sys-kernel/hardened-kernel: version update to 6.15.8

Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
2025-07-30 18:07:07 +03:00
parent d7cd234adc
commit a0126429a1
10 changed files with 159 additions and 73526 deletions
--- a/sys-kernel/hardened-kernel/Manifest
+++ b/sys-kernel/hardened-kernel/Manifest
@@ -1,20 +1,10 @@
-DIST genpatches-6.12-23.base.tar.xz 1435492 BLAKE2B ca65b4ead188bb8c561e47dd7aca29c2cb10d98ed28e78113cedd1bf9d9bf2a380bf12a807bcfc3cce3976621355e087cb8a2a5a06857660401eea0e9156830f SHA512 82fc23bb6e04227bcea2d29336d5a46a6e7f1649244b9ceae2869fac65e3f785e7512ea8d1e32f34281d48c76831223cc5c8b448452d2dd036445773a1329c6d
-DIST genpatches-6.12-23.experimental.tar.xz 78500 BLAKE2B f7c0bbe38f90fe3c203725c83bae75f105de44ecc3b4bb5d262056936cc472f8678d50900587e51fd388ed54d95fefa624ba86642f5d12bfc650f0bb4a2a0e37 SHA512 9738997ec9056d66a0e56fb21bc1d6f06c198394993d2960c13acf29821b0f6f1e8b6637abca0abdd3e57ff25b734286a309d991c9614fe6b9ee1f8de59e25fc
-DIST genpatches-6.12-23.extras.tar.xz 4056 BLAKE2B dc27e7f57ea95e678f08d3b6f791a26cec5b51e2204f3d527538f3c54333c8f25194981cdc68b7812973ee8baa95e0d5c575be26e918b25c160178d3bcf80769 SHA512 c7d92cc303dde284b5c1f31b87081167a1a8645e5611a65780d09ebc49f9cc2ded94007d10e1764d90e0d25e31fa73095227d381977c1ba13714654a328ac77f
-DIST genpatches-6.14-9.base.tar.xz 751104 BLAKE2B 54247d1f3e1639761408bd622efd9ecb1311ec87f5b231ab6e243829b2ef0ab828b7743b38599b655684229875fb07127c931c2bb1de65c05318d54b832ba7a9 SHA512 de7fff5b69767c1fbe7d3dabc97be4777f22c90a47eb137a8a69756ed0fca36a9b962650215ec91b985ad35057bcca0e2a824c71b4d3cde0100e2b7e8e8edceb
-DIST genpatches-6.14-9.experimental.tar.xz 79816 BLAKE2B f72de3acdeff2c48e01e488144befceea4e8cd7fbc94b1bd36078b998ca6da3f807db1e2368fb48a8f38fe80627d94583c9c26457f8f560a80642c18ecd437cb SHA512 d678dc235b5e120205e093ddaa86349dc2f2f6613596044a2fb18f94b29da15f4ecbd02fb14a4c61ab1e18b7fb43a494fe8f12d7de01efa45de27ac62bb0406c
-DIST genpatches-6.14-9.extras.tar.xz 4056 BLAKE2B 431e8bd76cd1edce40f831c16c9971fd21ebdddb7720bca0028a70c42fdd97d483de920248eff645cb5902684df40b21a7b68ca6e714831b216792c4a2a910e8 SHA512 5e112f31f2b0ec5d25d2d19897ced19b3d3e632d272bac4ae1a27c701235e3c981eb7bd95c176f6a9f9cefbcb0304a1d48b99aea4d091222ac5781ce5dbd4682
-DIST gentoo-kernel-config-g15.tar.gz 5746 BLAKE2B 2baef40e18cbf3bb975362d71ad674604ad80338d1e6914ffa2fc03af26f1b9c9cec66d39a56077693a7327060bc29bd5eb5787549857dd3779e841192cb2016 SHA512 45d609ee25a529988868b8c99c808f4e6abbde34ae501bf35523431ee85c9f3657663d6f938f2036a5f012a55a68965b32fd41fc44d8f6ca606a6fd38f952445
 DIST gentoo-kernel-config-g16.tar.gz 5995 BLAKE2B cddb80d45169749c707d87efd186f7a981534aab2479b6c51790008ea61e9f9feac35d0d74b95dc18281e4b81771e09f259a1d9f216f5d7f806fa7cd6aeeb4d1 SHA512 f8114e645e1ab99e45703790b7e43c2fa9ee17b41a2265dccdd9187c122bf8b5a09ba918fbcf094aa899bb959f05d105ed474b75cdfa9a19c4d49fd138825647
-DIST kernel-aarch64-fedora.config.6.12.8-gentoo 288081 BLAKE2B 08273a34c387621d0ccffcc325a0a34b40e0a8fbe78f2429c8a9efc73aa05f8fb563ed53e5fadb25662089f23ebafb61b2d08f91ea00b073e67e702798255e9c SHA512 58ea4f247aa9af6f7535ab5fe44dae2fbf286c7fbceeda86df532125807bbd4c25a89ddeeff4284592efefbaaef5022626abad7f1d1d64976e3040dc6e89251a
-DIST kernel-aarch64-fedora.config.6.14.5-gentoo 291637 BLAKE2B 3255e3c098f6c161328633886473ee4cec96799545e9b1a106b1f3fe59fa373407435ee970a9b5d442ceb26869ddc8cf62c962105757630be2fc741a378c4014 SHA512 aded4b58a526b1fd8ece961f04a0885d12fb860bb9e246489242a3060bbebfad904ed1a72935bc6f5a9aabf9b062eccada430772299a958e8393e2980d5b255a
-DIST kernel-i686-fedora.config.6.12.8-gentoo 255163 BLAKE2B 7015bbcfb2aed0ba70173dc7e9abf464e167184e2bc8cea6d26623972bbe6b42956241a7d75ff8604d70d5c0202db6e40cdb890abfcea3d0c8e0d00aa869353e SHA512 a1b4b688510a231fe079b4158e8aaddaddc4e719367132668279edcb16e32b6c7f2c449ec196646b0986171dc43a82475255502ae40679e0433de9f9876e0a20
-DIST kernel-i686-fedora.config.6.14.5-gentoo 259410 BLAKE2B c28dfc8cd90f60b57ac80f357ea787bbb68e86e58e21880f643bd5276121f9ff1f6afaf70852694d8bb3a11616c278281d067e248baa439487d7870f76ac7b25 SHA512 d53d840cc1dc2359b3b03198c3416e2f2cbceae1e0555478ab6592d7b280aac07da2a3813c3e3e175160c4674adcb6ec4232b0073fc40b14e64dcc60b278e400
-DIST kernel-ppc64le-fedora.config.6.12.8-gentoo 241851 BLAKE2B e7b8833572348037d7af2ba1f9671e8010276d853e0d85b8a175c0dcc5c212c57c7660be54a7ba2621c427cc8120acbeb1063a1c1a1c293894ebe1d63921b684 SHA512 7a81fe1c4b1d4fb9f2d68846882a8869c0888c8fa764ec41f41d27e61b7a69825ea8ceba2209b40deb7c0e8f4bb2c5d81226a4f28e7ca8aff4788bc7a3292194
-DIST kernel-ppc64le-fedora.config.6.14.5-gentoo 243480 BLAKE2B 1174ca580d5de7db3e94e7a040e655136ce9356c6bccd9c7d6e0c4c6f0cae0b325ac0fd3345e6e493891a4e648ccecf22a0e36adb53f4e028611cf99d1ca4876 SHA512 99adb16c8a84c31442dfae67a828eaa6689fb1b96b4d5fe2505bcf5ae1803e9df742eb239c4524566375eabe64cb93d26390edb4ff651f48cb5f87c27895e2b4
-DIST kernel-x86_64-fedora.config.6.12.8-gentoo 256210 BLAKE2B f14f7de8ae573561824df47cf94c3c0ce52a820456ebd0e618e4c1e7f5454b7d3f6f86c559a3cd98dd94c55aaeed397f3d0cee6b0e37cf6b47d3aedd920a9dea SHA512 ea87b4b45c78888e02d0288dd5844cf2d97a14e251b565c7d6451a0e62fbe0dbef38f46715467af2f869995d6bbc8be61d5b70476a86d607a5bfa27fbaf36e92
-DIST kernel-x86_64-fedora.config.6.14.5-gentoo 260496 BLAKE2B b68058a75bc02afcc3e45371be25d295ccb959efb9047ec394d1d11becea30f3d9007e78da02253ebb8cea41500e0fbb392866b1086c9746cdefdb78cc4edd3c SHA512 2f1e6f112db46bd3765e29cfe0cff1f45991d652c49b520b46b0c5ced4c995e2ef7753c13730b0a918379200cb05f50eaadc827516136177ea5900b4e10d6192
-DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548
-DIST linux-6.14.tar.xz 149408504 BLAKE2B 11835719804b406fe281ea1c276a84dc0cbaa808552ddcca9233d3eaeb1c001d0455c7205379b02de8e8db758c1bae6fe7ceb6697e63e3cf9ae7187dc7a9715e SHA512 71dcaa3772d8d9797c3ae30cae9c582b11a7047a3bbcb8dfd479a4dffb40ff0da74cf3d45175f50cc9992e338bcadd46c9c570f54054ca3bde6661768d3d22eb
-DIST linux-hardened-v6.12.19-hardened1.patch 89621 BLAKE2B dcd5dace9b76852547e02ce79f98eb417ebe0290654f6f19d18655d873c868a4e84d72608714e0bf02ae71178726cf69bcee20c38b30b590ef44de9ba7b88470 SHA512 e96e7028303d2d7660d71de2e90a03ea467bafeb3af296c456d859235274d1c92b9f92b093bc3747f1f47d9f0a2ed2e501b05baf22a483b473dc00cb983433ed
-DIST linux-hardened-v6.14.8-hardened1.patch 90843 BLAKE2B 9e1d570a0fc91ad249365b2821ffddfa24e822f251a82eede6db827951de799b45bef7223e9c8b7479eba9d130a1205f19750d7e92ffae9784d30563c9bd1789 SHA512 dcf7a7b5456de0d05b9821462d4a1aa20162314092a8a0a855aeac586bdde5d8e7d35b594abd0416c7a11bb0b28f851ab91c36d153565cd76a025e1f8bb81fb9
+DIST kernel-aarch64-fedora.config.6.15.6-gentoo 294308 BLAKE2B 62b4c06f14572cf3ffda30e0d2d3f1d08d9c45b072888e2ffef7d771a88efecd84a463e9b42f6b676f13adc65ec95bfda9ebfa84cb722514bfb7212ffd08d3bc SHA512 058e072cfdfd0314e38f5b538fd82db4140844366f666ba2afd152ca584067ff53d0c63ae9a73be31dec49c69b4301b2a52e328fb4c712ef1f729d806abea950
+DIST kernel-i686-fedora.config.6.15.6-gentoo 261602 BLAKE2B aa195831ccd61cba9c0b7fde51af25d4accc2953c1fdd35c7b007aea4e2a747ce043b0aff90f71aff1b8dd42d22aa99a387fdbcab844edb40f962a0a1d0e0e41 SHA512 4600b2244b34889cbe6014858d012c208878f1815decbc17dd618bcd2a6f37908b7b869286bd2639f6a64ef73c7c199406edd08ed13cc7f4ba9273d76373222d
+DIST kernel-ppc64le-fedora.config.6.15.6-gentoo 245484 BLAKE2B b59792e2fe18e0b3ad8459bd5f7dedee3149505be63f15f5ca02b88e95eed0e4dfaf204f95a00761595092163d12967aa8a71ba13103682ded8dd9b70063412b SHA512 ca0915a6be9d0028c4f5d57a145d598fa1c2dc77700bbaeaee5116d611da476e3a3849bbe0bf84935c85946f100d1f0b824c7892651b943986cd8a4f042f5c29
+DIST kernel-x86_64-fedora.config.6.15.6-gentoo 262707 BLAKE2B 4727bbee8f4458c2627d9f808c7baa1df2828844e92a1d6733b7ed1525e76b0b5664f224ef6e1697f949d64602fb2fcbbe913f68c9ddc008d5be01d29c7a847e SHA512 353e804ef2ee63ad8b353a52ea3c905f58668e4162bda6024a0201db1634250eaa782f30a1dd1220a6bc1df364c141167f4e2eacd221f47c022e3a23dc987afb
+DIST linux-6.15.tar.xz 151168812 BLAKE2B 465596c6dc053ff3a3966302a906d3edb4f7ee1ef82f8c20b96360196d3414f5b1deeafa67b8340fcdecd3617280ba9b756d7073ad15c707865e256397b4af53 SHA512 d03788ffa8d8ae1b84ef1286bb44a08fc01432e509dfec6cccae5c5a5a47201d378aec2bcd21e6f0bbd1e625b26f47780c06ee9c1cef3775358f98b160923f30
+DIST linux-6.x-sha256sums-20250724.asc 159789 BLAKE2B 9a85b54a784ea9f026ccc7d63d961239f09c0e656a67eac035fac6d7f3eb8bbebd67097a1a38b6d06ab232e79411e6d0ea2cce30eb7972df4cac65fc5f63c664 SHA512 dd79403876b28843987b7685962a9f79f9dae3ae680ff1dd915ec78218c235df4177d1197f8ff9e2a05cb11a3464808dda4c15441626e0fc5b91bbbc217537d0
+DIST linux-gentoo-patches-6.15.8.tar.xz 85336 BLAKE2B 04e7f012c9375fac93fdbfd97a7450ed9022110c56eff2b9b76a856d83c2dab97da983c4c577c7df3f06ec889771f772f281d0ae837b3e07dee30fec79dad110 SHA512 cc51a68444a20c4f106fc16d6f6327d40372faf77fad8e76936a50f97102736166efffc107a405cfe8124b61dbf1370095b811d0172af9003d6e6eaca4effa64
+DIST linux-hardened-v6.15.8-hardened2.patch 90401 BLAKE2B be2f2fb1a4af1231b52f24b7bbcd8ef766cc6ea8883f0a75dafc3ed337e02671265a039c26e8540b8a45013b427a410ae3b393eab57413b07e9d875436a0ddb9 SHA512 44ba90e044a1ce1999c08a68be7023dea3cef3e87411fe6a5c47b10d6ebba01589bf3f166bb22465e08ce209531816723fc2601a339983ea1a8032bf76dbc6b8
+DIST patch-6.15.8.xz 706220 BLAKE2B dea53067591c113c1cc1c5546c6ca1a561199c9b5d36e7b68c0dc712fd0851c879bc24f6bfcf38aa044c0e2dbe565bca4e5f655aa3c48755c5efda8e6fb5e4f2 SHA512 a6341a8c6ca08a0a02598ea2b60dfcf88f99aededda4e3c37bbb8a07fc2d8720d590d9054ef59a8c611f7e4fe1184e3781b6c1a6e0daabac9015597236354158
--- a/sys-kernel/hardened-kernel/files/linux-6.12.amd64.config
+++ b/sys-kernel/hardened-kernel/files/linux-6.12.amd64.config
--- a/sys-kernel/hardened-kernel/files/linux-6.12/1191-bcachefs-upd-from-bcachefs-for-upstream-69a5a13.patch
+++ b/sys-kernel/hardened-kernel/files/linux-6.12/1191-bcachefs-upd-from-bcachefs-for-upstream-69a5a13.patch
