h>
++
+ #include <video/edid.h>
+ 
+ #include <asm/mtrr.h>
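Review bot: `<linux/fips.h>`, `<linux/cred.h>` and `<linux/init_task.h>` are added here but nothing in the new `CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT` block uses them (it needs only `efi_enabled()`, `pr_info()`, `lift_kernel_lockdown()` and the sysrq API). Drop the three unused includes and keep `<linux/sysrq.h>`.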
+@@ -1330,6 +1335,32 @@ void __init i386_reserve_resources(void)
+ 
+ #endif /* CONFIG_X86_32 */
+ 
++#ifdef CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT
++
++static void sysrq_handle_secure_boot(int key)
++{
++	if (!efi_enabled(EFI_SECURE_BOOT))
++		return;
++
++	pr_info("Secure boot disabled\n");
++	lift_kernel_lockdown();
++}
++static struct sysrq_key_op secure_boot_sysrq_op = {
++	.handler	=	sysrq_handle_secure_boot,
++	.help_msg	=	"unSB(x)",
++	.action_msg	=	"Disabling Secure Boot restrictions",
++	.enable_mask	=	SYSRQ_DISABLE_USERSPACE,
++};
++static int __init secure_boot_sysrq(void)
++{
++	if (efi_enabled(EFI_SECURE_BOOT))
++		register_sysrq_key('x', &secure_boot_sysrq_op);
++	return 0;
++}
++late_initcall(secure_boot_sysrq);
++#endif /*CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT*/
++
++
+ static struct notifier_block kernel_offset_notifier = {
+ 	.notifier_call = dump_kernel_offset
+ };
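Review bot: `sysrq_handle_secure_boot()` guards only on `efi_enabled(EFI_SECURE_BOOT)`, which stays set after the lift, so every further SysRq+x prints "Secure boot disabled" and calls `lift_kernel_lockdown()` again; the message is also inaccurate, since Secure Boot itself is not disabled. Check `kernel_is_locked_down()` before lifting and log "kernel lockdown lifted" instead. Style: there is a doubled blank line after the `#endif`, and `/*CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT*/` wants spaces inside the comment delimiters.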
+diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
+index 022be0e22eba..4a054a564636 100644
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -387,6 +387,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
+ 	if (!udev->dev)
+ 		return -ENOMEM;
+ 
++	udev->dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
+ 	udev->dev->event = uinput_dev_event;
+ 	input_set_drvdata(udev->dev, udev);
+ 
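Review bot: Marking only uinput devices as `INPUTDEV_FLAGS_SYNTHETIC` leaves the other user-space injection path uncovered: evdev's `write()` feeds events into an existing device through `input_inject_event()`, so a process with write access to the `/dev/input/eventN` node of a real keyboard can deliver an unflagged SysRq+x sequence to `sysrq_filter()`. Either flag events injected on that path as synthetic too, or document that the protection assumes no local write access to evdev nodes.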
+diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
+index c6fc7141d7b2..0c96cf60f1a6 100644
+--- a/drivers/tty/sysrq.c
++++ b/drivers/tty/sysrq.c
+@@ -481,6 +481,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
+ 	/* x: May be registered on mips for TLB dump */
+ 	/* x: May be registered on ppc/powerpc for xmon */
+ 	/* x: May be registered on sparc64 for global PMU dump */
++	/* x: May be registered on x86_64 for disabling secure boot */
+ 	NULL,				/* x */
+ 	/* y: May be registered on sparc64 for global register dump */
+ 	NULL,				/* y */
+@@ -524,7 +525,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
+                 sysrq_key_table[i] = op_p;
+ }
+ 
+-void __handle_sysrq(int key, bool check_mask)
++void __handle_sysrq(int key, unsigned int from)
+ {
+ 	struct sysrq_key_op *op_p;
+ 	int orig_log_level;
+@@ -544,11 +545,15 @@ void __handle_sysrq(int key, bool check_mask)
+ 
+         op_p = __sysrq_get_key_op(key);
+         if (op_p) {
++		/* Ban synthetic events from some sysrq functionality */
++		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
++		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
++			printk("This sysrq operation is disabled from userspace.\n");
+ 		/*
+ 		 * Should we check for enabled operations (/proc/sysrq-trigger
+ 		 * should not) and is the invoked operation enabled?
+ 		 */
+-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
++		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+ 			pr_cont("%s\n", op_p->action_msg);
+ 			console_loglevel = orig_log_level;
+ 			op_p->handler(key);
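Review bot: The new `SYSRQ_DISABLE_USERSPACE` test only prints "This sysrq operation is disabled from userspace." and then falls through: the handler still runs if the following `sysrq_on_mask()` succeeds, which it does whenever `sysrq_enabled == 1`. It needs an `else`, a `goto` or a `return` after the message, or the ban is cosmetic. Separately, `write_sysrq_trigger()` now passes `SYSRQ_FROM_PROC` instead of the old `false`, so `/proc/sysrq-trigger` becomes subject to the `/proc/sys/kernel/sysrq` bitmask for every key for the first time, while the comment above the condition still says it "should not" be. Either keep the mask bypass for that caller or update the comment and call out the behaviour change in the commit message. Also use `pr_warn()` rather than a bare `printk()`.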
+@@ -580,7 +585,7 @@ void __handle_sysrq(int key, bool check_mask)
+ void handle_sysrq(int key)
+ {
+ 	if (sysrq_on())
+-		__handle_sysrq(key, true);
++		__handle_sysrq(key, SYSRQ_FROM_KERNEL);
+ }
+ EXPORT_SYMBOL(handle_sysrq);
+ 
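Review bot: `handle_sysrq()` used to pass `check_mask = true`; it now passes `SYSRQ_FROM_KERNEL`, which the new condition treats as "skip the enable mask". Serial-console break sequences and the other users of this exported function therefore bypass the `/proc/sys/kernel/sysrq` bitmask and are gated by `sysrq_on()` alone. If that is not intended, pass the same value the keyboard path uses and reserve `SYSRQ_FROM_KERNEL` for the callers that previously passed `false`.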
+@@ -661,7 +666,7 @@ static void sysrq_do_reset(unsigned long _state)
+ static void sysrq_handle_reset_request(struct sysrq_state *state)
+ {
+ 	if (state->reset_requested)
+-		__handle_sysrq(sysrq_xlate[KEY_B], false);
++		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
+ 
+ 	if (sysrq_reset_downtime_ms)
+ 		mod_timer(&state->keyreset_timer,
+@@ -812,8 +817,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
+ 
+ 	default:
+ 		if (sysrq->active && value && value != 2) {
++			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
++					SYSRQ_FROM_SYNTHETIC : 0;
+ 			sysrq->need_reinject = false;
+-			__handle_sysrq(sysrq_xlate[code], true);
++			__handle_sysrq(sysrq_xlate[code], from);
+ 		}
+ 		break;
+ 	}
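Review bot: For a non-synthetic device `from` is set to the literal `0`, which is not one of the `SYSRQ_FROM_*` values defined in sysrq.h, so a reader of `__handle_sysrq()` cannot tell what 0 means. Add a named value for the physical-keyboard case (for example a `SYSRQ_FROM_KEYBOARD` define; the name is a suggestion, not something in the patch) and use it in this ternary.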
+@@ -1097,7 +1104,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
+ 
+ 		if (get_user(c, buf))
+ 			return -EFAULT;
+-		__handle_sysrq(c, false);
++		__handle_sysrq(c, SYSRQ_FROM_PROC);
+ 	}
+ 
+ 	return count;
+diff --git a/include/linux/input.h b/include/linux/input.h
+index a65e3b24fb18..8b0357175049 100644
+--- a/include/linux/input.h
++++ b/include/linux/input.h
+@@ -42,6 +42,7 @@ struct input_value {
+  * @phys: physical path to the device in the system hierarchy
+  * @uniq: unique identification code for the device (if device has it)
+  * @id: id of the device (struct input_id)
++ * @flags: input device flags (SYNTHETIC, etc.)
+  * @propbit: bitmap of device properties and quirks
+  * @evbit: bitmap of types of events supported by the device (EV_KEY,
+  *	EV_REL, etc.)
+@@ -124,6 +125,8 @@ struct input_dev {
+ 	const char *uniq;
+ 	struct input_id id;
+ 
++	unsigned int flags;
++
+ 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
+ 
+ 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
+@@ -190,6 +193,8 @@ struct input_dev {
+ };
+ #define to_input_dev(d) container_of(d, struct input_dev, dev)
+ 
++#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001
++
+ /*
+  * Verify that we are in sync with input_device_id mod_devicetable.h #defines
+  */
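Review bot: `INPUTDEV_FLAGS_SYNTHETIC` is spelled `0x000000001` (nine hex digits) in this hunk; write it as `0x00000001` or `BIT(0)` so the width matches the `unsigned int flags` field it is meant for.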
+diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
+index 387fa7d05c98..f7c52a9ea394 100644
+--- a/include/linux/sysrq.h
++++ b/include/linux/sysrq.h
+@@ -28,6 +28,8 @@
+ #define SYSRQ_ENABLE_BOOT	0x0080
+ #define SYSRQ_ENABLE_RTNICE	0x0100
+ 
++#define SYSRQ_DISABLE_USERSPACE	0x00010000
++
+ struct sysrq_key_op {
+ 	void (*handler)(int);
+ 	char *help_msg;
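Review bot: `SYSRQ_DISABLE_USERSPACE` is placed in the same bit space as the `SYSRQ_ENABLE_*` flags that `sysrq_on_mask()` tests against `sysrq_enabled`. Two consequences: an administrator who writes a value with bit 16 set to `/proc/sys/kernel/sysrq` enables the op outright, and on a bitmask configuration (any value other than 1) the unSB op has no enable bit at all and is unreachable even from a physical keyboard. A "disable from userspace" property belongs in a separate field of `struct sysrq_key_op` or a distinct flags word, not in `enable_mask`.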
+@@ -42,8 +44,12 @@ struct sysrq_key_op {
+  * are available -- else NULL's).
+  */
+ 
++#define SYSRQ_FROM_KERNEL	0x0001
++#define SYSRQ_FROM_PROC		0x0002
++#define SYSRQ_FROM_SYNTHETIC	0x0004
++
+ void handle_sysrq(int key);
+-void __handle_sysrq(int key, bool check_mask);
++void __handle_sysrq(int key, unsigned int from);
+ int register_sysrq_key(int key, struct sysrq_key_op *op);
+ int unregister_sysrq_key(int key, struct sysrq_key_op *op);
+ struct sysrq_key_op *__sysrq_get_key_op(int key);
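Review bot: `SYSRQ_FROM_KERNEL`, `SYSRQ_FROM_PROC` and `SYSRQ_FROM_SYNTHETIC` are defined as distinct bits, yet every use in sysrq.c compares them with `==`, so they behave as an enum rather than a mask. Either declare them as an `enum` or document above `__handle_sysrq()` that `from` carries exactly one source value; the new parameter currently has no comment in this header.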
+diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
+index c8146d53ca67..b480cadf9272 100644
+--- a/kernel/debug/kdb/kdb_main.c
++++ b/kernel/debug/kdb/kdb_main.c
+@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv)
+ 		return KDB_ARGCOUNT;
+ 
+ 	kdb_trap_printk++;
+-	__handle_sysrq(*argv[1], check_mask);
++	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
+ 	kdb_trap_printk--;
+ 
+ 	return 0;
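Review bot: The kdb mapping is inverted: the old call `__handle_sysrq(*argv[1], check_mask)` checked the enable mask when `check_mask` was true, but `check_mask ? SYSRQ_FROM_KERNEL : 0` hands `SYSRQ_FROM_KERNEL` to the new condition, which skips the mask check. It should read `check_mask ? 0 : SYSRQ_FROM_KERNEL` (or use whatever named value the keyboard path uses for the mask-checked case).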
diff --git a/debian/patches/features/all/lockdown/0045-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/debian/patches/features/all/lockdown/0045-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
new file mode 100644
index 0000000..f8843b1
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0045-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
@@ -0,0 +1,36 @@
+From: Matthew Garrett <matthew.garrett at nebula.com>
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [45/62] kexec: Disable at runtime if the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=e7c340d3a52b23631aa5e67cd10eac766042db50
+
+kexec permits the loading and execution of arbitrary code in ring 0, which
+is something that lock-down is meant to prevent. It makes sense to disable
+kexec in this situation.
+
+This does not affect kexec_file_load() which can check for a signature on the
+image to be booted.
+
+Signed-off-by: Matthew Garrett <matthew.garrett at nebula.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ kernel/kexec.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/kernel/kexec.c b/kernel/kexec.c
+index 980936a90ee6..46de8e6b42f4 100644
+--- a/kernel/kexec.c
++++ b/kernel/kexec.c
+@@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+ 		return -EPERM;
+ 
+ 	/*
++	 * kexec can be used to circumvent module loading restrictions, so
++	 * prevent loading in that case
++	 */
++	if (kernel_is_locked_down())
++		return -EPERM;
++
++	/*
+ 	 * Verify we have a legal set of flags
+ 	 * This leaves us room for future extensions.
+ 	 */
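Review bot: The new check rejects every `kexec_load()` call, including `KEXEC_ON_CRASH` loads, so kdump on a locked-down kernel works only through `kexec_file_load()` (`kexec -s`), which patch 47 in this series permits solely when `CONFIG_KEXEC_VERIFY_SIG` is built in. That operational consequence belongs in the commit message, and the in-code comment should give the message's real rationale (arbitrary ring-0 code) rather than only "module loading restrictions".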
diff --git a/debian/patches/features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch b/debian/patches/features/all/lockdown/0046-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
similarity index 61%
rename from debian/patches/features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch
rename to debian/patches/features/all/lockdown/0046-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
index 445aa63..f828c02 100644
--- a/debian/patches/features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch
+++ b/debian/patches/features/all/lockdown/0046-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
@@ -1,28 +1,30 @@
 From: Dave Young <dyoung at redhat.com>
-Date: Tue, 6 Oct 2015 13:31:31 +0100
-Subject: [15/18] kexec/uefi: copy secure_boot flag in boot params across kexec
- reboot
-Origin: https://github.com/mjg59/linux/commit/4b2b64d5a6ebc84214755ebccd599baef7c1b798
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [46/62] Copy secure_boot flag in boot params across kexec reboot
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=c124b113ed50045c2a81ddaab104578e592ebec3
 
 Kexec reboot in case secure boot being enabled does not keep the secure
 boot mode in new kernel, so later one can load unsigned kernel via legacy
 kexec_load.  In this state, the system is missing the protections provided
-by secure boot. Adding a patch to fix this by retain the secure_boot flag
-in original kernel.
+by secure boot.
+
+Adding a patch to fix this by retain the secure_boot flag in original
+kernel.
 
 secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
-stub. Fixing this issue by copying secure_boot flag across kexec reboot.
+stub.  Fixing this issue by copying secure_boot flag across kexec reboot.
 
 Signed-off-by: Dave Young <dyoung at redhat.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
 ---
  arch/x86/kernel/kexec-bzimage64.c | 1 +
  1 file changed, 1 insertion(+)
 
 diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
-index 2af478e3fd4e..61827eeb6881 100644
+index d0a814a9d96a..3551bcaa1eaf 100644
 --- a/arch/x86/kernel/kexec-bzimage64.c
 +++ b/arch/x86/kernel/kexec-bzimage64.c
-@@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
+@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
  	if (efi_enabled(EFI_OLD_MEMMAP))
  		return 0;
  
diff --git a/debian/patches/features/all/lockdown/0047-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/debian/patches/features/all/lockdown/0047-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
new file mode 100644
index 0000000..ce40d06
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0047-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
@@ -0,0 +1,35 @@
+From: "Lee, Chun-Yi" <joeyli.kernel at gmail.com>
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [47/62] kexec_file: Disable at runtime if securelevel has been set
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=74cab6ae2c310633ce0148e58d326ee5a5121a89
+
+When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
+through kexec_file systemcall if securelevel has been set.
+
+This code was showed in Matthew's patch but not in git:
+https://lkml.org/lkml/2015/3/13/778
+
+Cc: Matthew Garrett <mjg59 at srcf.ucam.org>
+Signed-off-by: Lee, Chun-Yi <jlee at suse.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ kernel/kexec_file.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
+index b118735fea9d..f6937eecd1eb 100644
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
+ 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
+ 		return -EPERM;
+ 
++	/* Don't permit images to be loaded into trusted kernels if we're not
++	 * going to verify the signature on them
++	 */
++	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
++		return -EPERM;
++
+ 	/* Make sure we have a legal set of flags */
+ 	if (flags != (flags & KEXEC_FILE_FLAGS))
+ 		return -EINVAL;
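Review bot: The subject and first paragraph still say "securelevel has been set", while the code checks `kernel_is_locked_down()` and the rest of the series (and this Debian patch directory) uses the lockdown name; update the wording so the log matches the mechanism. Style: the comment block starting `/* Don't permit images to be loaded ...` should open with a bare `/*` line per kernel coding style, like the surrounding comments in this file.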
diff --git a/debian/patches/features/all/lockdown/0048-hibernate-Disable-when-the-kernel-is-locked-down.patch b/debian/patches/features/all/lockdown/0048-hibernate-Disable-when-the-kernel-is-locked-down.patch
new file mode 100644
index 0000000..39a715d
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0048-hibernate-Disable-when-the-kernel-is-locked-down.patch
@@ -0,0 +1,29 @@
+From: Josh Boyer <jwboyer at fedoraproject.org>
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [48/62] hibernate: Disable when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=398b27dd51e2c295ec870943a5afb842acf7726b
+
+There is currently no way to verify the resume image when returning
+from hibernate.  This might compromise the signed modules trust model,
+so until we can work with signed hibernate images we disable it when the
+kernel is locked down.
+
+Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ kernel/power/hibernate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index a8b978c35a6a..50cca5dcb62f 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
+ 
+ bool hibernation_available(void)
+ {
+-	return (nohibernate == 0);
++	return nohibernate == 0 && !kernel_is_locked_down();
+ }
+ 
+ /**
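Review bot: `hibernation_available()` is consulted on more than the entry path: it also decides whether "disk" is listed in `/sys/power/state` and, in `software_resume()`, whether an existing image is resumed at all, so a locked-down kernel will also ignore an image written by an earlier, unlocked boot. That is consistent with the commit message's trust argument, but it should be stated explicitly, since "Disable when the kernel is locked down" reads as affecting only entering hibernation.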
diff --git a/debian/patches/features/all/lockdown/0049-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/debian/patches/features/all/lockdown/0049-uswsusp-Disable-when-the-kernel-is-locked-down.patch
new file mode 100644
index 0000000..bb94bd5
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0049-uswsusp-Disable-when-the-kernel-is-locked-down.patch
@@ -0,0 +1,29 @@
+From: Matthew Garrett <mjg59 at srcf.ucam.org>
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [49/62] uswsusp: Disable when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=6c773b2f00bec7cdccc1adf4a1af1afb082b78b8
+
+uswsusp allows a user process to dump and then restore kernel state, which
+makes it possible to modify the running kernel.  Disable this if the kernel
+is locked down.
+
+Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ kernel/power/user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/power/user.c b/kernel/power/user.c
+index 22df9f7ff672..e4b926d329b7 100644
+--- a/kernel/power/user.c
++++ b/kernel/power/user.c
+@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
+ 	if (!hibernation_available())
+ 		return -EPERM;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	lock_system_sleep();
+ 
+ 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
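Review bot: This `kernel_is_locked_down()` test is redundant: `snapshot_open()` already returns `-EPERM` two lines above when `!hibernation_available()`, and patch 48 in this series makes `hibernation_available()` false whenever the kernel is locked down. Either drop this hunk or keep it with a comment explaining why both checks are present.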
diff --git a/debian/patches/features/all/lockdown/0050-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/debian/patches/features/all/lockdown/0050-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
new file mode 100644
index 0000000..2b1d623
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0050-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
@@ -0,0 +1,99 @@
+From: Matthew Garrett <matthew.garrett at nebula.com>
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [50/62] PCI: Lock down BAR access when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=fdfe195b5f8e0693a98f1f37eb1281ea7830dbff
+
+Any hardware that can potentially generate DMA has to be locked down in
+order to avoid it being possible for an attacker to modify kernel code,
+allowing them to circumvent disabled module loading or module signing.
+Default to paranoid - in future we can potentially relax this for
+sufficiently IOMMU-isolated devices.
+
+Signed-off-by: Matthew Garrett <matthew.garrett at nebula.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ drivers/pci/pci-sysfs.c | 9 +++++++++
+ drivers/pci/proc.c      | 8 +++++++-
+ drivers/pci/syscall.c   | 2 +-
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
+index 25d010d449a3..f70b3668036f 100644
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -727,6 +727,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
+ 	loff_t init_off = off;
+ 	u8 *data = (u8 *) buf;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	if (off > dev->cfg_size)
+ 		return 0;
+ 	if (off + count > dev->cfg_size) {
+@@ -1018,6 +1021,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+ 	resource_size_t start, end;
+ 	int i;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	for (i = 0; i < PCI_ROM_RESOURCE; i++)
+ 		if (res == &pdev->resource[i])
+ 			break;
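Review bot: `pci_mmap_resource()` is refused regardless of the requested protection; `vma->vm_flags` is not consulted, so a `PROT_READ` mapping of a BAR is blocked as well. That is defensible, since MMIO reads can have side effects on the device, but the commit message talks only about DMA, so say explicitly that read-only mappings are intentionally refused too.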
+@@ -1117,6 +1123,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
+ 				     struct bin_attribute *attr, char *buf,
+ 				     loff_t off, size_t count)
+ {
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
+ }
+ 
+diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
+index f82710a8694d..139d6f09ae7b 100644
+--- a/drivers/pci/proc.c
++++ b/drivers/pci/proc.c
+@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
+ 	int size = dev->cfg_size;
+ 	int cnt;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	if (pos >= size)
+ 		return 0;
+ 	if (nbytes >= size)
+@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
+ #endif /* HAVE_PCI_MMAP */
+ 	int ret = 0;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	switch (cmd) {
+ 	case PCIIOC_CONTROLLER:
+ 		ret = pci_domain_nr(dev->bus);
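Review bot: Placing the check at the top of `proc_bus_pci_ioctl()` also rejects `PCIIOC_CONTROLLER`, which only returns `pci_domain_nr(dev->bus)` and grants no device access. Move the `kernel_is_locked_down()` test into the remaining `HAVE_PCI_MMAP` cases that alter mapping state, or note in the message that the read-only query is deliberately blocked.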
+@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
+ 	struct pci_filp_private *fpriv = file->private_data;
+ 	int i, ret, write_combine;
+ 
+-	if (!capable(CAP_SYS_RAWIO))
++	if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
+ 		return -EPERM;
+ 
+ 	/* Make sure the caller is mapping a real resource for this device */
+diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
+index 9bf993e1f71e..c09524738ceb 100644
+--- a/drivers/pci/syscall.c
++++ b/drivers/pci/syscall.c
+@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
+ 	u32 dword;
+ 	int err = 0;
+ 
+-	if (!capable(CAP_SYS_ADMIN))
++	if (!capable(CAP_SYS_ADMIN) || kernel_is_locked_down())
+ 		return -EPERM;
+ 
+ 	dev = pci_get_bus_and_slot(bus, dfn);
diff --git a/debian/patches/features/all/lockdown/0051-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/debian/patches/features/all/lockdown/0051-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
new file mode 100644
index 0000000..af41f04
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0051-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
@@ -0,0 +1,55 @@
+From: Matthew Garrett <matthew.garrett at nebula.com>
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [51/62] x86: Lock down IO port access when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=37a19fd0d859cc12f1d6f47085071e35d34a0a41
+
+IO port access would permit users to gain access to PCI configuration
+registers, which in turn (on a lot of hardware) give access to MMIO
+register space. This would potentially permit root to trigger arbitrary
+DMA, so lock it down by default.
+
+This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
+KDDISABIO console ioctls.
+
+Signed-off-by: Matthew Garrett <matthew.garrett at nebula.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ arch/x86/kernel/ioport.c | 4 ++--
+ drivers/char/mem.c       | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
+index 9c3cf0944bce..4a613fed94b6 100644
+--- a/arch/x86/kernel/ioport.c
++++ b/arch/x86/kernel/ioport.c
+@@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
+ 
+ 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+ 		return -EINVAL;
+-	if (turn_on && !capable(CAP_SYS_RAWIO))
++	if (turn_on && (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down()))
+ 		return -EPERM;
+ 
+ 	/*
+@@ -120,7 +120,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
+ 		return -EINVAL;
+ 	/* Trying to gain more privileges? */
+ 	if (level > old) {
+-		if (!capable(CAP_SYS_RAWIO))
++		if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
+ 			return -EPERM;
+ 	}
+ 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index f8144049bda3..9afebb60550f 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -741,6 +741,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
+ 
+ static int open_port(struct inode *inode, struct file *filp)
+ {
++	if (kernel_is_locked_down())
++		return -EPERM;
+ 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
+ }
+ 
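Review bot: `open_port()` now tests `kernel_is_locked_down()` on its own line before the existing `capable()` expression, whereas every other site in this patch and in the PCI patch folds it into the same condition (`!capable(CAP_SYS_RAWIO) || kernel_is_locked_down()`). Use the same form here for consistency: `return (capable(CAP_SYS_RAWIO) && !kernel_is_locked_down()) ? 0 : -EPERM;`.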
diff --git a/debian/patches/features/all/lockdown/0052-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch b/debian/patches/features/all/lockdown/0052-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
new file mode 100644
index 0000000..73ffc78
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0052-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
@@ -0,0 +1,41 @@
+From: Matthew Garrett <matthew.garrett at nebula.com>
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [52/62] x86: Restrict MSR access when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=e20ab2be2f77e6c0da7cd8fe0953a367c5012ecf
+
+Writing to MSRs should not be allowed if the kernel is locked down, since
+it could lead to execution of arbitrary code in kernel mode.  Based on a
+patch by Kees Cook.
+
+Cc: Kees Cook <keescook at chromium.org>
+Signed-off-by: Matthew Garrett <matthew.garrett at nebula.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ arch/x86/kernel/msr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index ef688804f80d..fbcce028e502 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
+ 	int err = 0;
+ 	ssize_t bytes = 0;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	if (count % 8)
+ 		return -EINVAL;	/* Invalid chunk size */
+ 
+@@ -131,6 +134,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
+ 			err = -EBADF;
+ 			break;
+ 		}
++		if (kernel_is_locked_down()) {
++			err = -EPERM;
++			break;
++		}
+ 		if (copy_from_user(&regs, uregs, sizeof regs)) {
+ 			err = -EFAULT;
+ 			break;
diff --git a/debian/patches/features/all/lockdown/0053-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/debian/patches/features/all/lockdown/0053-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
new file mode 100644
index 0000000..2381b24
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0053-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
@@ -0,0 +1,52 @@
+From: Matthew Garrett <matthew.garrett at nebula.com>
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [53/62] asus-wmi: Restrict debugfs interface when the kernel is
+ locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=bfa10bc7193d6309dc8029e18fe7d844f9a3a1c0
+
+We have no way of validating what all of the Asus WMI methods do on a given
+machine - and there's a risk that some will allow hardware state to be
+manipulated in such a way that arbitrary code can be executed in the
+kernel, circumventing module loading restrictions.  Prevent that if the
+kernel is locked down.
+
+Signed-off-by: Matthew Garrett <matthew.garrett at nebula.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ drivers/platform/x86/asus-wmi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
+index 8fe5890bf539..feef25076813 100644
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -1900,6 +1900,9 @@ static int show_dsts(struct seq_file *m, void *data)
+ 	int err;
+ 	u32 retval = -1;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
+ 
+ 	if (err < 0)
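Review bot: `show_dsts()` is a read-only query (`asus_wmi_get_devstate()`), while the commit message justifies the restriction by hardware state being "manipulated"; either explain why the DSTS read needs blocking or leave this hook out and keep the `show_devs()`/`show_call()` ones. Also, returning `-EPERM` from a `seq_file` show callback surfaces as a failed `read()` on an already-open file; refusing in the open path, or not creating the debugfs entries when locked down, would be cleaner.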
+@@ -1916,6 +1919,9 @@ static int show_devs(struct seq_file *m, void *data)
+ 	int err;
+ 	u32 retval = -1;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
+ 				    &retval);
+ 
+@@ -1940,6 +1946,9 @@ static int show_call(struct seq_file *m, void *data)
+ 	union acpi_object *obj;
+ 	acpi_status status;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
+ 				     1, asus->debug.method_id,
+ 				     &input, &output);
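Review bot: the lockdown check is placed inside the three seq_file show callbacks (show_dsts, show_devs, show_call), so the debugfs files still open normally and the refusal only surfaces as -EPERM on read; the commit message should also spell out that show_devs performs a hardware write (asus_wmi_set_devstate on asus->debug.dev_id / ctrl_param) on what is nominally a read, since that is the case that most justifies gating. The three identical checks could collapse into one if the debug entries are simply not created when kernel_is_locked_down() is already true at probe time.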
diff --git a/debian/patches/features/all/lockdown/0054-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/debian/patches/features/all/lockdown/0054-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
new file mode 100644
index 0000000..16f9431
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0054-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
@@ -0,0 +1,30 @@
+From: Matthew Garrett <matthew.garrett at nebula.com>
+Date: Wed, 5 Apr 2017 17:40:30 +0100
+Subject: [54/62] ACPI: Limit access to custom_method when the kernel is locked
+ down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=c333ace27a3115f2b56f25987bdb7ef05f71836c
+
+custom_method effectively allows arbitrary access to system memory, making
+it possible for an attacker to circumvent restrictions on module loading.
+Disable it if the kernel is locked down.
+
+Signed-off-by: Matthew Garrett <matthew.garrett at nebula.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ drivers/acpi/custom_method.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
+index c68e72414a67..e4d721c330c0 100644
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
+ 	struct acpi_table_header table;
+ 	acpi_status status;
+ 
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	if (!(*ppos)) {
+ 		/* parse the table header to get the table length */
+ 		if (count <= sizeof(struct acpi_table_header))
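Review bot: the check is evaluated on every chunk of a multi-part write (cm_write tracks progress through *ppos, as the following `if (!(*ppos))` shows), which is correct, but the caller gets a bare -EPERM; a pr_notice like the one used for the table-override refusal in this series would make it clear to an admin that lockdown, not a malformed AML blob, rejected the write.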
diff --git a/debian/patches/features/all/lockdown/0055-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/debian/patches/features/all/lockdown/0055-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
new file mode 100644
index 0000000..f1b9673
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0055-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
@@ -0,0 +1,29 @@
+From: Josh Boyer <jwboyer at redhat.com>
+Date: Wed, 5 Apr 2017 17:40:31 +0100
+Subject: [55/62] acpi: Ignore acpi_rsdp kernel param when the kernel has been
+ locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=1e915addf2f56a29d84dfc899017a926de9c0264
+
+This option allows userspace to pass the RSDP address to the kernel, which
+makes it possible for a user to circumvent any restrictions imposed on
+loading modules.  Ignore the option when the kernel is locked down.
+
+Signed-off-by: Josh Boyer <jwboyer at redhat.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ drivers/acpi/osl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
+index db78d353bab1..d4d4ba348451 100644
+--- a/drivers/acpi/osl.c
++++ b/drivers/acpi/osl.c
+@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
+ 	acpi_physical_address pa = 0;
+ 
+ #ifdef CONFIG_KEXEC
+-	if (acpi_rsdp)
++	if (acpi_rsdp && !kernel_is_locked_down())
+ 		return acpi_rsdp;
+ #endif
+ 
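Review bot: acpi_rsdp= is now silently dropped in acpi_os_get_root_pointer() when locked down; add a pr_notice (as the table-override check in this series does) so an admin can see why the override was ignored. Since this is an __init function, the commit message should also state that the lock-down state must already be established by the time the root pointer is looked up, otherwise kernel_is_locked_down() is evaluated too early.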
diff --git a/debian/patches/features/all/lockdown/0056-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/debian/patches/features/all/lockdown/0056-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
new file mode 100644
index 0000000..04befdf
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0056-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
@@ -0,0 +1,38 @@
+From: Linn Crosetto <linn at hpe.com>
+Date: Wed, 5 Apr 2017 17:40:31 +0100
+Subject: [56/62] acpi: Disable ACPI table override if the kernel is locked
+ down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=2a3b80bfba52f3f71bbb9b20942fb86ca6f491fe
+
+From the kernel documentation (initrd_table_override.txt):
+
+  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
+  to override nearly any ACPI table provided by the BIOS with an
+  instrumented, modified one.
+
+When securelevel is set, the kernel should disallow any unauthenticated
+changes to kernel space.  ACPI tables contain code invoked by the kernel,
+so do not allow ACPI tables to be overridden if the kernel is locked down.
+
+Signed-off-by: Linn Crosetto <linn at hpe.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ drivers/acpi/tables.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
+index 2604189d6cd1..601096d0d849 100644
+--- a/drivers/acpi/tables.c
++++ b/drivers/acpi/tables.c
+@@ -542,6 +542,11 @@ void __init acpi_table_upgrade(void)
+ 	if (table_nr == 0)
+ 		return;
+ 
++	if (kernel_is_locked_down()) {
++		pr_notice("kernel is locked down, ignoring table override\n");
++		return;
++	}
++
+ 	acpi_tables_addr =
+ 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
+ 				       all_tables_size, PAGE_SIZE);
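Review bot: the description still says "When securelevel is set" in its second paragraph while the subject, the pr_notice text and the code use the lockdown terminology; change it to "When the kernel is locked down" so the patch header matches the code.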
diff --git a/debian/patches/features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.patch b/debian/patches/features/all/lockdown/0057-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
similarity index 59%
rename from debian/patches/features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.patch
rename to debian/patches/features/all/lockdown/0057-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
index 2ae1100..143b310 100644
--- a/debian/patches/features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.patch
+++ b/debian/patches/features/all/lockdown/0057-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
@@ -1,43 +1,39 @@
 From: Linn Crosetto <linn at hpe.com>
-Date: Wed, 16 Mar 2016 14:43:33 -0600
-Subject: [17/18] acpi: Disable APEI error injection if securelevel is set
-Origin: https://github.com/mjg59/linux/commit/d7a6be58edc01b1c66ecd8fcc91236bfbce0a420
+Date: Wed, 5 Apr 2017 17:40:31 +0100
+Subject: [57/62] acpi: Disable APEI error injection if the kernel is locked
+ down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=cc8de994de095fc6b88f92c9a768c806605fba07
 
 ACPI provides an error injection mechanism, EINJ, for debugging and testing
-the ACPI Platform Error Interface (APEI) and other RAS features. If
+the ACPI Platform Error Interface (APEI) and other RAS features.  If
 supported by the firmware, ACPI specification 5.0 and later provide for a
 way to specify a physical memory address to which to inject the error.
 
 Injecting errors through EINJ can produce errors which to the platform are
-indistinguishable from real hardware errors. This can have undesirable
+indistinguishable from real hardware errors.  This can have undesirable
 side-effects, such as causing the platform to mark hardware as needing
 replacement.
 
 While it does not provide a method to load unauthenticated privileged code,
 the effect of these errors may persist across reboots and affect trust in
 the underlying hardware, so disable error injection through EINJ if
-securelevel is set.
+the kernel is locked down.
 
 Signed-off-by: Linn Crosetto <linn at hpe.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
 ---
- drivers/acpi/apei/einj.c | 4 ++++
- 1 file changed, 4 insertions(+)
+ drivers/acpi/apei/einj.c | 3 +++
+ 1 file changed, 3 insertions(+)
 
+diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
+index ec50c32ea3da..e082718d01c2 100644
 --- a/drivers/acpi/apei/einj.c
 +++ b/drivers/acpi/apei/einj.c
-@@ -29,6 +29,7 @@
- #include <linux/nmi.h>
- #include <linux/delay.h>
- #include <linux/mm.h>
-+#include <linux/security.h>
- #include <asm/unaligned.h>
- 
- #include "apei-internal.h"
-@@ -521,6 +522,9 @@ static int einj_error_inject(u32 type, u
+@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
  	int rc;
  	u64 base_addr, size;
  
-+	if (get_securelevel() > 0)
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	/* If user manually set "flags", make sure it is legal */
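Review bot: the rebase removes the `#include <linux/security.h>` hunk (the old @@ -29,6 +29,7 @@ block) but keeps the kernel_is_locked_down() call in einj_error_inject(); please confirm which header declares kernel_is_locked_down() in the lockdown series and that einj.c already includes it, otherwise this no longer builds. The same include removal recurs in the mtd and arm64 rebases below.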
diff --git a/debian/patches/features/all/lockdown/0058-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/debian/patches/features/all/lockdown/0058-bpf-Restrict-kernel-image-access-functions-when-the-.patch
new file mode 100644
index 0000000..8c45b80
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0058-bpf-Restrict-kernel-image-access-functions-when-the-.patch
@@ -0,0 +1,54 @@
+From: "Lee, Chun-Yi" <jlee at suse.com>
+Date: Wed, 5 Apr 2017 17:40:31 +0100
+Subject: [58/62] bpf: Restrict kernel image access functions when the kernel
+ is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=12c6b01166d3a94a49cf78a8bfe37fb280dd7cb6
+
+There are some bpf functions can be used to read kernel memory:
+bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
+private keys in kernel memory (e.g. the hibernation image signing key) to
+be read by an eBPF program.  Prohibit those functions when the kernel is
+locked down.
+
+Signed-off-by: Lee, Chun-Yi <jlee at suse.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ kernel/trace/bpf_trace.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index cee9802cf3e0..7fde851f207b 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
+ {
+ 	int ret;
+ 
++	if (kernel_is_locked_down()) {
++		memset(dst, 0, size);
++		return -EPERM;
++	}
++
+ 	ret = probe_kernel_read(dst, unsafe_ptr, size);
+ 	if (unlikely(ret < 0))
+ 		memset(dst, 0, size);
+@@ -84,6 +89,9 @@ static const struct bpf_func_proto bpf_probe_read_proto = {
+ BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
+ 	   u32, size)
+ {
++	if (kernel_is_locked_down())
++		return -EPERM;
++
+ 	/*
+ 	 * Ensure we're in user context which is safe for the helper to
+ 	 * run. This helper has no business in a kthread.
+@@ -143,6 +151,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
+ 	if (fmt[--fmt_size] != 0)
+ 		return -EINVAL;
+ 
++	if (kernel_is_locked_down())
++		return __trace_printk(1, fmt, 0, 0, 0);
++
+ 	/* check format string for allowed specifiers */
+ 	for (i = 0; i < fmt_size; i++) {
+ 		if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
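Review bot: the lockdown path in bpf_trace_printk (the @@ -143,6 +151,9 @@ hunk) returns before the "check format string for allowed specifiers" loop, so a user-supplied fmt reaches __trace_printk() without that validation, with all three arguments forced to 0; either move the check below the validation loop or return -EPERM as bpf_probe_read and bpf_probe_write_user do, which is also what the commit message ("Prohibit those functions") describes. The commit message also lists bpf_probe_write_user among functions that "read kernel memory"; it writes user memory, so its rationale for being gated should be stated separately.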
diff --git a/debian/patches/features/all/lockdown/0059-scsi-Lock-down-the-eata-driver.patch b/debian/patches/features/all/lockdown/0059-scsi-Lock-down-the-eata-driver.patch
new file mode 100644
index 0000000..19307fd
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0059-scsi-Lock-down-the-eata-driver.patch
@@ -0,0 +1,44 @@
+From: David Howells <dhowells at redhat.com>
+Date: Wed, 5 Apr 2017 17:40:31 +0100
+Subject: [59/62] scsi: Lock down the eata driver
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=e6fc4e593143fbbb8b83c558bb8e6445d9aaa45a
+
+When the kernel is running in secure boot mode, we lock down the kernel to
+prevent userspace from modifying the running kernel image.  Whilst this
+includes prohibiting access to things like /dev/mem, it must also prevent
+access by means of configuring driver modules in such a way as to cause a
+device to access or modify the kernel image.
+
+The eata driver takes a single string parameter that contains a slew of
+settings, including hardware resource configuration.  Prohibit use of the
+parameter if the kernel is locked down.
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+cc: Dario Ballabio <ballabio_dario at emc.com>
+cc: "James E.J. Bottomley" <jejb at linux.vnet.ibm.com>
+cc: "Martin K. Petersen" <martin.petersen at oracle.com>
+cc: linux-scsi at vger.kernel.org
+---
+ drivers/scsi/eata.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
+index 227dd2c2ec2f..5c036d10c18b 100644
+--- a/drivers/scsi/eata.c
++++ b/drivers/scsi/eata.c
+@@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
+ 
+ 	tpnt->proc_name = "eata2x";
+ 
+-	if (strlen(boot_options))
++	if (strlen(boot_options)) {
++		if (kernel_is_locked_down()) {
++			pr_err("Command line-specified device addresses, irqs and dma channels are not permitted when the kernel is locked down\n");
++			return -EPERM;
++		}
+ 		option_setup(boot_options);
++	}
+ 
+ #if defined(MODULE)
+ 	/* io_port could have been modified when loading as a module */
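Review bot: the pr_err text names only "device addresses, irqs and dma channels", but the new branch rejects the entire boot_options string, which the description says carries "a slew of settings"; either reword the message to say all eata= options are refused when locked down, or parse the string and refuse only the hardware-resource settings. Returning -EPERM from eata2x_detect() also means the driver fails to probe at all rather than falling back to defaults, which is worth stating in the commit message.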
diff --git a/debian/patches/features/all/lockdown/0060-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/debian/patches/features/all/lockdown/0060-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
new file mode 100644
index 0000000..41322dd
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0060-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
@@ -0,0 +1,30 @@
+From: David Howells <dhowells at redhat.com>
+Date: Wed, 5 Apr 2017 17:40:31 +0100
+Subject: [60/62] Prohibit PCMCIA CIS storage when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=36b3c01337b2d0e4aa69828186586951b9cf50fa
+
+Prohibit replacement of the PCMCIA Card Information Structure when the
+kernel is locked down.
+
+Suggested-by: Dominik Brodowski <linux at dominikbrodowski.net>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ drivers/pcmcia/cistpl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
+index 55ef7d1fd8da..193e4f7b73b1 100644
+--- a/drivers/pcmcia/cistpl.c
++++ b/drivers/pcmcia/cistpl.c
+@@ -1578,6 +1578,11 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
+ 	struct pcmcia_socket *s;
+ 	int error;
+ 
++	if (kernel_is_locked_down()) {
++		pr_err("Direct CIS storage isn't permitted when the kernel is locked down\n");
++		return -EPERM;
++	}
++
+ 	s = to_socket(container_of(kobj, struct device, kobj));
+ 
+ 	if (off)
diff --git a/debian/patches/features/all/lockdown/0061-Lock-down-TIOCSSERIAL.patch b/debian/patches/features/all/lockdown/0061-Lock-down-TIOCSSERIAL.patch
new file mode 100644
index 0000000..7909c7c
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0061-Lock-down-TIOCSSERIAL.patch
@@ -0,0 +1,33 @@
+From: David Howells <dhowells at redhat.com>
+Date: Wed, 5 Apr 2017 17:40:31 +0100
+Subject: [61/62] Lock down TIOCSSERIAL
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=3f0d5eb601c66451afebe889623bcbafec0e4bb8
+
+Lock down TIOCSSERIAL as that can be used to change the ioport and irq
+settings on a serial port.  This only appears to be an issue for the serial
+drivers that use the core serial code.  All other drivers seem to either
+ignore attempts to change port/irq or give an error.
+
+Reported-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ drivers/tty/serial/serial_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
+index 3fe56894974a..4181b0004de9 100644
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
+ 	new_flags = new_info->flags;
+ 	old_custom_divisor = uport->custom_divisor;
+ 
++	if ((change_port || change_irq) && kernel_is_locked_down()) {
++		pr_err("Using TIOCSSERIAL to change device addresses, irqs and dma channels is not permitted when the kernel is locked down\n");
++		retval = -EPERM;
++		goto exit;
++	}
++
+ 	if (!capable(CAP_SYS_ADMIN)) {
+ 		retval = -EPERM;
+ 		if (change_irq || change_port ||
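Review bot: the new check runs before the existing capable(CAP_SYS_ADMIN) test, so a caller without CAP_SYS_ADMIN who changes port or irq now triggers the lockdown pr_err instead of the quiet -EPERM that the capability branch already returns for change_irq || change_port; moving the lockdown check into the privileged path keeps the log line to requests that would otherwise have succeeded, and pr_err_ratelimited would be safer for an ioctl reachable by unprivileged tty users. The message also mentions "dma channels", but the condition covers only change_port || change_irq.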
diff --git a/debian/patches/features/all/lockdown/0062-Lock-down-module-params-that-specify-hardware-parame.patch b/debian/patches/features/all/lockdown/0062-Lock-down-module-params-that-specify-hardware-parame.patch
new file mode 100644
index 0000000..8b05cf2
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0062-Lock-down-module-params-that-specify-hardware-parame.patch
@@ -0,0 +1,81 @@
+From: David Howells <dhowells at redhat.com>
+Date: Wed, 5 Apr 2017 13:50:07 +0100
+Subject: [62/62] Lock down module params that specify hardware parameters (eg.
+ ioport)
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=0240fa7c7c948b19d57c0163d57e55296277ff3c
+
+Provided an annotation for module parameters that specify hardware
+parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
+dma buffers and other types).
+
+Suggested-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+ kernel/params.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/params.c b/kernel/params.c
+index a6d6149c0fe6..04185c5aa929 100644
+--- a/kernel/params.c
++++ b/kernel/params.c
+@@ -108,13 +108,20 @@ bool parameq(const char *a, const char *b)
+ 	return parameqn(a, b, strlen(a)+1);
+ }
+ 
+-static void param_check_unsafe(const struct kernel_param *kp)
++static bool param_check_unsafe(const struct kernel_param *kp,
++			       const char *doing)
+ {
+ 	if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
+ 		pr_warn("Setting dangerous option %s - tainting kernel\n",
+ 			kp->name);
+ 		add_taint(TAINT_USER, LOCKDEP_STILL_OK);
+ 	}
++
++	if (kp->flags & KERNEL_PARAM_FL_HWPARAM && kernel_is_locked_down()) {
++		pr_err("Command line-specified device addresses, irqs and dma channels are not permitted when the kernel is locked down (%s.%s)\n", doing, kp->name);
++		return false;
++	}
++	return true;
+ }
+ 
+ static int parse_one(char *param,
+@@ -144,8 +151,10 @@ static int parse_one(char *param,
+ 			pr_debug("handling %s with %p\n", param,
+ 				params[i].ops->set);
+ 			kernel_param_lock(params[i].mod);
+-			param_check_unsafe(&params[i]);
+-			err = params[i].ops->set(val, &params[i]);
++			if (param_check_unsafe(&params[i], doing))
++				err = params[i].ops->set(val, &params[i]);
++			else
++				err = -EPERM;
+ 			kernel_param_unlock(params[i].mod);
+ 			return err;
+ 		}
+@@ -608,6 +617,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr,
+ 	return count;
+ }
+ 
++#ifdef CONFIG_MODULES
++#define mod_name(mod) (mod)->name
++#else
++#define mod_name(mod) "unknown"
++#endif
++
+ /* sysfs always hands a nul-terminated string in buf.  We rely on that. */
+ static ssize_t param_attr_store(struct module_attribute *mattr,
+ 				struct module_kobject *mk,
+@@ -620,8 +635,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
+ 		return -EPERM;
+ 
+ 	kernel_param_lock(mk->mod);
+-	param_check_unsafe(attribute->param);
+-	err = attribute->param->ops->set(buf, attribute->param);
++	if (param_check_unsafe(attribute->param, mod_name(mk->mod)))
++		err = attribute->param->ops->set(buf, attribute->param);
++	else
++		err = -EPERM;
+ 	kernel_param_unlock(mk->mod);
+ 	if (!err)
+ 		return len;
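Review bot: in param_check_unsafe() the KERNEL_PARAM_FL_HWPARAM rejection is evaluated after the KERNEL_PARAM_FL_UNSAFE branch, so a parameter carrying both flags taints the kernel via add_taint() and is then refused with -EPERM; test the lockdown condition first so a change that never takes effect does not taint. The condition `kp->flags & KERNEL_PARAM_FL_HWPARAM && kernel_is_locked_down()` is correct under C precedence but reads better parenthesised, matching the `if (kp->flags & KERNEL_PARAM_FL_UNSAFE)` line above it. Also, the diffstat lists only kernel/params.c, so KERNEL_PARAM_FL_HWPARAM and the annotation the description refers to ("Provided an annotation") must be defined elsewhere; the description should say where the flag lives and how drivers apply it.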
diff --git a/debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
similarity index 68%
rename from debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch
rename to debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
index 10812f2..14eb621 100644
--- a/debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch
+++ b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
@@ -1,8 +1,8 @@
 From: Linn Crosetto <linn at hpe.com>
 Date: Tue, 30 Aug 2016 11:54:38 -0600
-Subject: arm64: add kernel config option to set securelevel when in Secure Boot mode
+Subject: arm64: add kernel config option to lock down when in Secure Boot mode
 
-Add a kernel configuration option to enable securelevel, to restrict
+Add a kernel configuration option to lock down the kernel, to restrict
 userspace's ability to modify the running kernel when UEFI Secure Boot is
 enabled. Based on the x86 patch by Matthew Garrett.
 
@@ -12,13 +12,10 @@ kernel using the FDT.
 Signed-off-by: Linn Crosetto <linn at hpe.com>
 [bwh: Forward-ported to 4.10: adjust context]
 [Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
-[bwh: Forward-ported to 4.11: convert result of efi_get_secureboot() to a
- boolean]
+[bwh: Forward-ported to 4.11 and lockdown patch set:
+ - Convert result of efi_get_secureboot() to a boolean
+ - Use lockdown API and naming]
 ---
-v2:
-
- - Add cpu_to_fdt32() when setting Secure Boot flag in FDT (Ben Hutchings)
-
  arch/arm64/Kconfig                      | 13 +++++++++++++
  drivers/firmware/efi/arm-init.c         |  7 +++++++
  drivers/firmware/efi/efi.c              |  3 ++-
@@ -30,44 +27,34 @@ v2:
 
 --- a/arch/arm64/Kconfig
 +++ b/arch/arm64/Kconfig
-@@ -1033,6 +1033,19 @@ config EFI
+@@ -1033,6 +1033,18 @@ config EFI
  	  allow the kernel to be booted as an EFI application. This
  	  is only useful on systems that have UEFI firmware.
  
-+config EFI_SECURE_BOOT_SECURELEVEL
++config EFI_SECURE_BOOT_LOCK_DOWN
 +	def_bool n
-+	depends on SECURITY_SECURELEVEL
 +	depends on EFI
-+	prompt "Automatically set securelevel when UEFI Secure Boot is enabled"
++	prompt "Lock down the kernel when UEFI Secure Boot is enabled"
 +	---help---
-+	  UEFI Secure Boot provides a mechanism for ensuring that the
-+	  firmware will only load signed bootloaders and kernels. Certain
-+	  use cases may also require that the kernel restrict any userspace
-+	  mechanism that could insert untrusted code into the kernel.
-+	  Say Y here to automatically enable securelevel enforcement
-+	  when a system boots with UEFI Secure Boot enabled.
++	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
++	  will only load signed bootloaders and kernels.  Certain use cases may
++	  also require that all kernel modules also be signed and that
++	  userspace is prevented from directly changing the running kernel
++	  image.  Say Y here to automatically lock down the kernel when a
++	  system boots with UEFI Secure Boot enabled.
 +
  config DMI
  	bool "Enable support for SMBIOS (DMI) tables"
  	depends on EFI
 --- a/drivers/firmware/efi/arm-init.c
 +++ b/drivers/firmware/efi/arm-init.c
-@@ -21,6 +21,7 @@
- #include <linux/of_fdt.h>
- #include <linux/platform_device.h>
- #include <linux/screen_info.h>
-+#include <linux/security.h>
- 
- #include <asm/efi.h>
- 
-@@ -244,6 +245,12 @@ void __init efi_init(void)
+@@ -244,6 +245,11 @@ void __init efi_init(void)
  	     "Unexpected EFI_MEMORY_DESCRIPTOR version %ld",
  	      efi.memmap.desc_version);
  
-+#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
-+	if (params.secure_boot > 0) {
-+		set_securelevel(1);
-+	}
++#ifdef CONFIG_EFI_SECURE_BOOT_LOCK_DOWN
++	if (params.secure_boot > 0)
++		lock_kernel_down();
 +#endif
 +
  	if (uefi_init() < 0) {
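Review bot: the `depends on SECURITY_SECURELEVEL` line is dropped from EFI_SECURE_BOOT_LOCK_DOWN without a replacement, yet arm-init.c now calls lock_kernel_down() under #ifdef CONFIG_EFI_SECURE_BOOT_LOCK_DOWN; unless that function is available unconditionally, the option needs a `depends on` (or `select`) for whichever Kconfig symbol the lockdown series uses for the lock-down implementation. The `#include <linux/security.h>` hunk in arm-init.c is also removed, so confirm that the header declaring lock_kernel_down() is already included there.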
diff --git a/debian/patches/features/all/securelevel/enable-cold-boot-attack-mitigation.patch b/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch
similarity index 80%
rename from debian/patches/features/all/securelevel/enable-cold-boot-attack-mitigation.patch
rename to debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch
index d023f0e..2b08995 100644
--- a/debian/patches/features/all/securelevel/enable-cold-boot-attack-mitigation.patch
+++ b/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch
@@ -8,11 +8,9 @@ Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c13
  arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++
  1 file changed, 22 insertions(+)
 
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 28c24d80d0a0..b0413ba639af 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
-@@ -1051,6 +1051,22 @@ void setup_graphics(struct boot_params *boot_params)
+@@ -604,6 +604,22 @@ void setup_graphics(struct boot_params *
  	}
  }
  
@@ -35,16 +33,16 @@ index 28c24d80d0a0..b0413ba639af 100644
  /*
   * Because the x86 boot code expects to be passed a boot_params we
   * need to create one ourselves (usually the bootloader would create
-@@ -1482,6 +1498,12 @@ struct boot_params *efi_main(struct efi_config *c,
- 	else
+@@ -989,6 +1005,12 @@ struct boot_params *efi_main(struct efi_
  		setup_boot_services32(efi_early);
  
-+	/*
+ 	/*
 +	 * Ask the firmware to clear memory if we don't have a clean
 +	 * shutdown
 +	 */
 +	enable_reset_attack_mitigation();
 +
- 	sanitize_boot_params(boot_params);
- 
- 	/*
++	/*
+ 	 * If the boot loader gave us a value for secure_boot then we use that,
+ 	 * otherwise we ask the BIOS.
+ 	 */
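Review bot: the nested hunk headers move from @@ -1051 / @@ -1482 to @@ -604 / @@ -989, i.e. the patch was regenerated against a different eboot.c, and enable_reset_attack_mitigation() now lands just ahead of the "If the boot loader gave us a value for secure_boot" comment instead of before sanitize_boot_params(); the Origin line still points at the original mjg59 commit, so add a "[bwh: Forward-ported ...]" line, as the arm64 patch in this commit carries, to record the rebase and the new insertion point.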
diff --git a/debian/patches/features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch b/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
similarity index 58%
rename from debian/patches/features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch
rename to debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
index b8b2e33..7ea97e5 100644
--- a/debian/patches/features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch
+++ b/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
@@ -1,30 +1,22 @@
 From: Ben Hutchings <ben at decadent.org.uk>
 Date: Fri, 03 Jun 2016 00:48:39 +0100
-Subject: mtd: Disable slram and phram when securelevel is enabled
+Subject: mtd: Disable slram and phram when locked down
 
 The slram and phram drivers both allow mapping regions of physical
 address space such that they can then be read and written by userland
 through the MTD interface.  This is probably usable to manipulate
 hardware into overwriting kernel code on many systems.  Prevent that
-if securelevel is set.
+if locked down.
 
 Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
 ---
 --- a/drivers/mtd/devices/phram.c
 +++ b/drivers/mtd/devices/phram.c
-@@ -25,6 +25,7 @@
- #include <linux/moduleparam.h>
- #include <linux/slab.h>
- #include <linux/mtd/mtd.h>
-+#include <linux/security.h>
- 
- struct phram_mtd_list {
- 	struct mtd_info mtd;
-@@ -226,6 +227,9 @@ static int phram_setup(const char *val)
+@@ -226,6 +226,9 @@ static int phram_setup(const char *val)
  	uint64_t len;
  	int i, ret;
  
-+	if (get_securelevel() > 0)
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	if (strnlen(val, sizeof(buf)) >= sizeof(buf))
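Review bot: the description's last sentence now reads "Prevent that if locked down." with no subject; make it "if the kernel is locked down" to match the wording used by the other patches in this series.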
@@ -32,19 +24,11 @@ Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
  
 --- a/drivers/mtd/devices/slram.c
 +++ b/drivers/mtd/devices/slram.c
-@@ -42,6 +42,7 @@
- #include <linux/ioctl.h>
- #include <linux/init.h>
- #include <linux/io.h>
-+#include <linux/security.h>
- 
- #include <linux/mtd/mtd.h>
- 
-@@ -230,6 +231,9 @@ static int parse_cmdline(char *devname,
+@@ -230,6 +230,9 @@ static int parse_cmdline(char *devname,
  	unsigned long devstart;
  	unsigned long devlength;
  
-+	if (get_securelevel() > 0)
++	if (kernel_is_locked_down())
 +		return -EPERM;
 +
  	if ((!devname) || (!szstart) || (!szlength)) {
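Review bot: parse_cmdline() (and phram_setup() above) return a bare -EPERM with no message when locked down, so a refused slram= or phram= setup is indistinguishable from an ordinary parse error; a pr_err like the ones in the eata and PCMCIA lockdown patches would tell the user why the device was not created.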
diff --git a/debian/patches/features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch b/debian/patches/features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch
deleted file mode 100644
index b936100..0000000
--- a/debian/patches/features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From: Linn Crosetto <linn at hpe.com>
-Date: Fri, 4 Mar 2016 16:08:24 -0700
-Subject: [16/18] acpi: Disable ACPI table override if securelevel is set
-Origin: https://github.com/mjg59/linux/commit/a4a5ed2835e8ea042868b7401dced3f517cafa76
-
-From the kernel documentation (initrd_table_override.txt):
-
-  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
-  to override nearly any ACPI table provided by the BIOS with an
-  instrumented, modified one.
-
-When securelevel is set, the kernel should disallow any unauthenticated
-changes to kernel space. ACPI tables contain code invoked by the kernel, so
-do not allow ACPI tables to be overridden if securelevel is set.
-
-Signed-off-by: Linn Crosetto <linn at hpe.com>
-[bwh: Forward-ported to 4.7: ACPI override code moved to drivers/acpi/tables.c]
-[bwh: Forward-ported to 4.9: adjust context]
-[Lukas Wunner: Forward-ported to 4.11: secure_boot field is now quad-state]
----
- arch/x86/kernel/setup.c | 12 ++++++------
- drivers/acpi/tables.c   |  6 ++++++
- 2 files changed, 12 insertions(+), 6 deletions(-)
-
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -1153,6 +1153,12 @@ void __init setup_arch(char **cmdline_p)
- 		}
- 	}
- 
-+#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
-+	if (boot_params.secure_boot == efi_secureboot_mode_enabled) {
-+		set_securelevel(1);
-+	}
-+#endif
-+
- 	reserve_initrd();
- 
- 	acpi_table_upgrade();
-@@ -1161,12 +1167,6 @@ void __init setup_arch(char **cmdline_p)
- 
- 	io_delay_init();
- 
--#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
--	if (boot_params.secure_boot == efi_secureboot_mode_enabled) {
--		set_securelevel(1);
--	}
--#endif
--
- 	/*
- 	 * Parse the ACPI tables for possible boot-time SMP configuration.
- 	 */
---- a/drivers/acpi/tables.c
-+++ b/drivers/acpi/tables.c
-@@ -35,6 +35,7 @@
- #include <linux/earlycpio.h>
- #include <linux/memblock.h>
- #include <linux/initrd.h>
-+#include <linux/security.h>
- #include "internal.h"
- 
- #ifdef CONFIG_ACPI_CUSTOM_DSDT
-@@ -545,6 +546,12 @@ void __init acpi_table_upgrade(void)
- 	if (table_nr == 0)
- 		return;
- 
-+	if (get_securelevel() > 0) {
-+		pr_notice(PREFIX
-+			"securelevel enabled, ignoring table override\n");
-+		return;
-+	}
-+
- 	acpi_tables_addr =
- 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
- 				       all_tables_size, PAGE_SIZE);
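Review bot: the deleted securelevel version also carried an arch/x86/kernel/setup.c hunk that moved set_securelevel(1) ahead of reserve_initrd() and acpi_table_upgrade() so the check inside acpi_table_upgrade() would observe the locked-down state; the replacement patch 0056 touches only drivers/acpi/tables.c, so confirm that the lockdown series locks the kernel down before acpi_table_upgrade() runs on x86, otherwise the new kernel_is_locked_down() check is evaluated too early and the table override is still honoured.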
diff --git a/debian/patches/features/all/securelevel/acpi-ignore-acpi_rsdp-kernel-parameter-when-securele.patch b/debian/patches/features/all/securelevel/acpi-ignore-acpi_rsdp-kernel-parameter-when-securele.patch
deleted file mode 100644
index 728f7b2..0000000
--- a/debian/patches/features/all/securelevel/acpi-ignore-acpi_rsdp-kernel-parameter-when-securele.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Josh Boyer <jwboyer at redhat.com>
-Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [07/18] acpi: Ignore acpi_rsdp kernel parameter when securelevel is
- set
-Origin: https://github.com/mjg59/linux/commit/9524fadac774fbe85e2ac6abe7b957b1750c7e36
-
-This option allows userspace to pass the RSDP address to the kernel, which
-makes it possible for a user to execute arbitrary code in the kernel.
-Disable this when securelevel is set.
-
-Signed-off-by: Josh Boyer <jwboyer at redhat.com>
----
- drivers/acpi/osl.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/drivers/acpi/osl.c
-+++ b/drivers/acpi/osl.c
-@@ -40,6 +40,7 @@
- #include <linux/list.h>
- #include <linux/jiffies.h>
- #include <linux/semaphore.h>
-+#include <linux/security.h>
- 
- #include <asm/io.h>
- #include <linux/uaccess.h>
-@@ -192,7 +193,7 @@ acpi_physical_address __init acpi_os_get
- 	acpi_physical_address pa = 0;
- 
- #ifdef CONFIG_KEXEC
--	if (acpi_rsdp)
-+	if (acpi_rsdp && (get_securelevel() <= 0))
- 		return acpi_rsdp;
- #endif
- 
diff --git a/debian/patches/features/all/securelevel/acpi-limit-access-to-custom_method-if-securelevel-is.patch b/debian/patches/features/all/securelevel/acpi-limit-access-to-custom_method-if-securelevel-is.patch
deleted file mode 100644
index 97c0b1b..0000000
--- a/debian/patches/features/all/securelevel/acpi-limit-access-to-custom_method-if-securelevel-is.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Matthew Garrett <mjg59 at srcf.ucam.org>
-Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [06/18] acpi: Limit access to custom_method if securelevel is set
-Origin: https://github.com/mjg59/linux/commit/3cdc48db6b6d1b3cc1412d428389889f74cafe83
-
-custom_method effectively allows arbitrary access to system memory, making
-it possible for an attacker to modify the kernel at runtime. Prevent this
-if securelevel has been set.
-
-Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
----
- drivers/acpi/custom_method.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index c68e72414a67..359f45d54543 100644
---- a/drivers/acpi/custom_method.c
-+++ b/drivers/acpi/custom_method.c
-@@ -8,6 +8,7 @@
- #include <linux/uaccess.h>
- #include <linux/debugfs.h>
- #include <linux/acpi.h>
-+#include <linux/security.h>
- 
- #include "internal.h"
- 
-@@ -29,6 +30,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
- 	struct acpi_table_header table;
- 	acpi_status status;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	if (!(*ppos)) {
- 		/* parse the table header to get the table length */
- 		if (count <= sizeof(struct acpi_table_header))
diff --git a/debian/patches/features/all/securelevel/add-bsd-style-securelevel-support.patch b/debian/patches/features/all/securelevel/add-bsd-style-securelevel-support.patch
deleted file mode 100644
index 15e636c..0000000
--- a/debian/patches/features/all/securelevel/add-bsd-style-securelevel-support.patch
+++ /dev/null
@@ -1,208 +0,0 @@
-From: Matthew Garrett <mjg59 at srcf.ucam.org>
-Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [01/18] Add BSD-style securelevel support
-Origin: https://github.com/mjg59/linux/commit/058b8ddfe86dc90268f6dbe0ffed29ec46f1fafa
-
-Provide a coarse-grained runtime configuration option for restricting
-userspace's ability to modify the running kernel.
-
-Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
----
- Documentation/security/securelevel.txt |  23 +++++++
- include/linux/security.h               |   8 +++
- security/Kconfig                       |   8 +++
- security/Makefile                      |   1 +
- security/securelevel.c                 | 116 +++++++++++++++++++++++++++++++++
- 5 files changed, 156 insertions(+)
- create mode 100644 Documentation/security/securelevel.txt
- create mode 100644 security/securelevel.c
-
---- /dev/null
-+++ b/Documentation/security/securelevel.txt
-@@ -0,0 +1,23 @@
-+Linux securelevel interface
-+---------------------------
-+
-+The Linux securelevel interface (inspired by the BSD securelevel interface)
-+is a runtime mechanism for configuring coarse-grained kernel-level security
-+restrictions. It provides a runtime configuration variable at
-+/sys/kernel/security/securelevel which can be written to by root. The
-+following values are supported:
-+
-+-1: Permanently insecure mode. This level is equivalent to level 0, but once
-+    set cannot be changed.
-+
-+0:  Insecure mode (default). This level imposes no additional kernel
-+    restrictions.
-+
-+1:  Secure mode. If set, userspace will be unable to perform direct access
-+    to PCI devices, port IO access, access system memory directly via
-+    /dev/mem and /dev/kmem, perform kexec_load(), use the userspace
-+    software suspend mechanism, insert new ACPI code at runtime via the
-+    custom_method interface or modify CPU MSRs (on x86). Certain drivers
-+    may also limit additional interfaces.
-+
-+Once the securelevel value is increased, it may not be decreased.
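Review bot: the level-1 description is incomplete relative to the rest of this set. It does not mention that unsigned modules are refused (02/18), that hibernation is disabled outright (14/18), or that the acpi_rsdp parameter and initrd ACPI table overrides are ignored (07/18 and the table-override patch). Since this file is the user-facing contract for what "secure mode" means, it should list every restriction the level imposes, or explicitly say the list is not exhaustive.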
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -1589,6 +1589,14 @@ static inline void security_audit_rule_f
- #endif /* CONFIG_SECURITY */
- #endif /* CONFIG_AUDIT */
- 
-+#ifdef CONFIG_SECURITY_SECURELEVEL
-+extern int get_securelevel(void);
-+extern int set_securelevel(int new_securelevel);
-+#else
-+static inline int get_securelevel(void) { return 0; }
-+static inline int set_securelevel(int new_securelevel) { return 0; }
-+#endif /* CONFIG_SECURELEVEL */
-+
- #ifdef CONFIG_SECURITYFS
- 
- extern struct dentry *securityfs_create_file(const char *name, umode_t mode,
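Review bot: the closing comment `#endif /* CONFIG_SECURELEVEL */` does not match the guard it closes, `#ifdef CONFIG_SECURITY_SECURELEVEL`; make them agree so grepping for the symbol finds both ends.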
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -93,6 +93,14 @@ config SECURITY_PATH
- 	  implement pathname based access controls.
- 	  If you are unsure how to answer this question, answer N.
- 
-+config SECURITY_SECURELEVEL
-+        bool "Securelevel kernel restriction interface"
-+	depends on SECURITY
-+	help
-+	  This enables support for adding a set of additional kernel security
-+	  restrictions at runtime. See Documentation/security/securelevel.txt
-+	  for further information.
-+
- config INTEL_TXT
- 	bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
- 	depends on HAVE_INTEL_TXT
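Review bot: the `bool "Securelevel kernel restriction interface"` line is indented with spaces while the `depends on` and `help` lines beneath it use a tab. Kconfig tolerates the mix, but the rest of security/Kconfig uses tabs, so this will stand out in checkpatch.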
---- a/security/Makefile
-+++ b/security/Makefile
-@@ -16,6 +16,7 @@ obj-$(CONFIG_MMU)			+= min_addr.o
- # Object file lists
- obj-$(CONFIG_SECURITY)			+= security.o
- obj-$(CONFIG_SECURITYFS)		+= inode.o
-+obj-$(CONFIG_SECURITY_SECURELEVEL)	+= securelevel.o
- obj-$(CONFIG_SECURITY_SELINUX)		+= selinux/
- obj-$(CONFIG_SECURITY_SMACK)		+= smack/
- obj-$(CONFIG_AUDIT)			+= lsm_audit.o
---- /dev/null
-+++ b/security/securelevel.c
-@@ -0,0 +1,116 @@
-+/*
-+ *  securelevel.c - support for generic kernel lockdown
-+ *
-+ *  Copyright Nebula, Inc <mjg59 at srcf.ucam.org>
-+ *
-+ *  This program is free software; you can redistribute it and/or modify
-+ *  it under the terms of the GNU General Public License version 2 as
-+ *  published by the Free Software Foundation.
-+ *
-+ */
-+
-+#include <linux/fs.h>
-+#include <linux/init.h>
-+#include <linux/security.h>
-+#include <linux/uaccess.h>
-+
-+static int securelevel;
-+
-+static DEFINE_SPINLOCK(securelevel_lock);
-+
-+#define MAX_SECURELEVEL 1
-+
-+int get_securelevel(void)
-+{
-+	return securelevel;
-+}
-+EXPORT_SYMBOL(get_securelevel);
-+
-+int set_securelevel(int new_securelevel)
-+{
-+	int ret = 0;
-+
-+	spin_lock(&securelevel_lock);
-+
-+	if ((securelevel == -1) || (new_securelevel < securelevel) ||
-+	    (new_securelevel > MAX_SECURELEVEL)) {
-+		ret = -EINVAL;
-+		goto out;
-+	}
-+
-+	securelevel = new_securelevel;
-+out:
-+	spin_unlock(&securelevel_lock);
-+	return ret;
-+}
-+EXPORT_SYMBOL(set_securelevel);
-+
-+static ssize_t securelevel_read(struct file *filp, char __user *buf,
-+				size_t count, loff_t *ppos)
-+{
-+	char tmpbuf[12];
-+	ssize_t length;
-+
-+	length = scnprintf(tmpbuf, sizeof(tmpbuf), "%d", securelevel);
-+	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
-+}
-+
-+static ssize_t securelevel_write(struct file *file, const char __user *buf,
-+				 size_t count, loff_t *ppos)
-+{
-+	char *page = NULL;
-+	ssize_t length;
-+	int new_securelevel;
-+
-+	length = -ENOMEM;
-+	if (count >= PAGE_SIZE)
-+		goto out;
-+
-+	length = -EINVAL;
-+	if (*ppos != 0)
-+		goto out;
-+
-+	length = -ENOMEM;
-+	page = (char *)get_zeroed_page(GFP_KERNEL);
-+	if (!page)
-+		goto out;
-+
-+	length = -EFAULT;
-+	if (copy_from_user(page, buf, count))
-+		goto out;
-+
-+	length = -EINVAL;
-+	if (sscanf(page, "%d", &new_securelevel) != 1)
-+		goto out;
-+
-+	length = set_securelevel(new_securelevel);
-+	if (length)
-+		goto out;
-+
-+	length = count;
-+out:
-+	free_page((unsigned long) page);
-+	return length;
-+}
-+
-+static const struct file_operations securelevel_fops = {
-+	.read 	= securelevel_read,
-+	.write 	= securelevel_write,
-+	.llseek	= generic_file_llseek,
-+};
-+
-+static __init int setup_securelevel(void)
-+{
-+	struct dentry *securelevel_file;
-+
-+	securelevel_file = securityfs_create_file("securelevel",
-+						  S_IWUSR | S_IRUGO,
-+						  NULL, NULL,
-+						  &securelevel_fops);
-+
-+	if (IS_ERR(securelevel_file))
-+		return PTR_ERR(securelevel_file);
-+
-+	return 0;
-+}
-+late_initcall(setup_securelevel);
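Review bot: set_securelevel() can never reach the documented -1 ("permanently insecure") state. With the default securelevel of 0, a write of -1 fails the `new_securelevel < securelevel` test and returns -EINVAL, which also leaves the `securelevel == -1` guard unreachable. If -1 is meant to be supported, special-case it, e.g. allow `new_securelevel == -1` only while `securelevel == 0`, and add a test that writes -1 then 1 and expects the second write to fail. Separately, securelevel_write() relies entirely on the `S_IWUSR | S_IRUGO` file mode and performs no capable() check, so any process that can open the node for writing (CAP_DAC_OVERRIDE suffices) can raise the level; a `capable(CAP_SYS_ADMIN)` check at the top of the handler is the usual belt and braces for a securityfs control file.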
diff --git a/debian/patches/features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch b/debian/patches/features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch
deleted file mode 100644
index bdd2455..0000000
--- a/debian/patches/features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From: Matthew Garrett <mjg59 at srcf.ucam.org>
-Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [12/18] Add option to automatically set securelevel when in Secure
- Boot mode
-Origin: https://github.com/mjg59/linux/commit/e324de2d053295670f3ba8ef67289835d663aae5
-
-UEFI Secure Boot provides a mechanism for ensuring that the firmware will
-only load signed bootloaders and kernels. Certain use cases may also
-require that the kernel prevent userspace from inserting untrusted kernel
-code at runtime. Add a configuration option that enforces this automatically
-when enabled.
-
-Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
-[Lukas Wunner: Forward-ported to 4.11:
- - Drop parts applied upstream
- - secure_boot field is now quad-state]
----
- arch/x86/Kconfig                      | 13 +++++++++++++
- arch/x86/kernel/setup.c               |  7 +++++++
- 5 files changed, 60 insertions(+), 1 deletion(-)
-
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -1754,6 +1754,19 @@ config EFI_MIXED
- 
- 	   If unsure, say N.
- 
-+config EFI_SECURE_BOOT_SECURELEVEL
-+        def_bool n
-+	depends on SECURITY_SECURELEVEL
-+	depends on EFI
-+	prompt "Automatically set securelevel when UEFI Secure Boot is enabled"
-+	---help---
-+	  UEFI Secure Boot provides a mechanism for ensuring that the
-+	  firmware will only load signed bootloaders and kernels. Certain
-+	  use cases may also require that the kernel restrict any userspace
-+	  mechanism that could insert untrusted code into the kernel.
-+	  Say Y here to automatically enable securelevel enforcement
-+	  when a system boots with UEFI Secure Boot enabled.
-+
- config SECCOMP
- 	def_bool y
- 	prompt "Enable seccomp to safely compute untrusted bytecode"
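Review bot: the diffstat above (`5 files changed, 60 insertions(+), 1 deletion(-)`) is stale: only arch/x86/Kconfig and arch/x86/kernel/setup.c are listed, yet the patch also touches arch/x86/boot/compressed/eboot.c, and the totals do not match the three hunks that follow. Regenerate it after the forward-port. Minor: `def_bool n` is space-indented while the rest of the entry uses tabs.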
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -12,6 +12,7 @@
- #include <asm/efi.h>
- #include <asm/setup.h>
- #include <asm/desc.h>
-+#include <asm/bootparam_utils.h>
- 
- #include "../string.h"
- #include "eboot.h"
-@@ -1432,6 +1464,8 @@ struct boot_params *efi_main(struct efi_
- 	else
- 		setup_boot_services32(efi_early);
- 
-+	sanitize_boot_params(boot_params);
-+
- 	/*
- 	 * If the boot loader gave us a value for secure_boot then we use that,
- 	 * otherwise we ask the BIOS.
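Review bot: the added sanitize_boot_params() call is not explained anywhere, and the hunk header (`-1432,6 +1464,8`) shows it was lifted out of a larger change. Since the code immediately below reads secure_boot from boot_params, a one-line comment stating that it clears bootloader-uninitialised fields before that value is trusted would make the intent clear; as it stands it reads like an unrelated change that crept in during the rebase.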
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -50,6 +50,7 @@
- #include <linux/init_ohci1394_dma.h>
- #include <linux/kvm_para.h>
- #include <linux/dma-contiguous.h>
-+#include <linux/security.h>
- 
- #include <linux/errno.h>
- #include <linux/kernel.h>
-@@ -1145,6 +1146,12 @@ void __init setup_arch(char **cmdline_p)
- 
- 	io_delay_init();
- 
-+#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
-+	if (boot_params.secure_boot == efi_secureboot_mode_enabled) {
-+		set_securelevel(1);
-+	}
-+#endif
-+
- 	/*
- 	 * Parse the ACPI tables for possible boot-time SMP configuration.
- 	 */
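Review bot: the return value of set_securelevel(1) is discarded. It cannot fail today (0 to 1 is within MAX_SECURELEVEL and nothing runs earlier), but if it ever did, a Secure Boot system would come up unlocked with no message; wrapping it in WARN_ON() or logging on failure costs nothing. Also, kernel style omits the braces around a single-statement if body.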
diff --git a/debian/patches/features/all/securelevel/asus-wmi-restrict-debugfs-interface-when-securelevel.patch b/debian/patches/features/all/securelevel/asus-wmi-restrict-debugfs-interface-when-securelevel.patch
deleted file mode 100644
index 08afb52..0000000
--- a/debian/patches/features/all/securelevel/asus-wmi-restrict-debugfs-interface-when-securelevel.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From: Matthew Garrett <mjg59 at srcf.ucam.org>
-Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [11/18] asus-wmi: Restrict debugfs interface when securelevel is set
-Origin: https://github.com/mjg59/linux/commit/f6e21827205ffcbfcce4b13d3a233427c3e742e0
-
-We have no way of validating what all of the Asus WMI methods do on a
-given machine, and there's a risk that some will allow hardware state to
-be manipulated in such a way that arbitrary code can be executed in the
-kernel. Prevent that if securelevel is set.
-
-Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
----
- drivers/platform/x86/asus-wmi.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index a96630d52346..93943e480a67 100644
---- a/drivers/platform/x86/asus-wmi.c
-+++ b/drivers/platform/x86/asus-wmi.c
-@@ -45,6 +45,7 @@
- #include <linux/seq_file.h>
- #include <linux/platform_device.h>
- #include <linux/thermal.h>
-+#include <linux/security.h>
- #include <linux/acpi.h>
- #include <linux/dmi.h>
- #include <acpi/video.h>
-@@ -1867,6 +1868,9 @@ static int show_dsts(struct seq_file *m, void *data)
- 	int err;
- 	u32 retval = -1;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
- 
- 	if (err < 0)
-@@ -1883,6 +1887,9 @@ static int show_devs(struct seq_file *m, void *data)
- 	int err;
- 	u32 retval = -1;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
- 				    &retval);
- 
-@@ -1907,6 +1914,9 @@ static int show_call(struct seq_file *m, void *data)
- 	union acpi_object *obj;
- 	acpi_status status;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
- 				     1, asus->debug.method_id,
- 				     &input, &output);
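Review bot: the identical `get_securelevel() > 0` test is pasted into all three seq_file show callbacks. Placing it per-callback rather than at open() is the right choice (a descriptor opened before the level was raised would otherwise keep working), so the suggestion is only to fold the three copies into one small static helper to keep future debugfs entries in this driver from missing the check.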
diff --git a/debian/patches/features/all/securelevel/enforce-module-signatures-when-securelevel-is-greate.patch b/debian/patches/features/all/securelevel/enforce-module-signatures-when-securelevel-is-greate.patch
deleted file mode 100644
index f6a2959..0000000
--- a/debian/patches/features/all/securelevel/enforce-module-signatures-when-securelevel-is-greate.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Matthew Garrett <mjg59 at srcf.ucam.org>
-Date: Mon, 9 Sep 2013 08:46:52 -0400
-Subject: [02/18] Enforce module signatures when securelevel is greater than 0
-Origin: https://github.com/mjg59/linux/commit/90e0fa532b145d1bb76c368277a3a3e3b3eb5c94
-
-If securelevel has been set to 1 or greater, require that all modules have
-valid signatures.
-
-Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
----
- kernel/module.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -2616,7 +2616,7 @@ static int module_sig_check(struct load_
- 	}
- 
- 	/* Not having a signature is only an error if we're strict. */
--	if (err == -ENOKEY && !sig_enforce)
-+	if ((err == -ENOKEY && !sig_enforce) && (get_securelevel() <= 0))
- 		err = 0;
- 
- 	return err;
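Review bot: an unsigned module is now rejected with -ENOKEY and no kernel message when securelevel is set, while the `sig_enforce` parameter still reads as disabled, so an administrator sees insmod fail with "Required key not available" and nothing in dmesg explaining why. Consider forcing sig_enforce on when the level is raised, or at least adding a pr_notice on this path, so the two mechanisms report consistently.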
diff --git a/debian/patches/features/all/securelevel/hibernate-disable-when-securelevel-is-set.patch b/debian/patches/features/all/securelevel/hibernate-disable-when-securelevel-is-set.patch
deleted file mode 100644
index 3f22314..0000000
--- a/debian/patches/features/all/securelevel/hibernate-disable-when-securelevel-is-set.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Josh Boyer <jwboyer at fedoraproject.org>
-Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [14/18] hibernate: Disable when securelevel is set
-Origin: https://github.com/mjg59/linux/commit/500a87278c5c0608ba88ed8af7a35fcfa955c492
-
-There is currently no way to verify the resume image when returning
-from hibernate.  This might compromise the securelevel trust model,
-so until we can work with signed hibernate images we disable it in
-a secure modules environment.
-
-Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org>
----
- kernel/power/hibernate.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index fca9254280ee..7bf7f723a27f 100644
---- a/kernel/power/hibernate.c
-+++ b/kernel/power/hibernate.c
-@@ -29,6 +29,7 @@
- #include <linux/ctype.h>
- #include <linux/genhd.h>
- #include <linux/ktime.h>
-+#include <linux/security.h>
- #include <trace/events/power.h>
- 
- #include "power.h"
-@@ -66,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
- 
- bool hibernation_available(void)
- {
--	return (nohibernate == 0);
-+	return ((nohibernate == 0) && (get_securelevel() <= 0));
- }
- 
- /**
diff --git a/debian/patches/features/all/securelevel/kexec-disable-at-runtime-if-securelevel-has-been-set.patch b/debian/patches/features/all/securelevel/kexec-disable-at-runtime-if-securelevel-has-been-set.patch
deleted file mode 100644
index 3969a8e..0000000
--- a/debian/patches/features/all/securelevel/kexec-disable-at-runtime-if-securelevel-has-been-set.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Matthew Garrett <mjg59 at srcf.ucam.org>
-Date: Fri, 9 Aug 2013 03:33:56 -0400
-Subject: [08/18] kexec: Disable at runtime if securelevel has been set.
-Origin: https://github.com/mjg59/linux/commit/ec87b6aac76fd553578cec2c05674e22b79afe3e
-
-kexec permits the loading and execution of arbitrary code in ring 0, which
-permits the modification of the running kernel. Prevent this if securelevel
-has been set.
-
-Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
----
- kernel/kexec.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/kernel/kexec.c b/kernel/kexec.c
-index ee70aef5cd81..542655ea297c 100644
---- a/kernel/kexec.c
-+++ b/kernel/kexec.c
-@@ -17,6 +17,7 @@
- #include <linux/syscalls.h>
- #include <linux/vmalloc.h>
- #include <linux/slab.h>
-+#include <linux/security.h>
- 
- #include "kexec_internal.h"
- 
-@@ -134,6 +135,9 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
- 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
- 		return -EPERM;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	/*
- 	 * Verify we have a legal set of flags
- 	 * This leaves us room for future extensions.
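Review bot: only kexec_load() is gated; kexec_file_load() in kernel/kexec_file.c is untouched. If that is deliberate because the file-based syscall can verify an image signature, the description should say so, and it should be verified that signature verification (CONFIG_KEXEC_VERIFY_SIG) is actually enabled in the shipped config, otherwise kexec_file_load() still loads arbitrary ring-0 code on a locked-down kernel.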
diff --git a/debian/patches/features/all/securelevel/pci-lock-down-bar-access-when-securelevel-is-enabled.patch b/debian/patches/features/all/securelevel/pci-lock-down-bar-access-when-securelevel-is-enabled.patch
deleted file mode 100644
index 800ef71..0000000
--- a/debian/patches/features/all/securelevel/pci-lock-down-bar-access-when-securelevel-is-enabled.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From: Matthew Garrett <mjg59 at srcf.ucam.org>
-Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [03/18] PCI: Lock down BAR access when securelevel is enabled
-Origin: https://github.com/mjg59/linux/commit/2533a3844cf8c43bf58b653334f8925cd1e7d405
-
-Any hardware that can potentially generate DMA has to be locked down from
-userspace in order to avoid it being possible for an attacker to modify
-kernel code. This should be prevented if securelevel has been set. Default
-to paranoid - in future we can potentially relax this for sufficiently
-IOMMU-isolated devices.
-
-Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
-[bwh: Forward-ported to 4.10: adjust context]
----
- drivers/pci/pci-sysfs.c | 9 +++++++++
- drivers/pci/proc.c      | 9 ++++++++-
- drivers/pci/syscall.c   | 3 ++-
- 3 files changed, 19 insertions(+), 2 deletions(-)
-
---- a/drivers/pci/pci-sysfs.c
-+++ b/drivers/pci/pci-sysfs.c
-@@ -718,6 +718,9 @@ static ssize_t pci_write_config(struct f
- 	loff_t init_off = off;
- 	u8 *data = (u8 *) buf;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	if (off > dev->cfg_size)
- 		return 0;
- 	if (off + count > dev->cfg_size) {
-@@ -1009,6 +1012,9 @@ static int pci_mmap_resource(struct kobj
- 	resource_size_t start, end;
- 	int i;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	for (i = 0; i < PCI_ROM_RESOURCE; i++)
- 		if (res == &pdev->resource[i])
- 			break;
-@@ -1108,6 +1114,9 @@ static ssize_t pci_write_resource_io(str
- 				     struct bin_attribute *attr, char *buf,
- 				     loff_t off, size_t count)
- {
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
- }
- 
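Review bot: drivers/pci/pci-sysfs.c gains three get_securelevel() calls but, unlike proc.c and syscall.c below, no `#include <linux/security.h>`; it compiles only because the declaration arrives through an indirect include. Add the include explicitly so the file does not break on the next header cleanup.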
---- a/drivers/pci/proc.c
-+++ b/drivers/pci/proc.c
-@@ -12,6 +12,7 @@
- #include <linux/seq_file.h>
- #include <linux/capability.h>
- #include <linux/uaccess.h>
-+#include <linux/security.h>
- #include <asm/byteorder.h>
- #include "pci.h"
- 
-@@ -116,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct
- 	int size = dev->cfg_size;
- 	int cnt;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	if (pos >= size)
- 		return 0;
- 	if (nbytes >= size)
-@@ -195,6 +199,9 @@ static long proc_bus_pci_ioctl(struct fi
- #endif /* HAVE_PCI_MMAP */
- 	int ret = 0;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	switch (cmd) {
- 	case PCIIOC_CONTROLLER:
- 		ret = pci_domain_nr(dev->bus);
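Review bot: the -EPERM is applied to every ioctl on the /proc/bus/pci node, including PCIIOC_CONTROLLER, which as the next lines show only returns pci_domain_nr() and changes nothing. Move the check into the cases that alter mapping behaviour (PCIIOC_MMAP_IS_IO, PCIIOC_MMAP_IS_MEM and PCIIOC_WRITE_COMBINE) so read-only queries keep working on locked-down systems; proc_bus_pci_mmap() itself is already gated further down.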
-@@ -233,7 +240,7 @@ static int proc_bus_pci_mmap(struct file
- 	struct pci_filp_private *fpriv = file->private_data;
- 	int i, ret, write_combine;
- 
--	if (!capable(CAP_SYS_RAWIO))
-+	if (!capable(CAP_SYS_RAWIO) || (get_securelevel() > 0))
- 		return -EPERM;
- 
- 	/* Make sure the caller is mapping a real resource for this device */
---- a/drivers/pci/syscall.c
-+++ b/drivers/pci/syscall.c
-@@ -11,6 +11,7 @@
- #include <linux/pci.h>
- #include <linux/syscalls.h>
- #include <linux/uaccess.h>
-+#include <linux/security.h>
- #include "pci.h"
- 
- SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn,
-@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigne
- 	u32 dword;
- 	int err = 0;
- 
--	if (!capable(CAP_SYS_ADMIN))
-+	if (!capable(CAP_SYS_ADMIN) || (get_securelevel() > 0))
- 		return -EPERM;
- 
- 	dev = pci_get_bus_and_slot(bus, dfn);
diff --git a/debian/patches/features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch b/debian/patches/features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch
deleted file mode 100644
index 5ce942a..0000000
--- a/debian/patches/features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Matthew Garrett <mjg59 at srcf.ucam.org>
-Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [05/18] Restrict /dev/mem and /dev/kmem when securelevel is set.
-Origin: https://github.com/mjg59/linux/commit/401996625d478c814fe9e736ca9e6c5c5f055f06
-
-Allowing users to write to address space provides mechanisms that may permit
-modification of the kernel at runtime. Prevent this if securelevel has been
-set.
-
-Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
-[bwh: Forward-ported to 4.10: adjust context]
----
- drivers/char/mem.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *fi
- 	if (p != *ppos)
- 		return -EFBIG;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	if (!valid_phys_addr_range(p, count))
- 		return -EFAULT;
- 
-@@ -514,6 +517,9 @@ static ssize_t write_kmem(struct file *f
- 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
- 	int err = 0;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	if (p < (unsigned long) high_memory) {
- 		unsigned long to_write = min_t(unsigned long, count,
- 					       (unsigned long)high_memory - p);
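Review bot: write() to /dev/mem and /dev/kmem is blocked, but mmap() is not: mmap_mem() (and mmap_kmem() under CONFIG_DEVKMEM) in the same file still hands a CAP_SYS_RAWIO process a PROT_WRITE mapping of physical memory, which is the path most tooling actually uses. Without a matching `get_securelevel() > 0` check in the mmap handlers this restriction is trivially bypassed.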
diff --git a/debian/patches/features/all/securelevel/uswsusp-disable-when-securelevel-is-set.patch b/debian/patches/features/all/securelevel/uswsusp-disable-when-securelevel-is-set.patch
deleted file mode 100644
index fc68a85..0000000
--- a/debian/patches/features/all/securelevel/uswsusp-disable-when-securelevel-is-set.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Matthew Garrett <mjg59 at srcf.ucam.org>
-Date: Tue, 3 Sep 2013 11:23:29 -0400
-Subject: [09/18] uswsusp: Disable when securelevel is set
-Origin: https://github.com/mjg59/linux/commit/504f45f7cc9b4265a4d89728c4f8254295e81977
-
-uswsusp allows a user process to dump and then restore kernel state, which
-makes it possible to modify the running kernel. Disable this if securelevel
-has been set.
-
-Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
----
- kernel/power/user.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/kernel/power/user.c
-+++ b/kernel/power/user.c
-@@ -24,6 +24,7 @@
- #include <linux/console.h>
- #include <linux/cpu.h>
- #include <linux/freezer.h>
-+#include <linux/security.h>
- 
- #include <linux/uaccess.h>
- 
-@@ -52,6 +53,9 @@ static int snapshot_open(struct inode *i
- 	if (!hibernation_available())
- 		return -EPERM;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	lock_system_sleep();
- 
- 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
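Review bot: this check is redundant once 14/18 is applied. snapshot_open() already returns -EPERM when hibernation_available() is false (two lines above), and that function now returns false whenever securelevel > 0. Keeping both is harmless, but one of the two should go so there is a single source of truth for "is hibernation allowed".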
diff --git a/debian/patches/features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch b/debian/patches/features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch
deleted file mode 100644
index d47ce64..0000000
--- a/debian/patches/features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From: Matthew Garrett <mjg59 at srcf.ucam.org>
-Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [04/18] x86: Lock down IO port access when securelevel is enabled
-Origin: https://github.com/mjg59/linux/commit/2ad64f6ea1f1164c8b552860faa27392d9da9928
-
-IO port access would permit users to gain access to PCI configuration
-registers, which in turn (on a lot of hardware) give access to MMIO register
-space. This would potentially permit root to trigger arbitrary DMA, so lock
-it down when securelevel is set.
-
-Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
----
- arch/x86/kernel/ioport.c | 5 +++--
- drivers/char/mem.c       | 7 +++++++
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kernel/ioport.c
-+++ b/arch/x86/kernel/ioport.c
-@@ -15,6 +15,7 @@
- #include <linux/thread_info.h>
- #include <linux/syscalls.h>
- #include <linux/bitmap.h>
-+#include <linux/security.h>
- #include <asm/syscalls.h>
- #include <asm/desc.h>
- 
-@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long
- 
- 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
- 		return -EINVAL;
--	if (turn_on && !capable(CAP_SYS_RAWIO))
-+	if (turn_on && (!capable(CAP_SYS_RAWIO) || (get_securelevel() > 0)))
- 		return -EPERM;
- 
- 	/*
-@@ -108,7 +109,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, leve
- 		return -EINVAL;
- 	/* Trying to gain more privileges? */
- 	if (level > old) {
--		if (!capable(CAP_SYS_RAWIO))
-+		if (!capable(CAP_SYS_RAWIO) || (get_securelevel() > 0))
- 			return -EPERM;
- 	}
- 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -27,6 +27,7 @@
- #include <linux/export.h>
- #include <linux/io.h>
- #include <linux/uio.h>
-+#include <linux/security.h>
- 
- #include <linux/uaccess.h>
- 
-@@ -559,6 +560,9 @@ static ssize_t read_port(struct file *fi
- 	unsigned long i = *ppos;
- 	char __user *tmp = buf;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	if (!access_ok(VERIFY_WRITE, buf, count))
- 		return -EFAULT;
- 	while (count-- > 0 && i < 65536) {
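Review bot: reads of /dev/port are refused here, whereas the /dev/mem patch leaves read_mem() untouched. The asymmetry is defensible (an IN can have side effects on the device, for instance clearing a status register), but it is surprising next to /dev/mem, so state the reasoning in the description rather than leaving the next reader to guess.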
-@@ -577,6 +581,9 @@ static ssize_t write_port(struct file *f
- 	unsigned long i = *ppos;
- 	const char __user *tmp = buf;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	if (!access_ok(VERIFY_READ, buf, count))
- 		return -EFAULT;
- 	while (count-- > 0 && i < 65536) {
diff --git a/debian/patches/features/all/securelevel/x86-restrict-msr-access-when-securelevel-is-set.patch b/debian/patches/features/all/securelevel/x86-restrict-msr-access-when-securelevel-is-set.patch
deleted file mode 100644
index 40263e1..0000000
--- a/debian/patches/features/all/securelevel/x86-restrict-msr-access-when-securelevel-is-set.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Matthew Garrett <mjg59 at srcf.ucam.org>
-Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [10/18] x86: Restrict MSR access when securelevel is set
-Origin: https://github.com/mjg59/linux/commit/c6ad37822699967e60fae57a64ae89676f543182
-
-Permitting write access to MSRs allows userspace to modify the running
-kernel. Prevent this if securelevel has been set. Based on a patch by Kees
-Cook.
-
-Cc: Kees Cook <keescook at chromium.org>
-Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
----
- arch/x86/kernel/msr.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -39,6 +39,7 @@
- #include <linux/notifier.h>
- #include <linux/uaccess.h>
- #include <linux/gfp.h>
-+#include <linux/security.h>
- 
- #include <asm/cpufeature.h>
- #include <asm/msr.h>
-@@ -83,6 +84,9 @@ static ssize_t msr_write(struct file *fi
- 	int err = 0;
- 	ssize_t bytes = 0;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	if (count % 8)
- 		return -EINVAL;	/* Invalid chunk size */
- 
-@@ -130,6 +134,10 @@ static long msr_ioctl(struct file *file,
- 			err = -EBADF;
- 			break;
- 		}
-+		if (get_securelevel() > 0) {
-+			err = -EPERM;
-+			break;
-+		}
- 		if (copy_from_user(&regs, uregs, sizeof regs)) {
- 			err = -EFAULT;
- 			break;
diff --git a/debian/patches/series b/debian/patches/series
index 27a2a8a..13e2599 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -71,27 +71,73 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 
 # Miscellaneous features
 
-# Securelevel patchset from mjg59
-features/all/securelevel/add-bsd-style-securelevel-support.patch
-features/all/securelevel/enforce-module-signatures-when-securelevel-is-greate.patch
-features/all/securelevel/pci-lock-down-bar-access-when-securelevel-is-enabled.patch
-features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch
-features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch
-features/all/securelevel/acpi-limit-access-to-custom_method-if-securelevel-is.patch
-features/all/securelevel/acpi-ignore-acpi_rsdp-kernel-parameter-when-securele.patch
-features/all/securelevel/kexec-disable-at-runtime-if-securelevel-has-been-set.patch
-features/all/securelevel/uswsusp-disable-when-securelevel-is-set.patch
-features/all/securelevel/x86-restrict-msr-access-when-securelevel-is-set.patch
-features/all/securelevel/asus-wmi-restrict-debugfs-interface-when-securelevel.patch
-features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch
-features/all/securelevel/hibernate-disable-when-securelevel-is-set.patch
-features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch
-features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch
-features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.patch
-features/all/securelevel/enable-cold-boot-attack-mitigation.patch
-features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch
-# same for arm64
-features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch
+# Lockdown (formerly 'securelevel') patchset
+features/all/lockdown/0001-Annotate-module-params-that-specify-hardware-paramet.patch
+features/all/lockdown/0002-Annotate-hardware-config-module-parameters-in-arch-x.patch
+features/all/lockdown/0003-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0004-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0005-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0006-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0007-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0008-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0009-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0010-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0011-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0012-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0013-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0014-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0015-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0016-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0017-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0018-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0019-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0020-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0021-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0022-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0023-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0024-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0025-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0026-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0027-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0028-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0029-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0030-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0031-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0032-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0033-Annotate-hardware-config-module-parameters-in-driver.patch
+features/all/lockdown/0034-Annotate-hardware-config-module-parameters-in-fs-pst.patch
+features/all/lockdown/0035-Annotate-hardware-config-module-parameters-in-sound-.patch
+features/all/lockdown/0036-Annotate-hardware-config-module-parameters-in-sound-.patch
+features/all/lockdown/0037-Annotate-hardware-config-module-parameters-in-sound-.patch
+features/all/lockdown/0038-Annotate-hardware-config-module-parameters-in-sound-.patch
+features/all/lockdown/0039-efi-Add-EFI_SECURE_BOOT-bit.patch
+features/all/lockdown/0040-Add-the-ability-to-lock-down-access-to-the-running-k.patch
+features/all/lockdown/0041-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+features/all/lockdown/0042-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
+features/all/lockdown/0043-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
+features/all/lockdown/0044-Add-a-sysrq-option-to-exit-secure-boot-mode.patch
+features/all/lockdown/0045-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
+features/all/lockdown/0046-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
+features/all/lockdown/0047-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
+features/all/lockdown/0048-hibernate-Disable-when-the-kernel-is-locked-down.patch
+features/all/lockdown/0049-uswsusp-Disable-when-the-kernel-is-locked-down.patch
+features/all/lockdown/0050-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
+features/all/lockdown/0051-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
+features/all/lockdown/0052-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
+features/all/lockdown/0053-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
+features/all/lockdown/0054-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
+features/all/lockdown/0055-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
+features/all/lockdown/0056-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
+features/all/lockdown/0057-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
+features/all/lockdown/0058-bpf-Restrict-kernel-image-access-functions-when-the-.patch
+features/all/lockdown/0059-scsi-Lock-down-the-eata-driver.patch
+features/all/lockdown/0060-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
+features/all/lockdown/0061-Lock-down-TIOCSSERIAL.patch
+features/all/lockdown/0062-Lock-down-module-params-that-specify-hardware-parame.patch
+# some missing pieces
+features/all/lockdown/enable-cold-boot-attack-mitigation.patch
+features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
+features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
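Review bot: the comment "# some missing pieces" above the last three entries of the new block does not say what they are missing from or where they came from; the removed lines show they are the Debian-local patches carried over from the old securelevel set (enable-cold-boot-attack-mitigation, the mtd slram/phram restriction, and the arm64 config option), rebased onto the lockdown series rather than taken from the numbered upstream set. Suggest a comment that records that, e.g. "# Debian patches rebased from the securelevel set, not in the upstream lockdown series", so the next rebase knows these need manual work while the 0001-0062 files can be regenerated wholesale; the old "# same for arm64" marker that was dropped could be folded into it. The ordering is right, since all three depend on the lock-down infrastructure introduced by 0040 and are applied after it. Note also that 0047-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch keeps the old "securelevel" wording in its filename; that name comes with the upstream series, so a grep for leftover securelevel references should not treat it as an unconverted patch.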

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