--- a/sys-kernel/hardened-kernel/files/linux-6.14/1190_bcachefs-revert-6.14-backport-fixes.patch
+++ b/sys-kernel/hardened-kernel/files/linux-6.14/1190_bcachefs-revert-6.14-backport-fixes.patch
@@ -1,128 +0,0 @@
-From ee3912c8c293b09acc90ba6ad7443ceacc33ef79 Mon Sep 17 00:00:00 2001
-From: Alexander Miroshnichenko <alex@millerson.name>
-Date: Wed, 14 May 2025 16:48:38 +0300
-Subject: [PATCH] bcachefs: revert 6.14 backport fixes
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
---
- fs/bcachefs/btree_update_interior.c | 17 +----------------
- fs/bcachefs/error.c                 |  8 --------
- fs/bcachefs/error.h                 |  2 --
- fs/bcachefs/fs-ioctl.c              |  6 ++----
- fs/bcachefs/xattr_format.h          |  8 +-------
- 5 files changed, 4 insertions(+), 37 deletions(-)
-
-diff --git a/fs/bcachefs/btree_update_interior.c b/fs/bcachefs/btree_update_interior.c
-index e9be8b5571a4..e4e7c804625e 100644
--- a/fs/bcachefs/btree_update_interior.c
-+++ b/fs/bcachefs/btree_update_interior.c
-@@ -35,8 +35,6 @@ static const char * const bch2_btree_update_modes[] = {
- 	NULL
- };
- 
-static void bch2_btree_update_to_text(struct printbuf *, struct btree_update *);
-
- static int bch2_btree_insert_node(struct btree_update *, struct btree_trans *,
- 				  btree_path_idx_t, struct btree *, struct keylist *);
- static void bch2_btree_update_add_new_node(struct btree_update *, struct btree *);
-@@ -1784,24 +1782,11 @@ static int bch2_btree_insert_node(struct btree_update *as, struct btree_trans *t
- 	int ret;
- 
- 	lockdep_assert_held(&c->gc_lock);
-+	BUG_ON(!btree_node_intent_locked(path, b->c.level));
- 	BUG_ON(!b->c.level);
- 	BUG_ON(!as || as->b);
- 	bch2_verify_keylist_sorted(keys);
- 
-	if (!btree_node_intent_locked(path, b->c.level)) {
-		struct printbuf buf = PRINTBUF;
-		bch2_log_msg_start(c, &buf);
-		prt_printf(&buf, "%s(): node not locked at level %u\n",
-			   __func__, b->c.level);
-		bch2_btree_update_to_text(&buf, as);
-		bch2_btree_path_to_text(&buf, trans, path_idx);
-
-		bch2_print_string_as_lines(KERN_ERR, buf.buf);
-		printbuf_exit(&buf);
-		bch2_fs_emergency_read_only(c);
-		return -EIO;
-	}
-
- 	ret = bch2_btree_node_lock_write(trans, path, &b->c);
- 	if (ret)
- 		return ret;
-diff --git a/fs/bcachefs/error.c b/fs/bcachefs/error.c
-index 6cbf4819e923..038da6a61f6b 100644
--- a/fs/bcachefs/error.c
-+++ b/fs/bcachefs/error.c
-@@ -11,14 +11,6 @@
- 
- #define FSCK_ERR_RATELIMIT_NR	10
- 
-void bch2_log_msg_start(struct bch_fs *c, struct printbuf *out)
-{
-#ifdef BCACHEFS_LOG_PREFIX
-	prt_printf(out, bch2_log_msg(c, ""));
-#endif
-	printbuf_indent_add(out, 2);
-}
-
- bool bch2_inconsistent_error(struct bch_fs *c)
- {
- 	set_bit(BCH_FS_error, &c->flags);
-diff --git a/fs/bcachefs/error.h b/fs/bcachefs/error.h
-index 5730eb6b2f38..7acf2a27ca28 100644
--- a/fs/bcachefs/error.h
-+++ b/fs/bcachefs/error.h
-@@ -18,8 +18,6 @@ struct work_struct;
- 
- /* Error messages: */
- 
-void bch2_log_msg_start(struct bch_fs *, struct printbuf *);
-
- /*
-  * Inconsistency errors: The on disk data is inconsistent. If these occur during
-  * initial recovery, they don't indicate a bug in the running code - we walk all
-diff --git a/fs/bcachefs/fs-ioctl.c b/fs/bcachefs/fs-ioctl.c
-index 4d6193820483..15725b4ce393 100644
--- a/fs/bcachefs/fs-ioctl.c
-+++ b/fs/bcachefs/fs-ioctl.c
-@@ -515,12 +515,10 @@ static long bch2_ioctl_subvolume_destroy(struct bch_fs *c, struct file *filp,
- 		ret = -ENOENT;
- 		goto err;
- 	}
-
-	ret =   inode_permission(file_mnt_idmap(filp), d_inode(victim), MAY_WRITE) ?:
-		__bch2_unlink(dir, victim, true);
-+	ret = __bch2_unlink(dir, victim, true);
- 	if (!ret) {
- 		fsnotify_rmdir(dir, victim);
-		d_invalidate(victim);
-+		d_delete(victim);
- 	}
- err:
- 	inode_unlock(dir);
-diff --git a/fs/bcachefs/xattr_format.h b/fs/bcachefs/xattr_format.h
-index 67426e33d04e..c7916011ef34 100644
--- a/fs/bcachefs/xattr_format.h
-+++ b/fs/bcachefs/xattr_format.h
-@@ -13,13 +13,7 @@ struct bch_xattr {
- 	__u8			x_type;
- 	__u8			x_name_len;
- 	__le16			x_val_len;
-	/*
-	 * x_name contains the name and value counted by
-	 * x_name_len + x_val_len. The introduction of
-	 * __counted_by(x_name_len) caused a false positive
-	 * detection of an out of bounds write.
-	 */
-	__u8			x_name[];
-+	__u8			x_name[] __counted_by(x_name_len);
- } __packed __aligned(8);
- 
- #endif /* _BCACHEFS_XATTR_FORMAT_H */
-- 
-2.49.0
-
--- a/sys-kernel/hardened-kernel/files/linux-6.14/1191_bcachefs-cherry-pick-updates-from-master-17227e8.patch
+++ b/sys-kernel/hardened-kernel/files/linux-6.14/1191_bcachefs-cherry-pick-updates-from-master-17227e8.patch
--- a/sys-kernel/hardened-kernel/files/linux-6.14/1199_openpax-cherry-pick-updates-fb1be96.patch
+++ b/sys-kernel/hardened-kernel/files/linux-6.14/1199_openpax-cherry-pick-updates-fb1be96.patch
@@ -1,720 +0,0 @@
-From a80207aef480f66179564003807d7a4ecf5aef8e Mon Sep 17 00:00:00 2001
-From: Alexander Miroshnichenko <alex@millerson.name>
-Date: Wed, 14 May 2025 19:33:06 +0300
-Subject: [PATCH] openpax: cherry-pick updates from master fb1be96e0a3e
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
---
- .../admin-guide/kernel-parameters.txt         |   3 +
- arch/x86/mm/fault.c                           | 218 ++++++++++++++++++
- fs/binfmt_elf.c                               |  88 ++++++-
- fs/proc/array.c                               |  15 ++
- fs/xattr.c                                    |  16 ++
- include/linux/init.h                          |   1 +
- include/linux/mm_types.h                      |  11 +
- include/linux/mman.h                          |  11 +-
- include/linux/xattr.h                         |   4 +
- include/uapi/linux/xattr.h                    |   5 +
- init/main.c                                   |  11 +
- kernel/sysctl.c                               |  15 ++
- security/Kconfig                              |   1 +
- security/Kconfig.openpax                      |  89 +++++++
- 14 files changed, 485 insertions(+), 3 deletions(-)
- create mode 100644 security/Kconfig.openpax
-
-diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index bd53e2675c75..d46f21aa6a26 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
-+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -4579,6 +4579,9 @@
- 			from the first 4GB of memory as the bootmem allocator
- 			passes the memory pages to the buddy allocator.
- 
-+	pax_softmode=<int>
-+			Enables OpenPaX soft mode if set to a non-zero value.
-+
- 	pcbit=		[HW,ISDN]
- 
- 	pci=option[,option...]	[PCI,EARLY] various PCI subsystem options.
-diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index 296d294142c8..65665982e401 100644
--- a/arch/x86/mm/fault.c
-+++ b/arch/x86/mm/fault.c
-@@ -1198,6 +1198,217 @@ do_kern_addr_fault(struct pt_regs *regs, unsigned long hw_error_code,
- }
- NOKPROBE_SYMBOL(do_kern_addr_fault);
- 
-+#ifdef CONFIG_OPENPAX_EMUTRAMP
-+/*
-+ * Determine if a fault is possibly caused by an emulatable stack or
-+ * heap trampoline.  We return false if trampoline emulation is not
-+ * enabled.
-+ */
-+static inline
-+bool openpax_fault_is_trampoline(unsigned long error_code,
-+				 struct pt_regs *regs,
-+				 unsigned long address)
-+{
-+	struct mm_struct *mm = current->mm;
-+	unsigned long ip = regs->ip;
-+
-+	if (!test_bit(PAXF_EMUTRAMP, &mm->pax_flags))
-+		return false;
-+
-+	if (v8086_mode(regs))
-+		ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
-+
-+	if (test_bit(PAXF_PAGEEXEC, &mm->pax_flags)) {
-+		if ((__supported_pte_mask & _PAGE_NX) && (error_code & X86_PF_INSTR))
-+			return true;
-+		if (!(error_code & (X86_PF_PROT | X86_PF_WRITE)) && ip == address)
-+			return true;
-+		return false;
-+	}
-+
-+	return false;
-+}
-+NOKPROBE_SYMBOL(openpax_fault_is_trampoline);
-+
-+static inline
-+bool openpax_emulate_trampoline_32(struct pt_regs *regs)
-+{
-+	int err;
-+
-+	/* libffi trampoline type 1, gcc trampoline type 2 */
-+	do {
-+		unsigned char mov, jmp;
-+		unsigned int addr1, addr2;
-+
-+#ifdef CONFIG_X86_64
-+		if ((regs->ip + 9) >> 32)
-+			break;
-+#endif
-+
-+		err = get_user(mov, (unsigned char __user *) regs->ip);
-+		err |= get_user(addr1, (unsigned int __user *) (regs->ip + 1));
-+		err |= get_user(jmp, (unsigned char __user *) (regs->ip + 5));
-+		err |= get_user(addr2, (unsigned int __user *) (regs->ip + 6));
-+
-+		if (err)
-+			break;
-+
-+		if ((mov == 0xB8 || mov == 0xB9) && jmp == 0xE9) {
-+			if (mov == 0xB8)
-+				regs->ax = addr1;
-+			else
-+				regs->cx = addr1;
-+
-+			regs->ip = (unsigned int)(regs->ip + addr2 + 10);
-+			return true;
-+		}
-+	} while (0);
-+
-+	/* older gcc trampoline type... */
-+	do {
-+		unsigned char mov1, mov2;
-+		unsigned short jmp;
-+		unsigned int addr1, addr2;
-+
-+#ifdef CONFIG_X86_64
-+		if ((regs->ip + 11) >> 32)
-+			break;
-+#endif
-+
-+		err = get_user(mov1, (unsigned char __user *) regs->ip);
-+		err |= get_user(addr1, (unsigned int __user *) (regs->ip + 1));
-+		err |= get_user(mov2, (unsigned char __user *) (regs->ip + 5));
-+		err |= get_user(addr2, (unsigned int __user *) (regs->ip + 6));
-+		err |= get_user(jmp, (unsigned short __user *) (regs->ip + 10));
-+
-+		if (err)
-+			break;
-+
-+		if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
-+			regs->cx = addr1;
-+			regs->ax = addr2;
-+			regs->ip = addr2;
-+			return true;
-+		}
-+	} while (0);
-+
-+	return false;
-+}
-+NOKPROBE_SYMBOL(openpax_emulate_trampoline_32);
-+
-+#ifdef CONFIG_X86_64
-+static inline
-+bool openpax_emulate_trampoline_64(struct pt_regs *regs)
-+{
-+	int err;
-+
-+	/* libffi trampoline type 1 */
-+	do {
-+		unsigned short mov1, mov2, jmp1;
-+		unsigned char stcclc, jmp2;
-+		unsigned long addr1, addr2;
-+
-+		err = get_user(mov1, (unsigned short __user *) regs->ip);
-+		err |= get_user(addr1, (unsigned long __user *) (regs->ip + 2));
-+		err |= get_user(mov2, (unsigned short __user *) (regs->ip + 10));
-+		err |= get_user(addr2, (unsigned long __user *) (regs->ip + 12));
-+		err |= get_user(stcclc, (unsigned char __user *) (regs->ip + 20));
-+		err |= get_user(jmp1, (unsigned short __user *) (regs->ip + 21));
-+		err |= get_user(jmp2, (unsigned char __user *) (regs->ip + 23));
-+
-+		if (err)
-+			break;
-+
-+		if (mov1 == 0xBB49 && mov2 == 0xBA49 && (stcclc == 0xF8 || stcclc == 0xF9) && jmp1 == 0xFF49 && jmp2 == 0xE3) {
-+			regs->r11 = addr1;
-+			regs->r10 = addr2;
-+
-+			if (stcclc == 0xF8)
-+				regs->flags &= ~X86_EFLAGS_CF;
-+			else
-+				regs->flags |= X86_EFLAGS_CF;
-+
-+			regs->ip = addr1;
-+			return true;
-+		}
-+	} while (0);
-+
-+	/* gcc trampoline type 1 */
-+	do {
-+		unsigned short mov1, mov2, jmp1;
-+		unsigned char jmp2;
-+		unsigned int addr1;
-+		unsigned long addr2;
-+
-+		err = get_user(mov1, (unsigned short __user *) regs->ip);
-+		err |= get_user(addr1, (unsigned int __user *) (regs->ip + 2));
-+		err |= get_user(mov2, (unsigned short __user *) (regs->ip + 6));
-+		err |= get_user(addr2, (unsigned long __user *) (regs->ip + 8));
-+		err |= get_user(jmp1, (unsigned short __user *) (regs->ip + 16));
-+		err |= get_user(jmp2, (unsigned char __user *) (regs->ip + 18));
-+
-+		if (err)
-+			break;
-+
-+		if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
-+			regs->r11 = addr1;
-+			regs->r10 = addr2;
-+			regs->ip = addr1;
-+			return true;
-+		}
-+	} while (0);
-+
-+	/* gcc trampoline type 2 */
-+	do {
-+		unsigned short mov1, mov2, jmp1;
-+		unsigned char jmp2;
-+		unsigned long addr1, addr2;
-+
-+		err = get_user(mov1, (unsigned short __user *) regs->ip);
-+		err |= get_user(addr1, (unsigned long __user *) (regs->ip + 2));
-+		err |= get_user(mov2, (unsigned short __user *) (regs->ip + 10));
-+		err |= get_user(addr2, (unsigned long __user *) (regs->ip + 12));
-+		err |= get_user(jmp1, (unsigned short __user *) (regs->ip + 20));
-+		err |= get_user(jmp2, (unsigned char __user *) (regs->ip + 22));
-+
-+		if (err)
-+			break;
-+
-+		if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
-+			regs->r11 = addr1;
-+			regs->r10 = addr2;
-+			regs->ip = addr1;
-+			return true;
-+		}
-+	} while (0);
-+
-+	return false;
-+}
-+NOKPROBE_SYMBOL(openpax_emulate_trampoline_64);
-+#endif
-+
-+/*
-+ * Emulate a trampoline.  Returns false if emulation failed, meaning
-+ * that the task should be killed.
-+ */
-+static inline
-+bool openpax_emulate_trampoline(struct pt_regs *regs)
-+{
-+	if (v8086_mode(regs))
-+		return false;
-+
-+	if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
-+		return openpax_emulate_trampoline_32(regs);
-+#ifdef CONFIG_X86_64
-+	else
-+		return openpax_emulate_trampoline_64(regs);
-+#endif
-+
-+	return false;
-+}
-+NOKPROBE_SYMBOL(openpax_emulate_trampoline);
-+#endif
-+
- /*
-  * Handle faults in the user portion of the address space.  Nothing in here
-  * should check X86_PF_USER without a specific justification: for almost
-@@ -1322,6 +1533,13 @@ void do_user_addr_fault(struct pt_regs *regs,
- 	}
- #endif
- 
-+#ifdef CONFIG_OPENPAX_EMUTRAMP
-+	if (openpax_fault_is_trampoline(error_code, regs, address)) {
-+		if (openpax_emulate_trampoline(regs))
-+			return;
-+	}
-+#endif
-+
- 	if (!(flags & FAULT_FLAG_USER))
- 		goto lock_mmap;
- 
-diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 8054f44d39cf..00f436d6d0a8 100644
--- a/fs/binfmt_elf.c
-+++ b/fs/binfmt_elf.c
-@@ -47,6 +47,7 @@
- #include <linux/dax.h>
- #include <linux/uaccess.h>
- #include <linux/rseq.h>
-+#include <linux/xattr.h>
- #include <asm/param.h>
- #include <asm/page.h>
- 
-@@ -822,6 +823,72 @@ static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,
- 	return ret == -ENOENT ? 0 : ret;
- }
- 
-+#ifdef CONFIG_OPENPAX
-+#ifdef CONFIG_OPENPAX_XATTR_PAX_FLAGS
-+static int openpax_parse_xattr_flags(struct file * const file)
-+{
-+	ssize_t xattr_size, i;
-+	unsigned char xattr_value[sizeof("pemrs") - 1];
-+
-+	xattr_size = pax_getxattr(file, xattr_value, sizeof xattr_value);
-+	if (xattr_size < 0 || xattr_size > sizeof xattr_value)
-+		return -ENOENT;
-+
-+	for (i = 0; i < xattr_size; i++)
-+		switch (xattr_value[i]) {
-+		default:
-+			return -EINVAL;
-+
-+#define parse_flag(option_disable, option_enable, flag)				\
-+		case option_disable:						\
-+			clear_bit(flag, &current->mm->pax_flags);		\
-+			break;							\
-+		case option_enable:						\
-+			set_bit(flag, &current->mm->pax_flags);			\
-+			break;
-+
-+		parse_flag('p', 'P', PAXF_PAGEEXEC);
-+		parse_flag('e', 'E', PAXF_EMUTRAMP);
-+		parse_flag('m', 'M', PAXF_MPROTECT);
-+		parse_flag('r', 'R', PAXF_RANDMMAP);
-+		parse_flag('s', 'S', PAXF_SEGMEXEC);
-+#undef parse_flag
-+		}
-+
-+	return 0;
-+}
-+#endif
-+
-+static int openpax_set_flags(struct file * const file, const int snapshot_randomize_va_space)
-+{
-+#ifdef CONFIG_OPENPAX_XATTR_PAX_FLAGS
-+	int error;
-+#endif
-+	current->mm->pax_flags = 0;
-+
-+	if (snapshot_randomize_va_space) {
-+		set_bit(PAXF_RANDMMAP, &current->mm->pax_flags);
-+	}
-+
-+	if (!pax_softmode) {
-+		set_bit(PAXF_PAGEEXEC, &current->mm->pax_flags);
-+		set_bit(PAXF_MPROTECT, &current->mm->pax_flags);
-+	}
-+
-+#ifdef CONFIG_OPENPAX_EMUTRAMP_DEFAULT
-+	set_bit(PAXF_EMUTRAMP, &current->mm->pax_flags);
-+#endif
-+
-+#ifdef CONFIG_OPENPAX_XATTR_PAX_FLAGS
-+	error = openpax_parse_xattr_flags(file);
-+	if (error != -ENOENT)
-+		return error;
-+#endif
-+
-+	return 0;
-+}
-+#endif
-+
- static int load_elf_binary(struct linux_binprm *bprm)
- {
- 	struct file *interpreter = NULL; /* to shut gcc up */
-@@ -1006,11 +1073,28 @@ static int load_elf_binary(struct linux_binprm *bprm)
- 	/* Do this immediately, since STACK_TOP as used in setup_arg_pages
- 	   may depend on the personality.  */
- 	SET_PERSONALITY2(*elf_ex, &arch_state);
-+
-+	const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);
-+
-+#ifdef CONFIG_OPENPAX
-+	retval = openpax_set_flags(bprm->file, snapshot_randomize_va_space);
-+	if (retval)
-+		goto out_free_dentry;
-+
-+	if (test_bit(PAXF_PAGEEXEC, &current->mm->pax_flags) || test_bit(PAXF_SEGMEXEC, &current->mm->pax_flags)) {
-+		executable_stack = EXSTACK_DISABLE_X;
-+		current->personality &= ~READ_IMPLIES_EXEC;
-+	} else
-+#endif
-+
- 	if (elf_read_implies_exec(*elf_ex, executable_stack))
- 		current->personality |= READ_IMPLIES_EXEC;
- 
-	const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);
-	if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space)
-+	if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space
-+#ifdef CONFIG_OPENPAX
-+	    && test_bit(PAXF_RANDMMAP, &current->mm->pax_flags)
-+#endif
-+	    )
- 		current->flags |= PF_RANDOMIZE;
- 
- 	setup_new_exec(bprm);
-diff --git a/fs/proc/array.c b/fs/proc/array.c
-index d6a0369caa93..242c8a969400 100644
--- a/fs/proc/array.c
-+++ b/fs/proc/array.c
-@@ -436,6 +436,18 @@ __weak void arch_proc_pid_thread_features(struct seq_file *m,
- {
- }
- 
-+#ifdef CONFIG_OPENPAX
-+static inline void task_pax(struct seq_file *m, struct mm_struct *mm)
-+{
-+	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
-+		   test_bit(PAXF_PAGEEXEC, &mm->pax_flags) ? 'P' : 'p',
-+		   test_bit(PAXF_EMUTRAMP, &mm->pax_flags) ? 'E' : 'e',
-+		   test_bit(PAXF_MPROTECT, &mm->pax_flags) ? 'M' : 'm',
-+		   test_bit(PAXF_RANDMMAP, &mm->pax_flags) ? 'R' : 'r',
-+		   test_bit(PAXF_SEGMEXEC, &mm->pax_flags) ? 'S' : 's');
-+}
-+#endif
-+
- int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
- 			struct pid *pid, struct task_struct *task)
- {
-@@ -452,6 +464,9 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
- 		task_core_dumping(m, task);
- 		task_thp_status(m, mm);
- 		task_untag_mask(m, mm);
-+#ifdef CONFIG_OPENPAX
-+		task_pax(m, mm);
-+#endif
- 		mmput(mm);
- 	}
- 	task_sig(m, task);
-diff --git a/fs/xattr.c b/fs/xattr.c
-index fabb2a04501e..76c2b5f8d6e6 100644
--- a/fs/xattr.c
-+++ b/fs/xattr.c
-@@ -424,6 +424,22 @@ __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name,
- }
- EXPORT_SYMBOL(__vfs_getxattr);
- 
-+#ifdef CONFIG_OPENPAX_XATTR_PAX_FLAGS
-+ssize_t
-+pax_getxattr(struct file *file, void *value, size_t size)
-+{
-+	struct inode *inode = file->f_path.dentry->d_inode;
-+	ssize_t error;
-+
-+	error = inode_permission(file_mnt_idmap(file), inode, MAY_EXEC);
-+	if (error)
-+		return error;
-+
-+	return __vfs_getxattr(file->f_path.dentry, inode, XATTR_NAME_USER_PAX_FLAGS, value, size);
-+}
-+EXPORT_SYMBOL(pax_getxattr);
-+#endif
-+
- ssize_t
- vfs_getxattr(struct mnt_idmap *idmap, struct dentry *dentry,
- 	     const char *name, void *value, size_t size)
-diff --git a/include/linux/init.h b/include/linux/init.h
-index ee1309473bc6..4abbce4cf60b 100644
--- a/include/linux/init.h
-+++ b/include/linux/init.h
-@@ -144,6 +144,7 @@ extern char __initdata boot_command_line[];
- extern char *saved_command_line;
- extern unsigned int saved_command_line_len;
- extern unsigned int reset_devices;
-+extern int pax_softmode;
- 
- /* used by init/main.c */
- void setup_arch(char **);
-diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
-index 0234f14f2aa6..fd8bd5517e4d 100644
--- a/include/linux/mm_types.h
-+++ b/include/linux/mm_types.h
-@@ -973,6 +973,9 @@ struct mm_struct {
- 		mm_context_t context;
- 
- 		unsigned long flags; /* Must use atomic bitops to access */
-+#ifdef CONFIG_OPENPAX
-+		unsigned long pax_flags;
-+#endif
- 
- #ifdef CONFIG_AIO
- 		spinlock_t			ioctx_lock;
-@@ -1656,4 +1659,12 @@ static inline unsigned long mmf_init_flags(unsigned long flags)
- 	return flags & MMF_INIT_MASK;
- }
- 
-+#ifdef CONFIG_OPENPAX
-+#define PAXF_PAGEEXEC		1
-+#define PAXF_EMUTRAMP		2
-+#define PAXF_MPROTECT		3
-+#define PAXF_RANDMMAP		4
-+#define PAXF_SEGMEXEC		5
-+#endif
-+
- #endif /* _LINUX_MM_TYPES_H */
-diff --git a/include/linux/mman.h b/include/linux/mman.h
-index a842783ffa62..e108371ff12e 100644
--- a/include/linux/mman.h
-+++ b/include/linux/mman.h
-@@ -197,12 +197,21 @@ static inline bool arch_memory_deny_write_exec_supported(void)
-  * we propose to set.
-  *
-  * Return: false if proposed change is OK, true if not ok and should be denied.
-+ *
-+ * Note: If OpenPaX is enabled, it will be assumed that we want to deny
-+ * PROT_WRITE | PROT_EXEC by default, unless the MPROTECT feature bit is
-+ * disabled on a binary.
-  */
- static inline bool map_deny_write_exec(unsigned long old, unsigned long new)
- {
- 	/* If MDWE is disabled, we have nothing to deny. */
-	if (!test_bit(MMF_HAS_MDWE, &current->mm->flags))
-+	if (
-+#ifdef CONFIG_OPENPAX_MPROTECT
-+	    !test_bit(PAXF_MPROTECT, &current->mm->pax_flags) &&
-+#endif
-+	    !test_bit(MMF_HAS_MDWE, &current->mm->flags)) {
- 		return false;
-+	}
- 
- 	/* If the new VMA is not executable, we have nothing to deny. */
- 	if (!(new & VM_EXEC))
-diff --git a/include/linux/xattr.h b/include/linux/xattr.h
-index 86b0d47984a1..c4ad3af7e1a2 100644
--- a/include/linux/xattr.h
-+++ b/include/linux/xattr.h
-@@ -25,6 +25,7 @@
- 
- struct inode;
- struct dentry;
-+struct file;
- 
- static inline bool is_posix_acl_xattr(const char *name)
- {
-@@ -75,6 +76,9 @@ struct xattr {
- 	size_t value_len;
- };
- 
-+#ifdef CONFIG_OPENPAX_XATTR_PAX_FLAGS
-+ssize_t pax_getxattr(struct file *, void *, size_t);
-+#endif
- ssize_t __vfs_getxattr(struct dentry *, struct inode *, const char *, void *, size_t);
- ssize_t vfs_getxattr(struct mnt_idmap *, struct dentry *, const char *,
- 		     void *, size_t);
-diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
-index 9854f9cff3c6..843787b91ef0 100644
--- a/include/uapi/linux/xattr.h
-+++ b/include/uapi/linux/xattr.h
-@@ -88,5 +88,10 @@ struct xattr_args {
- #define XATTR_POSIX_ACL_DEFAULT  "posix_acl_default"
- #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
- 
-+/* User namespace */
-+#define XATTR_PAX_PREFIX "pax."
-+#define XATTR_PAX_FLAGS_SUFFIX "flags"
-+#define XATTR_NAME_USER_PAX_FLAGS XATTR_USER_PREFIX XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
-+#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
- 
- #endif /* _UAPI_LINUX_XATTR_H */
-diff --git a/init/main.c b/init/main.c
-index 2a1757826397..4720dce1a3b9 100644
--- a/init/main.c
-+++ b/init/main.c
-@@ -188,6 +188,17 @@ static int __init set_reset_devices(char *str)
- 
- __setup("reset_devices", set_reset_devices);
- 
-+int pax_softmode;
-+
-+#ifdef CONFIG_OPENPAX_SOFTMODE
-+static int __init setup_pax_softmode(char *str)
-+{
-+	get_option(&str, &pax_softmode);
-+	return 1;
-+}
-+__setup("pax_softmode=", setup_pax_softmode);
-+#endif
-+
- static const char *argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
- const char *envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
- static const char *panic_later, *panic_param;
-diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 1d600ae89f15..44aff4b84516 100644
--- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -1647,6 +1647,18 @@ int proc_do_static_key(const struct ctl_table *table, int write,
- 	return ret;
- }
- 
-+#ifdef CONFIG_OPENPAX_SOFTMODE
-+static const struct ctl_table pax_table[] = {
-+	{
-+		.procname       = "softmode",
-+		.data           = &pax_softmode,
-+		.maxlen         = sizeof(int),
-+		.mode           = 0600,
-+		.proc_handler   = proc_dointvec,
-+	},
-+};
-+#endif
-+
- static const struct ctl_table kern_table[] = {
- 	{
- 		.procname	= "panic",
-@@ -2279,6 +2291,9 @@ int __init sysctl_init_bases(void)
- {
- 	register_sysctl_init("kernel", kern_table);
- 	register_sysctl_init("vm", vm_table);
-+#ifdef CONFIG_OPENPAX_SOFTMODE
-+	register_sysctl_init("kernel/pax", pax_table);
-+#endif
- 
- 	return 0;
- }
-diff --git a/security/Kconfig b/security/Kconfig
-index adc4a853ce0d..e9cfe77f08e0 100644
--- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -311,6 +311,7 @@ config LSM
- 	  If unsure, leave this as the default.
- 
- source "security/Kconfig.hardening"
-+source "security/Kconfig.openpax"
- 
- endmenu
- 
-diff --git a/security/Kconfig.openpax b/security/Kconfig.openpax
-new file mode 100644
-index 000000000000..76ee145094d9
--- /dev/null
-+++ b/security/Kconfig.openpax
-@@ -0,0 +1,89 @@
-+#
-+# OpenPaX configuration
-+#
-+
-+menu "OpenPaX options"
-+
-+config OPENPAX
-+	bool "Enable OpenPaX features"
-+	default y
-+	help
-+	  This configuration setting enables OpenPaX features.
-+	  OpenPaX adds memory safety-related defenses to the kernel which
-+	  reduce the risks posed by exploitable memory safety bugs.
-+
-+config OPENPAX_SOFTMODE
-+	bool "Support PaX soft mode"
-+	default y
-+	help
-+	  Enabling this option will allow you to configure OpenPaX
-+	  features to run in soft mode.  In this mode, OpenPaX features
-+	  will be disabled by default, only running on applications
-+	  which explicitly enable them.
-+	
-+	  Soft mode can be enabled via the kernel.pax.softmode sysctl,
-+	  or the pax_softmode=1 kernel command-line option.
-+
-+config OPENPAX_XATTR_PAX_FLAGS
-+	bool "Use filesystem extended attributes to modify OpenPaX features"
-+	depends on OPENPAX
-+	default y
-+	help
-+	  Enabling this option will allow you to control whether
-+	  OpenPaX features are enabled on a per-executable basis via
-+	  xattr attributes.
-+	
-+	  For compatibility with the original PaX patch, the feature
-+	  flags are read from the user.pax.flags extended attribute.
-+	
-+	  If you disable this feature, then all applications will run
-+	  with OpenPaX enabled by default.
-+
-+config OPENPAX_MPROTECT
-+	bool "Enforce W^X for memory mappings"
-+	depends on OPENPAX
-+	default y
-+	help
-+	  Enabling this option prevents programs from making pages
-+	  executable when they are also writable.  In addition, it
-+	  also denies transition of writable mappings to executable
-+	  mappings.
-+	
-+	  This feature is known to break programs which depend on
-+	  just-in-time (JIT) compilation.  It is advisable to enable
-+	  this feature system-wide, but mark programs which have
-+	  JIT compilation appropriately so the W^X enforcement is
-+	  disabled for them.
-+
-+config OPENPAX_EMUTRAMP
-+	bool "Emulate stack and heap trampolines"
-+	depends on OPENPAX
-+	default y
-+	help
-+	  Enabling this option allows programs to depend on common
-+	  types of stack and heap trampolines (such as the ones
-+	  generated by GCC and libffi) to continue working despite
-+	  the stack and heap being non-executable memory.
-+	
-+	  This option works by intercepting the page faults caused
-+	  by executing code in non-executable memory and emulating
-+	  the side effects that would have happened from executing
-+	  the trampoline.
-+	
-+	  Most likely, you should say 'y' here.
-+
-+config OPENPAX_EMUTRAMP_DEFAULT
-+	bool "Enable trampoline emulation by default"
-+	depends on OPENPAX_EMUTRAMP
-+	default y
-+	help
-+	  Enabling this option allows programs which require
-+	  trampolines to be emulated to continue working by default.
-+
-+	  Otherwise, the emulation flag must be enabled in a binary's
-+	  PaX marking, e.g. with paxmark -E <binary>.
-+
-+	  If you do not say 'y' here, you will have to manually mark
-+	  all programs which require trampoline emulation.
-+
-+endmenu
-- 
-2.49.0
-
--- a/sys-kernel/hardened-kernel/files/linux-6.15.amd64.config
+++ b/sys-kernel/hardened-kernel/files/linux-6.15.amd64.config
@@ -1,28 +1,26 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.14.6-hardened1 Kernel Configuration
+# Linux/x86 6.15.8-hardened2 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="gcc (Gentoo Hardened 14.2.1_p20241221 p7) 14.2.1 20241221"
+CONFIG_CC_VERSION_TEXT="gcc (Gentoo Hardened 14.3.0 p8) 14.3.0"
 CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=140201
+CONFIG_GCC_VERSION=140300
 CONFIG_CLANG_VERSION=0
 CONFIG_AS_IS_GNU=y
 CONFIG_AS_VERSION=24400
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=24400
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=108501
-CONFIG_RUSTC_LLVM_VERSION=190107
+CONFIG_RUSTC_VERSION=0
+CONFIG_RUSTC_LLVM_VERSION=0
 CONFIG_CC_CAN_LINK=y
-CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
 CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
 CONFIG_TOOLS_SUPPORT_RELR=y
 CONFIG_CC_HAS_ASM_INLINE=y
 CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
 CONFIG_LD_CAN_USE_KEEP_IN_OVERLAY=y
-CONFIG_RUSTC_HAS_COERCE_POINTEE=y
-CONFIG_PAHOLE_VERSION=129
+CONFIG_PAHOLE_VERSION=130
 CONFIG_IRQ_WORK=y
 CONFIG_BUILDTIME_TABLE_SORT=y
 CONFIG_THREAD_INFO_IN_TASK=y
@@ -76,7 +74,6 @@ CONFIG_HARDIRQS_SW_RESEND=y
 CONFIG_IRQ_DOMAIN=y
 CONFIG_IRQ_DOMAIN_HIERARCHY=y
 CONFIG_GENERIC_MSI_IRQ=y
-CONFIG_IRQ_MSI_IOMMU=y
 CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y
 CONFIG_GENERIC_IRQ_RESERVATION_MODE=y
 CONFIG_GENERIC_IRQ_STAT_SNAPSHOT=y
@@ -222,7 +219,6 @@ CONFIG_CGROUP_FREEZER=y
 CONFIG_CGROUP_HUGETLB=y
 CONFIG_CPUSETS=y
 # CONFIG_CPUSETS_V1 is not set
-CONFIG_PROC_PID_CPUSET=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_CPUACCT=y
 CONFIG_CGROUP_PERF=y
@@ -261,12 +257,12 @@ CONFIG_LD_ORPHAN_WARN_LEVEL="error"
 CONFIG_SYSCTL=y
 CONFIG_HAVE_UID16=y
 CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_SYSFS_SYSCALL=y
 CONFIG_HAVE_PCSPKR_PLATFORM=y
 # CONFIG_EXPERT is not set
 CONFIG_UID16=y
 CONFIG_MULTIUSER=y
 CONFIG_SGETMASK_SYSCALL=y
-CONFIG_SYSFS_SYSCALL=y
 CONFIG_FHANDLE=y
 CONFIG_POSIX_TIMERS=y
 CONFIG_PRINTK=y
@@ -290,8 +286,8 @@ CONFIG_CACHESTAT_SYSCALL=y
 CONFIG_KALLSYMS=y
 # CONFIG_KALLSYMS_SELFTEST is not set
 # CONFIG_KALLSYMS_ALL is not set
-CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y
 CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
+CONFIG_ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS=y
 CONFIG_HAVE_PERF_EVENTS=y
 CONFIG_GUEST_PERF_EVENTS=y

@@ -340,7 +336,6 @@ CONFIG_X86_64_SMP=y
 CONFIG_ARCH_SUPPORTS_UPROBES=y
 CONFIG_FIX_EARLYCON_MEM=y
 CONFIG_PGTABLE_LEVELS=4
-CONFIG_CC_HAS_SANE_STACKPROTECTOR=y

 #
 # Processor type and features
@@ -350,6 +345,7 @@ CONFIG_X86_X2APIC=y
 CONFIG_X86_POSTED_MSI=y
 CONFIG_X86_MPPARSE=y
 CONFIG_X86_CPU_RESCTRL=y
+CONFIG_RESCTRL_FS_PSEUDO_LOCK=y
 CONFIG_X86_FRED=y
 # CONFIG_X86_EXTENDED_PLATFORM is not set
 CONFIG_X86_INTEL_LPSS=y
@@ -372,61 +368,17 @@ CONFIG_PARAVIRT_CLOCK=y
 # CONFIG_JAILHOUSE_GUEST is not set
 # CONFIG_ACRN_GUEST is not set
 # CONFIG_INTEL_TDX_GUEST is not set
-# CONFIG_MK8 is not set
-# CONFIG_MK8SSE3 is not set
-# CONFIG_MK10 is not set
-# CONFIG_MBARCELONA is not set
-# CONFIG_MBOBCAT is not set
-# CONFIG_MJAGUAR is not set
-# CONFIG_MBULLDOZER is not set
-# CONFIG_MPILEDRIVER is not set
-# CONFIG_MSTEAMROLLER is not set
-# CONFIG_MEXCAVATOR is not set
-# CONFIG_MZEN is not set
-# CONFIG_MZEN2 is not set
-# CONFIG_MZEN3 is not set
-# CONFIG_MZEN4 is not set
-# CONFIG_MZEN5 is not set
-# CONFIG_MPSC is not set
-# CONFIG_MATOM is not set
-# CONFIG_MCORE2 is not set
-# CONFIG_MNEHALEM is not set
-# CONFIG_MWESTMERE is not set
-# CONFIG_MSILVERMONT is not set
-# CONFIG_MGOLDMONT is not set
-# CONFIG_MGOLDMONTPLUS is not set
-# CONFIG_MSANDYBRIDGE is not set
-# CONFIG_MIVYBRIDGE is not set
-# CONFIG_MHASWELL is not set
-# CONFIG_MBROADWELL is not set
-# CONFIG_MSKYLAKE is not set
-# CONFIG_MSKYLAKEX is not set
-# CONFIG_MCANNONLAKE is not set
-# CONFIG_MICELAKE_CLIENT is not set
-# CONFIG_MICELAKE_SERVER is not set
-# CONFIG_MCASCADELAKE is not set
-# CONFIG_MCOOPERLAKE is not set
-# CONFIG_MTIGERLAKE is not set
-# CONFIG_MSAPPHIRERAPIDS is not set
-# CONFIG_MROCKETLAKE is not set
-# CONFIG_MALDERLAKE is not set
-# CONFIG_MRAPTORLAKE is not set
-# CONFIG_MMETEORLAKE is not set
-# CONFIG_MEMERALDRAPIDS is not set
-CONFIG_GENERIC_CPU=y
-# CONFIG_MNATIVE_INTEL is not set
-# CONFIG_MNATIVE_AMD is not set
-CONFIG_X86_64_VERSION=2
 CONFIG_X86_INTERNODE_CACHE_SHIFT=6
 CONFIG_X86_L1_CACHE_SHIFT=6
 CONFIG_X86_TSC=y
 CONFIG_X86_HAVE_PAE=y
-CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CX8=y
 CONFIG_X86_CMOV=y
 CONFIG_X86_MINIMUM_CPU_FAMILY=64
 CONFIG_X86_DEBUGCTLMSR=y
 CONFIG_IA32_FEAT_CTL=y
 CONFIG_X86_VMX_FEATURE_NAMES=y
+CONFIG_BROADCAST_TLB_FLUSH=y
 CONFIG_CPU_SUP_INTEL=y
 CONFIG_CPU_SUP_AMD=y
 CONFIG_CPU_SUP_HYGON=y
@@ -540,8 +492,7 @@ CONFIG_HOTPLUG_CPU=y
 # CONFIG_LEGACY_VSYSCALL_XONLY is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 CONFIG_CMDLINE_BOOL=y
-CONFIG_CMDLINE="vdso32=0 page_poison=1 page_alloc.shuffle=1 slab_nomerge pti=on"
-# CONFIG_CMDLINE_OVERRIDE is not set
+CONFIG_CMDLINE=""
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # CONFIG_STRICT_SIGALTSTACK_SIZE is not set
 CONFIG_HAVE_LIVEPATCH=y
@@ -583,6 +534,8 @@ CONFIG_MITIGATION_SPECTRE_V1=y
 CONFIG_MITIGATION_SPECTRE_V2=y
 CONFIG_MITIGATION_SRBDS=y
 CONFIG_MITIGATION_SSB=y
+CONFIG_MITIGATION_ITS=y
+CONFIG_MITIGATION_TSA=y
 CONFIG_ARCH_HAS_ADD_PAGES=y

 #
@@ -709,6 +662,7 @@ CONFIG_X86_AMD_FREQ_SENSITIVITY=m
 #
 # shared options
 #
+CONFIG_CPUFREQ_ARCH_CUR_FREQ=y
 # end of CPU Frequency scaling

 #
@@ -770,6 +724,7 @@ CONFIG_HAVE_KVM_PM_NOTIFIER=y
 CONFIG_KVM_GENERIC_HARDWARE_ENABLING=y
 CONFIG_KVM_GENERIC_MMU_NOTIFIER=y
 CONFIG_KVM_ELIDE_TLB_FLUSH_IF_YOUNG=y
+CONFIG_KVM_MMU_LOCKLESS_AGING=y
 CONFIG_KVM_GENERIC_MEMORY_ATTRIBUTES=y
 CONFIG_KVM_PRIVATE_MEM=y
 CONFIG_KVM_GENERIC_PRIVATE_MEM=y
@@ -787,6 +742,30 @@ CONFIG_KVM_SMM=y
 # CONFIG_KVM_XEN is not set
 CONFIG_KVM_EXTERNAL_WRITE_TRACKING=y
 CONFIG_KVM_MAX_NR_VCPUS=1024
+CONFIG_X86_REQUIRED_FEATURE_ALWAYS=y
+CONFIG_X86_REQUIRED_FEATURE_NOPL=y
+CONFIG_X86_REQUIRED_FEATURE_CX8=y
+CONFIG_X86_REQUIRED_FEATURE_CMOV=y
+CONFIG_X86_REQUIRED_FEATURE_CPUID=y
+CONFIG_X86_REQUIRED_FEATURE_FPU=y
+CONFIG_X86_REQUIRED_FEATURE_PAE=y
+CONFIG_X86_REQUIRED_FEATURE_PSE=y
+CONFIG_X86_REQUIRED_FEATURE_PGE=y
+CONFIG_X86_REQUIRED_FEATURE_MSR=y
+CONFIG_X86_REQUIRED_FEATURE_FXSR=y
+CONFIG_X86_REQUIRED_FEATURE_XMM=y
+CONFIG_X86_REQUIRED_FEATURE_XMM2=y
+CONFIG_X86_REQUIRED_FEATURE_LM=y
+CONFIG_X86_DISABLED_FEATURE_VME=y
+CONFIG_X86_DISABLED_FEATURE_K6_MTRR=y
+CONFIG_X86_DISABLED_FEATURE_CYRIX_ARR=y
+CONFIG_X86_DISABLED_FEATURE_CENTAUR_MCR=y
+CONFIG_X86_DISABLED_FEATURE_LA57=y
+CONFIG_X86_DISABLED_FEATURE_LAM=y
+CONFIG_X86_DISABLED_FEATURE_SGX=y
+CONFIG_X86_DISABLED_FEATURE_XENPV=y
+CONFIG_X86_DISABLED_FEATURE_TDX_GUEST=y
+CONFIG_X86_DISABLED_FEATURE_USER_SHSTK=y
 CONFIG_AS_AVX512=y
 CONFIG_AS_SHA1_NI=y
 CONFIG_AS_SHA256_NI=y
@@ -897,6 +876,7 @@ CONFIG_ARCH_WANT_PMD_MKWRITE=y
 CONFIG_HAVE_ARCH_SOFT_DIRTY=y
 CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
 CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_ARCH_HAS_EXECMEM_ROX=y
 CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
 CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y
 CONFIG_SOFTIRQ_ON_OWN_STACK=y
@@ -950,6 +930,7 @@ CONFIG_DYNAMIC_SIGFRAME=y
 CONFIG_ARCH_HAS_HW_PTE_YOUNG=y
 CONFIG_ARCH_HAS_NONLEAF_PMD_YOUNG=y
 CONFIG_ARCH_HAS_KERNEL_FPU_SUPPORT=y
+CONFIG_ARCH_VMLINUX_NEEDS_RELOCS=y

 #
 # GCOV-based kernel profiling
@@ -1112,12 +1093,8 @@ CONFIG_ZSWAP_SHRINKER_DEFAULT_ON=y
 # CONFIG_ZSWAP_COMPRESSOR_DEFAULT_LZ4HC is not set
 CONFIG_ZSWAP_COMPRESSOR_DEFAULT_ZSTD=y
 CONFIG_ZSWAP_COMPRESSOR_DEFAULT="zstd"
-# CONFIG_ZSWAP_ZPOOL_DEFAULT_ZBUD is not set
-# CONFIG_ZSWAP_ZPOOL_DEFAULT_Z3FOLD_DEPRECATED is not set
 CONFIG_ZSWAP_ZPOOL_DEFAULT_ZSMALLOC=y
 CONFIG_ZSWAP_ZPOOL_DEFAULT="zsmalloc"
-CONFIG_ZBUD=y
-# CONFIG_Z3FOLD_DEPRECATED is not set
 CONFIG_ZSMALLOC=y
 # CONFIG_ZSMALLOC_STAT is not set
 CONFIG_ZSMALLOC_CHAIN_SIZE=8
@@ -1126,6 +1103,7 @@ CONFIG_ZSMALLOC_CHAIN_SIZE=8
 # Slab allocator options
 #
 CONFIG_SLUB=y
+CONFIG_KVFREE_RCU_BATCHED=y
 # CONFIG_SLAB_MERGE_DEFAULT is not set
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
@@ -1142,8 +1120,10 @@ CONFIG_SPARSEMEM=y
 CONFIG_SPARSEMEM_EXTREME=y
 CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
 CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_SPARSEMEM_VMEMMAP_PREINIT=y
 CONFIG_ARCH_WANT_OPTIMIZE_DAX_VMEMMAP=y
 CONFIG_ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP=y
+CONFIG_ARCH_WANT_HUGETLB_VMEMMAP_PREINIT=y
 CONFIG_HAVE_GUP_FAST=y
 CONFIG_NUMA_KEEP_MEMINFO=y
 CONFIG_MEMORY_ISOLATION=y
@@ -1182,12 +1162,15 @@ CONFIG_MEMORY_FAILURE=y
 # CONFIG_HWPOISON_INJECT is not set
 CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
 CONFIG_ARCH_WANTS_THP_SWAP=y
+CONFIG_MM_ID=y
 CONFIG_TRANSPARENT_HUGEPAGE=y
 # CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS is not set
 CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y
 # CONFIG_TRANSPARENT_HUGEPAGE_NEVER is not set
 CONFIG_THP_SWAP=y
 CONFIG_READ_ONLY_THP_FOR_FS=y
+# CONFIG_NO_PAGE_MAPCOUNT is not set
+CONFIG_PAGE_MAPCOUNT=y
 CONFIG_PGTABLE_HAS_HUGE_LEAVES=y
 CONFIG_ARCH_SUPPORTS_HUGE_PFNMAP=y
 CONFIG_ARCH_SUPPORTS_PMD_PFNMAP=y
@@ -1978,6 +1961,7 @@ CONFIG_PCI_REALLOC_ENABLE_AUTO=y
 CONFIG_PCI_STUB=m
 # CONFIG_PCI_PF_STUB is not set
 CONFIG_PCI_ATS=y
+CONFIG_PCI_DOE=y
 CONFIG_PCI_LOCKLESS_CONFIG=y
 CONFIG_PCI_IOV=y
 CONFIG_PCI_PRI=y
@@ -2034,6 +2018,8 @@ CONFIG_HOTPLUG_PCI_ACPI_IBM=m
 # CONFIG_PCI_SW_SWITCHTEC is not set
 # end of PCI switch controller drivers

+CONFIG_PCI_PWRCTL=m
+CONFIG_PCI_PWRCTL_SLOT=m
 # CONFIG_CXL_BUS is not set
 # CONFIG_PCCARD is not set
 # CONFIG_RAPIDIO is not set
@@ -2154,6 +2140,7 @@ CONFIG_UEFI_CPER_X86=y
 # end of Tegra firmware driver
 # end of Firmware Drivers

+CONFIG_FWCTL=m
 # CONFIG_GNSS is not set
 # CONFIG_MTD is not set
 # CONFIG_OF is not set
@@ -2654,6 +2641,7 @@ CONFIG_BCM_NET_PHYLIB=m
 #
 # CONFIG_MCTP_SERIAL is not set
 # CONFIG_MCTP_TRANSPORT_I3C is not set
+# CONFIG_MCTP_TRANSPORT_USB is not set
 # end of MCTP Device Drivers

 CONFIG_MDIO_DEVICE=m
@@ -2772,6 +2760,7 @@ CONFIG_IWLWIFI=m
 CONFIG_IWLWIFI_LEDS=y
 CONFIG_IWLDVM=m
 CONFIG_IWLMVM=m
+CONFIG_IWLMLD=m
 CONFIG_IWLWIFI_OPMODE_MODULAR=y

 #
@@ -3029,6 +3018,7 @@ CONFIG_SERIAL_8250_DWLIB=y
 CONFIG_SERIAL_8250_LPSS=y
 CONFIG_SERIAL_8250_MID=y
 CONFIG_SERIAL_8250_PERICOM=y
+# CONFIG_SERIAL_8250_NI is not set

 #
 # Non-8250 serial port support
@@ -3392,6 +3382,7 @@ CONFIG_SENSORS_DRIVETEMP=m
 # CONFIG_SENSORS_G762 is not set
 # CONFIG_SENSORS_HIH6130 is not set
 # CONFIG_SENSORS_HS3001 is not set
+# CONFIG_SENSORS_HTU31 is not set
 # CONFIG_SENSORS_I5500 is not set
 CONFIG_SENSORS_CORETEMP=m
 # CONFIG_SENSORS_ISL28022 is not set
@@ -3592,6 +3583,7 @@ CONFIG_WATCHDOG_SYSFS=y
 #
 # CONFIG_SOFT_WATCHDOG is not set
 # CONFIG_LENOVO_SE10_WDT is not set
+# CONFIG_LENOVO_SE30_WDT is not set
 # CONFIG_WDAT_WDT is not set
 # CONFIG_XILINX_WATCHDOG is not set
 # CONFIG_ZIIRAVE_WATCHDOG is not set
@@ -3697,6 +3689,7 @@ CONFIG_MFD_INTEL_LPSS_PCI=m
 # CONFIG_MFD_MAX14577 is not set
 # CONFIG_MFD_MAX77541 is not set
 # CONFIG_MFD_MAX77693 is not set
+# CONFIG_MFD_MAX77705 is not set
 # CONFIG_MFD_MAX77843 is not set
 # CONFIG_MFD_MAX8907 is not set
 # CONFIG_MFD_MAX8925 is not set
@@ -3710,7 +3703,6 @@ CONFIG_MFD_INTEL_LPSS_PCI=m
 # CONFIG_EZX_PCAP is not set
 # CONFIG_MFD_VIPERBOARD is not set
 # CONFIG_MFD_RETU is not set
-# CONFIG_MFD_PCF50633 is not set
 # CONFIG_MFD_SY7636A is not set
 # CONFIG_MFD_RDC321X is not set
 # CONFIG_MFD_RT4831 is not set
@@ -4013,15 +4005,6 @@ CONFIG_DRM_GEM_SHMEM_HELPER=y
 CONFIG_DRM_SUBALLOC_HELPER=m
 CONFIG_DRM_SCHED=m

-#
-# I2C encoder or helper chips
-#
-# CONFIG_DRM_I2C_CH7006 is not set
-# CONFIG_DRM_I2C_SIL164 is not set
-# CONFIG_DRM_I2C_NXP_TDA998X is not set
-# CONFIG_DRM_I2C_NXP_TDA9950 is not set
-# end of I2C encoder or helper chips
-
 #
 # ARM devices
 #
@@ -4058,6 +4041,8 @@ CONFIG_NOUVEAU_DEBUG_DEFAULT=3
 # CONFIG_NOUVEAU_DEBUG_PUSH is not set
 CONFIG_DRM_NOUVEAU_BACKLIGHT=y
 # CONFIG_DRM_NOUVEAU_GSP_DEFAULT is not set
+# CONFIG_DRM_NOUVEAU_CH7006 is not set
+# CONFIG_DRM_NOUVEAU_SIL164 is not set
 CONFIG_DRM_I915=m
 CONFIG_DRM_I915_FORCE_PROBE=""
 CONFIG_DRM_I915_CAPTURE_ERROR=y
@@ -4103,11 +4088,13 @@ CONFIG_DRM_PANEL_BRIDGE=y
 #
 # Display Interface Bridges
 #
+# CONFIG_DRM_I2C_NXP_TDA998X is not set
 # CONFIG_DRM_ANALOGIX_ANX78XX is not set
 # end of Display Interface Bridges

 # CONFIG_DRM_ETNAVIV is not set
 # CONFIG_DRM_HISI_HIBMC is not set
+# CONFIG_DRM_APPLETBDRM is not set
 CONFIG_DRM_BOCHS=m
 # CONFIG_DRM_CIRRUS_QEMU is not set
 # CONFIG_DRM_GM12U320 is not set
@@ -4251,6 +4238,7 @@ CONFIG_SOUND=y
 CONFIG_SND=m
 CONFIG_SND_TIMER=m
 CONFIG_SND_PCM=m
+CONFIG_SND_PCM_ELD=y
 CONFIG_SND_HWDEP=m
 CONFIG_SND_SEQ_DEVICE=m
 CONFIG_SND_RAWMIDI=m
@@ -4584,6 +4572,7 @@ CONFIG_SND_SOC_I2C_AND_SPI=m
 # CONFIG_SND_SOC_ALC5623 is not set
 # CONFIG_SND_SOC_AW8738 is not set
 # CONFIG_SND_SOC_AW88395 is not set
+# CONFIG_SND_SOC_AW88166 is not set
 # CONFIG_SND_SOC_AW88261 is not set
 # CONFIG_SND_SOC_AW88081 is not set
 # CONFIG_SND_SOC_AW87390 is not set
@@ -4775,6 +4764,8 @@ CONFIG_HID_A4TECH=m
 # CONFIG_HID_ACRUX is not set
 # CONFIG_HID_APPLE is not set
 # CONFIG_HID_APPLEIR is not set
+# CONFIG_HID_APPLETB_BL is not set
+# CONFIG_HID_APPLETB_KBD is not set
 # CONFIG_HID_ASUS is not set
 # CONFIG_HID_AUREAL is not set
 # CONFIG_HID_BELKIN is not set
@@ -4823,13 +4814,6 @@ CONFIG_HID_XIAOMI=m
 # CONFIG_HID_LED is not set
 CONFIG_HID_LENOVO=m
 # CONFIG_HID_LETSKETCH is not set
-CONFIG_HID_LOGITECH=m
-CONFIG_HID_LOGITECH_DJ=m
-CONFIG_HID_LOGITECH_HIDPP=m
-# CONFIG_LOGITECH_FF is not set
-# CONFIG_LOGIRUMBLEPAD2_FF is not set
-# CONFIG_LOGIG940_FF is not set
-# CONFIG_LOGIWHEELS_FF is not set
 # CONFIG_HID_MAGICMOUSE is not set
 # CONFIG_HID_MALTRON is not set
 # CONFIG_HID_MAYFLASH is not set
@@ -5144,6 +5128,7 @@ CONFIG_UCSI_ACPI=m
 # CONFIG_TYPEC_MUX_INTEL_PMC is not set
 # CONFIG_TYPEC_MUX_IT5205 is not set
 # CONFIG_TYPEC_MUX_NB7VPQ904M is not set
+# CONFIG_TYPEC_MUX_PS883X is not set
 # CONFIG_TYPEC_MUX_PTN36502 is not set
 # CONFIG_TYPEC_MUX_TUSB1046 is not set
 # CONFIG_TYPEC_MUX_WCD939X_USBSS is not set
@@ -5265,7 +5250,7 @@ CONFIG_LEDS_TRIGGER_HEARTBEAT=m
 # CONFIG_LEDS_TRIGGER_INPUT_EVENTS is not set

 #
-# Simple LED drivers
+# Simatic LED drivers
 #
 # CONFIG_ACCESSIBILITY is not set
 # CONFIG_INFINIBAND is not set
@@ -5276,6 +5261,9 @@ CONFIG_EDAC=y
 # CONFIG_EDAC_DEBUG is not set
 CONFIG_EDAC_DECODE_MCE=m
 # CONFIG_EDAC_GHES is not set
+CONFIG_EDAC_SCRUB=y
+CONFIG_EDAC_ECS=y
+CONFIG_EDAC_MEM_REPAIR=y
 CONFIG_EDAC_AMD64=m
 # CONFIG_EDAC_E752X is not set
 # CONFIG_EDAC_I82975X is not set
@@ -5463,7 +5451,6 @@ CONFIG_VFIO_VIRQFD=y
 # VFIO support for PCI devices
 #
 CONFIG_VFIO_PCI_CORE=m
-CONFIG_VFIO_PCI_MMAP=y
 CONFIG_VFIO_PCI_INTX=y
 CONFIG_VFIO_PCI=m
 CONFIG_VFIO_PCI_VGA=y
@@ -5564,6 +5551,7 @@ CONFIG_AMD_WBRF=y
 CONFIG_WIRELESS_HOTKEY=m
 # CONFIG_IBM_RTL is not set
 CONFIG_IDEAPAD_LAPTOP=m
+CONFIG_LENOVO_WMI_HOTKEY_UTILITIES=m
 CONFIG_LENOVO_YMC=m
 CONFIG_SENSORS_HDAPS=m
 CONFIG_THINKPAD_ACPI=m
@@ -5616,6 +5604,7 @@ CONFIG_INTEL_VSEC=m
 # CONFIG_MSI_LAPTOP is not set
 # CONFIG_MSI_WMI is not set
 # CONFIG_MSI_WMI_PLATFORM is not set
+# CONFIG_SAMSUNG_GALAXYBOOK is not set
 # CONFIG_SAMSUNG_LAPTOP is not set
 # CONFIG_SAMSUNG_Q10 is not set
 # CONFIG_TOSHIBA_BT_RFKILL is not set
@@ -5629,7 +5618,6 @@ CONFIG_INTEL_VSEC=m
 # CONFIG_SYSTEM76_ACPI is not set
 # CONFIG_TOPSTAR_LAPTOP is not set
 # CONFIG_SERIAL_MULTI_INSTANTIATE is not set
-# CONFIG_MLX_PLATFORM is not set
 # CONFIG_INSPUR_PLATFORM_PROFILE is not set
 # CONFIG_LENOVO_WMI_CAMERA is not set
 CONFIG_FW_ATTR_CLASS=m
@@ -6141,7 +6129,6 @@ CONFIG_PSTORE_BLK=y
 CONFIG_PSTORE_BLK_BLKDEV=""
 CONFIG_PSTORE_BLK_KMSG_SIZE=64
 CONFIG_PSTORE_BLK_MAX_REASON=2
-# CONFIG_SYSV_FS is not set
 # CONFIG_UFS_FS is not set
 # CONFIG_EROFS_FS is not set
 CONFIG_NETWORK_FILESYSTEMS=y
@@ -6259,7 +6246,6 @@ CONFIG_NLS_UTF8=y
 CONFIG_NLS_UCS2_UTILS=m
 # CONFIG_DLM is not set
 CONFIG_UNICODE=y
-# CONFIG_UNICODE_NORMALIZATION_SELFTEST is not set
 CONFIG_IO_WQ=y
 # end of File systems

@@ -6269,6 +6255,7 @@ CONFIG_IO_WQ=y
 CONFIG_KEYS=y
 CONFIG_KEYS_REQUEST_CACHE=y
 CONFIG_PERSISTENT_KEYRINGS=y
+# CONFIG_BIG_KEYS is not set
 # CONFIG_TRUSTED_KEYS is not set
 CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_USER_DECRYPTED_DATA is not set
@@ -6288,8 +6275,6 @@ CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_PATH=y
 # CONFIG_INTEL_TXT is not set
 CONFIG_LSM_MMAP_MIN_ADDR=65536
-CONFIG_HARDENED_USERCOPY=y
-CONFIG_FORTIFY_SOURCE=y
 # CONFIG_STATIC_USERMODEHELPER is not set
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
@@ -6355,6 +6340,14 @@ CONFIG_PAGE_SANITIZE_VERIFY=y
 CONFIG_SLAB_SANITIZE_VERIFY=y
 # end of Memory initialization

+#
+# Bounds checking
+#
+CONFIG_FORTIFY_SOURCE=y
+CONFIG_HARDENED_USERCOPY=y
+CONFIG_HARDENED_USERCOPY_DEFAULT_ON=y
+# end of Bounds checking
+
 #
 # Hardening of kernel data structures
 #
@@ -6368,17 +6361,6 @@ CONFIG_RANDSTRUCT_FULL=y
 CONFIG_RANDSTRUCT=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # end of Kernel hardening options
-
-#
-# OpenPaX options
-#
-CONFIG_OPENPAX=y
-CONFIG_OPENPAX_SOFTMODE=y
-CONFIG_OPENPAX_XATTR_PAX_FLAGS=y
-CONFIG_OPENPAX_MPROTECT=y
-CONFIG_OPENPAX_EMUTRAMP=y
-# CONFIG_OPENPAX_EMUTRAMP_DEFAULT is not set
-# end of OpenPaX options
 # end of Security options

 CONFIG_XOR_BLOCKS=m
@@ -6410,6 +6392,7 @@ CONFIG_CRYPTO_AKCIPHER=y
 CONFIG_CRYPTO_KPP2=y
 CONFIG_CRYPTO_KPP=m
 CONFIG_CRYPTO_ACOMP2=y
+CONFIG_CRYPTO_HKDF=y
 CONFIG_CRYPTO_MANAGER=y
 CONFIG_CRYPTO_MANAGER2=y
 # CONFIG_CRYPTO_USER is not set
@@ -6419,6 +6402,7 @@ CONFIG_CRYPTO_NULL2=y
 CONFIG_CRYPTO_PCRYPT=y
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_AUTHENC=y
+# CONFIG_CRYPTO_KRB5ENC is not set
 # CONFIG_CRYPTO_TEST is not set
 CONFIG_CRYPTO_SIMD=y
 CONFIG_CRYPTO_ENGINE=m
@@ -6518,8 +6502,6 @@ CONFIG_CRYPTO_XXHASH=y
 #
 CONFIG_CRYPTO_CRC32C=y
 CONFIG_CRYPTO_CRC32=m
-CONFIG_CRYPTO_CRCT10DIF=y
-CONFIG_CRYPTO_CRC64_ROCKSOFT=y
 # end of CRCs (cyclic redundancy checks)

 #
@@ -6645,6 +6627,7 @@ CONFIG_SYSTEM_TRUSTED_KEYS=""
 # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
 # end of Certificates for signature checking

+# CONFIG_CRYPTO_KRB5 is not set
 CONFIG_BINARY_PRINTF=y

 #
@@ -6694,20 +6677,18 @@ CONFIG_CRYPTO_LIB_SHA1=y
 CONFIG_CRYPTO_LIB_SHA256=y
 # end of Crypto library routines

-CONFIG_CRC_CCITT=y
+CONFIG_CRC_CCITT=m
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y
 CONFIG_ARCH_HAS_CRC_T10DIF=y
 CONFIG_CRC_T10DIF_ARCH=y
-CONFIG_CRC64_ROCKSOFT=y
-CONFIG_CRC_ITU_T=y
+CONFIG_CRC_ITU_T=m
 CONFIG_CRC32=y
 CONFIG_ARCH_HAS_CRC32=y
 CONFIG_CRC32_ARCH=y
 CONFIG_CRC64=y
-# CONFIG_CRC4 is not set
-CONFIG_CRC7=m
-CONFIG_LIBCRC32C=y
+CONFIG_ARCH_HAS_CRC64=y
+CONFIG_CRC64_ARCH=y
 CONFIG_CRC8=m
 CONFIG_CRC_OPTIMIZATIONS=y
 CONFIG_XXHASH=y
@@ -6781,6 +6762,7 @@ CONFIG_GENERIC_GETTIMEOFDAY=y
 CONFIG_GENERIC_VDSO_TIME_NS=y
 CONFIG_GENERIC_VDSO_OVERFLOW_PROTECT=y
 CONFIG_VDSO_GETRANDOM=y
+CONFIG_GENERIC_VDSO_DATA_STORE=y
 CONFIG_FONT_SUPPORT=y
 # CONFIG_FONTS is not set
 CONFIG_FONT_8x8=y
@@ -6841,6 +6823,7 @@ CONFIG_STRIP_ASM_SYMS=y
 CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 # CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE is not set
 CONFIG_OBJTOOL=y
+# CONFIG_OBJTOOL_WERROR is not set
 # CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
 # end of Compile-time checks and compiler options

@@ -6887,8 +6870,8 @@ CONFIG_PAGE_POISONING=y
 CONFIG_DEBUG_RODATA_TEST=y
 CONFIG_ARCH_HAS_DEBUG_WX=y
 CONFIG_DEBUG_WX=y
-CONFIG_GENERIC_PTDUMP=y
-CONFIG_PTDUMP_CORE=y
+CONFIG_ARCH_HAS_PTDUMP=y
+CONFIG_PTDUMP=y
 # CONFIG_PTDUMP_DEBUGFS is not set
 CONFIG_HAVE_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KMEMLEAK is not set
@@ -6898,6 +6881,7 @@ CONFIG_HAVE_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_STACK_USAGE is not set
 CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_ARCH_HAS_DEBUG_VM_PGTABLE=y
+# CONFIG_DEBUG_VFS is not set
 # CONFIG_DEBUG_VM is not set
 # CONFIG_DEBUG_VM_PGTABLE is not set
 CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y
@@ -6947,6 +6931,7 @@ CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
 CONFIG_DETECT_HUNG_TASK=y
 CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_DETECT_HUNG_TASK_BLOCKER=y
 CONFIG_WQ_WATCHDOG=y
 # CONFIG_WQ_CPU_INTENSIVE_REPORT is not set
 # CONFIG_TEST_LOCKUP is not set
@@ -6955,7 +6940,6 @@ CONFIG_WQ_WATCHDOG=y
 #
 # Scheduler Debugging
 #
-# CONFIG_SCHED_DEBUG is not set
 CONFIG_SCHED_INFO=y
 # CONFIG_SCHEDSTATS is not set
 # end of Scheduler Debugging
@@ -7155,8 +7139,6 @@ CONFIG_RUNTIME_TESTING_MENU=y
 # CONFIG_ASYNC_RAID6_TEST is not set
 # CONFIG_TEST_HEXDUMP is not set
 # CONFIG_TEST_KSTRTOX is not set
-# CONFIG_TEST_PRINTF is not set
-# CONFIG_TEST_SCANF is not set
 # CONFIG_TEST_BITMAP is not set
 # CONFIG_TEST_UUID is not set
 # CONFIG_TEST_XARRAY is not set
@@ -7167,7 +7149,6 @@ CONFIG_RUNTIME_TESTING_MENU=y
 # CONFIG_TEST_BITOPS is not set
 # CONFIG_TEST_VMALLOC is not set
 CONFIG_TEST_BPF=m
-# CONFIG_TEST_BLACKHOLE_DEV is not set
 # CONFIG_FIND_BIT_BENCHMARK is not set
 # CONFIG_TEST_FIRMWARE is not set
 # CONFIG_TEST_SYSCTL is not set
@@ -7193,6 +7174,8 @@ CONFIG_ARCH_USE_MEMTEST=y
 # end of Rust hacking
 # end of Kernel hacking

+CONFIG_IO_URING_ZCRX=y
+
 #
 # Gentoo Linux
 #
--- a/sys-kernel/hardened-kernel/files/linux-6.15/1189_restrict-fs-causes-bpf-verifier.patch
+++ b/sys-kernel/hardened-kernel/files/linux-6.15/1189_restrict-fs-causes-bpf-verifier.patch
--- a/sys-kernel/hardened-kernel/hardened-kernel-6.12.19.ebuild
+++ b/sys-kernel/hardened-kernel/hardened-kernel-6.12.19.ebuild
@@ -1,145 +0,0 @@
-# Copyright 2020-2025 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-KERNEL_IUSE_GENERIC_UKI=1
-KERNEL_IUSE_MODULES_SIGN=1
-
-inherit kernel-build toolchain-funcs
-
-MY_P=linux-${PV%.*}
-GENPATCHES_P=genpatches-${PV%.*}-$(( ${PV##*.} + 4 ))
-# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-# forked to https://github.com/projg2/fedora-kernel-config-for-gentoo
-CONFIG_VER=6.12.8-gentoo
-GENTOO_CONFIG_VER=g15
-HARDENED_PATCH_VER="${PV}-hardened1"
-GENPATCHES_EXCLUDE="1500_XATTR_USER_PREFIX.patch
-	1510_fs-enable-link-security-restrictions-by-default.patch
-	2900_dev-root-proc-mount-fix.patch
-	4200_fbcondecor.patch
-	4400_alpha-sysctl-uac.patch"
-
-DESCRIPTION="Linux kernel built with Gentoo patches"
-HOMEPAGE="
-	https://wiki.gentoo.org/wiki/Project:Distribution_Kernel
-	https://www.kernel.org/
-"
-SRC_URI+="
-	https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
-	https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.base.tar.xz
-	https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.extras.tar.xz
-	experimental? (
-		https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.experimental.tar.xz
-	)
-	https://github.com/anthraxx/linux-hardened/releases/download/v${HARDENED_PATCH_VER}/linux-hardened-v${HARDENED_PATCH_VER}.patch
-	https://github.com/projg2/gentoo-kernel-config/archive/${GENTOO_CONFIG_VER}.tar.gz
-		-> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
-	amd64? (
-		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-x86_64-fedora.config
-			-> kernel-x86_64-fedora.config.${CONFIG_VER}
-	)
-	arm64? (
-		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-aarch64-fedora.config
-			-> kernel-aarch64-fedora.config.${CONFIG_VER}
-	)
-	ppc64? (
-		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-ppc64le-fedora.config
-			-> kernel-ppc64le-fedora.config.${CONFIG_VER}
-	)
-	x86? (
-		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-i686-fedora.config
-			-> kernel-i686-fedora.config.${CONFIG_VER}
-	)
-"
-S=${WORKDIR}/${MY_P}
-
-KEYWORDS="amd64 ~arm arm64 ~hppa ~loong ~ppc ppc64 ~riscv ~sparc x86"
-IUSE="debug +experimental"
-REQUIRED_USE="
-	arm? ( savedconfig )
-	hppa? ( savedconfig )
-	riscv? ( savedconfig )
-	sparc? ( savedconfig )
-"
-
-RDEPEND="
-	!sys-kernel/gentoo-kernel-bin:${SLOT}
-"
-BDEPEND="
-	debug? ( dev-util/pahole )
-"
-PDEPEND="
-	>=virtual/dist-kernel-${PV}
-"
-
-QA_FLAGS_IGNORED="
-	usr/src/linux-.*/scripts/gcc-plugins/.*.so
-	usr/src/linux-.*/vmlinux
-	usr/src/linux-.*/arch/powerpc/kernel/vdso.*/vdso.*.so.dbg
-"
-
-src_prepare() {
-	# remove some genpatches causes conflicts with linux-hardened patch
-	for patch in ${GENPATCHES_EXCLUDE}; do
-		rm -f ${WORKDIR}/${patch}
-	done
-	# Remove already exists changes in linux-hardened patch
-	sed -i '322,337d' "${WORKDIR}/4567_distro-Gentoo-Kconfig.patch"
-	# include linux-hardened patch with priority
-	cp ${DISTDIR}/linux-hardened-v${HARDENED_PATCH_VER}.patch ${WORKDIR}/1199_linux-hardened-${HARDENED_PATCH_VER}.patch
-
-    # copy pkg maintainer supplied patches
-    if [ -d "${FILESDIR}/${MY_P}" ]; then
-            cp "${FILESDIR}/${MY_P}"/*.patch ${WORKDIR}/
-    fi
-
-	local PATCHES=(
-		# meh, genpatches have no directory
-		"${WORKDIR}"/*.patch
-	)
-	default
-
-	#sed -i "s@\-hardened1@@g" Makefile || die
-
-	local biendian=false
-
-	# prepare the default config
-	case ${ARCH} in
-		amd64)
-			cp "${FILESDIR}/${MY_P}.amd64.config" .config || die
-			;;
-		*)
-			die "Unsupported arch ${ARCH}"
-			;;
-	esac
-
-	local myversion="-gentoo-dist"
-	echo "CONFIG_LOCALVERSION=\"${myversion}\"" > "${T}"/version.config || die
-	local dist_conf_path="${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"
-
-	local merge_configs=(
-		"${T}"/version.config
-	)
-	use debug || merge_configs+=(
-		"${dist_conf_path}"/no-debug.config
-	)
-
-	merge_configs+=( "${dist_conf_path}"/hardened-base.config )
-
-	tc-is-gcc && merge_configs+=( "${dist_conf_path}"/hardened-gcc-plugins.config )
-
-	if [[ -f "${dist_conf_path}/hardened-${ARCH}.config" ]]; then
-		merge_configs+=( "${dist_conf_path}/hardened-${ARCH}.config" )
-	fi
-
-	# this covers ppc64 and aarch64_be only for now
-	if [[ ${biendian} == true && $(tc-endian) == big ]]; then
-		merge_configs+=( "${dist_conf_path}/big-endian.config" )
-	fi
-
-	use secureboot && merge_configs+=( "${dist_conf_path}/secureboot.config" )
-
-	kernel-build_merge_configs "${merge_configs[@]}"
-}
--- a/sys-kernel/hardened-kernel/hardened-kernel-6.15.8.ebuild
+++ b/sys-kernel/hardened-kernel/hardened-kernel-6.15.8.ebuild
@@ -6,20 +6,20 @@ EAPI=8
 KERNEL_IUSE_GENERIC_UKI=1
 KERNEL_IUSE_MODULES_SIGN=1

-inherit kernel-build toolchain-funcs
+inherit kernel-build toolchain-funcs verify-sig

 MY_P=linux-${PV%.*}
-GENPATCHES_P=genpatches-${PV%.*}-$(( ${PV##*.} + 1 ))
+PATCHSET=linux-gentoo-patches-6.15.8
 # https://koji.fedoraproject.org/koji/packageinfo?packageID=8
 # forked to https://github.com/projg2/fedora-kernel-config-for-gentoo
-CONFIG_VER=6.14.5-gentoo
+CONFIG_VER=6.15.6-gentoo
 GENTOO_CONFIG_VER=g16
-HARDENED_PATCH_VER="${PV}-hardened1"
+SHA256SUM_DATE=20250724
+HARDENED_PATCH_VER="${PV}-hardened2"
+USER_PATCHSET=linux-user-patches-6.15.8
 GENPATCHES_EXCLUDE="1500_XATTR_USER_PREFIX.patch
-	1510_fs-enable-link-security-restrictions-by-default.patch
-	2900_dev-root-proc-mount-fix.patch
-	4200_fbcondecor.patch
-	4400_alpha-sysctl-uac.patch"
+	0001-fs-Enable-link-security-restrictions-by-default.patch
+"

 DESCRIPTION="Linux kernel built with Gentoo patches"
 HOMEPAGE="
@@ -27,15 +27,16 @@ HOMEPAGE="
 	https://www.kernel.org/
 "
 SRC_URI+="
-	https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
-	https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.base.tar.xz
-	https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.extras.tar.xz
-	experimental? (
-		https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.experimental.tar.xz
-	)
+    https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
+	https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/patch-${PV}.xz
+    https://dev.gentoo.org/~mgorny/dist/linux/${PATCHSET}.tar.xz
 	https://github.com/anthraxx/linux-hardened/releases/download/v${HARDENED_PATCH_VER}/linux-hardened-v${HARDENED_PATCH_VER}.patch
 	https://github.com/projg2/gentoo-kernel-config/archive/${GENTOO_CONFIG_VER}.tar.gz
 		-> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
+    verify-sig? (
+        https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/sha256sums.asc
+            -> linux-$(ver_cut 1).x-sha256sums-${SHA256SUM_DATE}.asc
+    )
 	amd64? (
 		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-x86_64-fedora.config
 			-> kernel-x86_64-fedora.config.${CONFIG_VER}
@@ -80,28 +81,56 @@ QA_FLAGS_IGNORED="
 	usr/src/linux-.*/arch/powerpc/kernel/vdso.*/vdso.*.so.dbg
 "

+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/kernel.org.asc
+
+src_unpack() {
+        if use verify-sig; then
+                cd "${DISTDIR}" || die
+                verify-sig_verify_signed_checksums \
+                        "linux-$(ver_cut 1).x-sha256sums-${SHA256SUM_DATE}.asc" \
+                        sha256 "${MY_P}.tar.xz patch-${PV}.xz"
+                cd "${WORKDIR}" || die
+        fi
+
+        default
+}
+
 src_prepare() {
+	local patch
+
+	mkdir ${WORKDIR}/${USER_PATCHSET}
+	
 	# remove some genpatches causes conflicts with linux-hardened patch
 	for patch in ${GENPATCHES_EXCLUDE}; do
-		rm -f ${WORKDIR}/${patch}
+		rm -f ${WORKDIR}/${PATCHSET}/${patch}
 	done
 	# Remove already exists changes in linux-hardened patch
-	sed -i '322,337d' "${WORKDIR}/4567_distro-Gentoo-Kconfig.patch"
+	sed -i '344,356d' "${WORKDIR}/linux-gentoo-patches-${PV}/0010-Add-Gentoo-Linux-support-config-settings-and-default.patch"
 	# include linux-hardened patch with priority
-	cp ${DISTDIR}/linux-hardened-v${HARDENED_PATCH_VER}.patch ${WORKDIR}/1198_linux-hardened-${HARDENED_PATCH_VER}.patch
+	cp ${DISTDIR}/linux-hardened-v${HARDENED_PATCH_VER}.patch ${WORKDIR}/${USER_PATCHSET}/1198_linux-hardened-${HARDENED_PATCH_VER}.patch

    # copy pkg maintainer supplied patches
    if [ -d "${FILESDIR}/${MY_P}" ]; then
-            cp "${FILESDIR}/${MY_P}"/*.patch ${WORKDIR}/
+            cp "${FILESDIR}/${MY_P}"/*.patch ${WORKDIR}/${USER_PATCHSET}/
    fi

-	local PATCHES=(
-		# meh, genpatches have no directory
-		"${WORKDIR}"/*.patch
-	)
-	default
+	eapply "${WORKDIR}/patch-${PV}"
+	for patch in "${WORKDIR}/${PATCHSET}"/*.patch; do
+	        eapply "${patch}"
+	        # non-experimental patches always finish with Gentoo Kconfig
+	        # when ! use experimental, stop applying after it
+	        if [[ ${patch} == *Add-Gentoo-Linux-support-config-settings* ]] &&
+	                ! use experimental
+	        then
+	                break
+	        fi
+	done

-	#sed -i "s@\-hardened1@@g" Makefile || die
+	for patch in "${WORKDIR}/${USER_PATCHSET}"/*.patch; do
+	        eapply "${patch}"
+	done
+	
+	default

 	local biendian=false